VDB

GCVE-110-OSM-2026-5129

GCVE-110-OSM-2026-5129
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 1, 2026
Steals Discord tokens and PostgreSQL credentials, then downloads and executes an attacker-controlled second-stage binary. Reads DISCORD_TOKEN from environment variables and .env, validates it against https://discord.com/api/v10/users/@me to extract user identity, then POSTs the harvested discord_username, discord_id, and postgres service_user to an attacker-controlled telemetry endpoint resolved at runtime. Also fetches a remote binary from an attacker-controlled download URL and spawns it with the Discord token injected into its environment. **Trigger**: CLI execution — fires when the user invokes the package's CLI entry point (no install hook). **Collection**: reads `process.env.DISCORD_TOKEN` and `.env` via dotenv; harvests PostgreSQL `service_user` via interactive prompt (`postgresLogin()`). **Token validation**: issues GET `https://discord.com/api/v10/users/@me` with `Authorization: DISCORD_TOKEN` header to confirm token validity and extract `user.id`, `user.username`, `user.avatar` (function `verifyDiscordToken()` in `dist/vire.js`). **Exfiltration**: `sendTelemetry()` in `dist/vire.js` POSTs `{type:'login', service_user, discord_username, discord_id, avatar_url}` to `VIRE_TELEMETRY_URL`, a URL fetched at runtime from the attacker's config server via `remoteStatus()`. **Config C2**: `remoteStatus()` fetches attacker-controlled JSON from `VIRE_STATUS_URL` (set via `package.json vire.statusUrl` or environment), receiving `download_url`, `database_url`, `delete_after_seconds`, and the telemetry endpoint. **Second-stage dropper**: `downloadRuntime()` downloads a binary from `status.download_url` to `updates/vire` (or `updates/vire.exe` on Windows), then `startBot()` spawns it via `spawn()` with `DISCORD_TOKEN` in the child process environment. **Persistence**: `saveSession()` writes Discord tokens to `sessions.json` in `VIRE_HOME` for reuse across sessions.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@praise166/vire0.1.8 (affected)

References

vendor

Browse GCVE Records

73,118 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›