VDB
GCVE-110-OSM-2026-5129
GCVE-110-OSM-2026-5129
Advisory PublishedCVSS 8.8/10
Steals Discord tokens and PostgreSQL credentials, then downloads and executes an attacker-controlled second-stage binary. Reads DISCORD_TOKEN from environment variables and .env, validates it against https://discord.com/api/v10/users/@me to extract user identity, then POSTs the harvested discord_username, discord_id, and postgres service_user to an attacker-controlled telemetry endpoint resolved at runtime. Also fetches a remote binary from an attacker-controlled download URL and spawns it with the Discord token injected into its environment.
**Trigger**: CLI execution — fires when the user invokes the package's CLI entry point (no install hook).
**Collection**: reads `process.env.DISCORD_TOKEN` and `.env` via dotenv; harvests PostgreSQL `service_user` via interactive prompt (`postgresLogin()`).
**Token validation**: issues GET `https://discord.com/api/v10/users/@me` with `Authorization: DISCORD_TOKEN` header to confirm token validity and extract `user.id`, `user.username`, `user.avatar` (function `verifyDiscordToken()` in `dist/vire.js`).
**Exfiltration**: `sendTelemetry()` in `dist/vire.js` POSTs `{type:'login', service_user, discord_username, discord_id, avatar_url}` to `VIRE_TELEMETRY_URL`, a URL fetched at runtime from the attacker's config server via `remoteStatus()`.
**Config C2**: `remoteStatus()` fetches attacker-controlled JSON from `VIRE_STATUS_URL` (set via `package.json vire.statusUrl` or environment), receiving `download_url`, `database_url`, `delete_after_seconds`, and the telemetry endpoint.
**Second-stage dropper**: `downloadRuntime()` downloads a binary from `status.download_url` to `updates/vire` (or `updates/vire.exe` on Windows), then `startBot()` spawns it via `spawn()` with `DISCORD_TOKEN` in the child process environment.
**Persistence**: `saveSession()` writes Discord tokens to `sessions.json` in `VIRE_HOME` for reuse across sessions.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @praise166/vire | 0.1.8 (affected) | — |
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.