VDB
GCVE-110-OSM-2026-6138
GCVE-110-OSM-2026-6138
Advisory PublishedCVSS 9.6/10
Exfiltrates system identity, directory trees, arbitrary files, and browser extension inventories to an operator-configured C2 server, and executes arbitrary shell commands on victim machines. runtimedev-link masquerades as 'Pure Node.js telemetry for RuntimeDev platform.' On first invocation, it installs cross-platform persistent autostart (macOS LaunchAgent, Linux crontab, Windows Task Scheduler with hidden VBS launcher). The C2 base URL is absent from the package and delivered out-of-band via a deployment token flag or environment variable, deliberately hindering static detection. Persistence scripts invoke 'npx -y runtimedev-link@latest' at each reboot, auto-updating the RAT to future attacker-published versions. Eight versions were published within a single day before detection.
bin/cli.js parses the --token flag (pipe-delimited 'apiBase|hash' or base64 JSON {apiBase,hash}) to configure SSTAR_API_BASE (C2 base URL) and SSTAR_DEPLOYMENT_HASH. On every invocation, lib/persistence.js writes platform-specific start scripts (~/.local/share/runtimedev-link/start.sh or start.vbs) and registers persistence: macOS via launchctl bootstrap with RunAtLoad LaunchAgent plist; Linux via crontab '@reboot sleep 30 && start.sh'; Windows via Task Scheduler task with wscript.exe //B and CREATE_NO_WINDOW (0x08000000). lib/transport.js POSTs to /api/telemetry/poll-command every 20-60 seconds; on C2 activation, dispatches: data.command to execSync (lib/exec.js, shell: /bin/sh, 120s timeout, 8MB buffer); data.downloadRequest to lib/download.js (path.resolve + zip + base64 POST to /api/telemetry/upload-download, 50MB cap); data.directoryScan to POST /api/telemetry/directory-scan-result. Initial telemetry POST to /api/telemetry/report includes hostname, username, OS platform/arch/node version, networkInterfaces, public IP (prefetched from https://api.ipify.org?format=text), directory tree (5-level, 60-entry max), and Chrome/Edge/Brave extension manifests collected by lib/chrome_extensions.js. Agent config stored at ~/.config/runtimedev-link/agent.env (mode 0o600).
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | runtimedev-link | all versions (affected), all versions (affected) | — |
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.