VDB

GCVE-110-OSM-2026-6138

GCVE-110-OSM-2026-6138
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 18, 2026
Exfiltrates system identity, directory trees, arbitrary files, and browser extension inventories to an operator-configured C2 server, and executes arbitrary shell commands on victim machines. runtimedev-link masquerades as 'Pure Node.js telemetry for RuntimeDev platform.' On first invocation, it installs cross-platform persistent autostart (macOS LaunchAgent, Linux crontab, Windows Task Scheduler with hidden VBS launcher). The C2 base URL is absent from the package and delivered out-of-band via a deployment token flag or environment variable, deliberately hindering static detection. Persistence scripts invoke 'npx -y runtimedev-link@latest' at each reboot, auto-updating the RAT to future attacker-published versions. Eight versions were published within a single day before detection. bin/cli.js parses the --token flag (pipe-delimited 'apiBase|hash' or base64 JSON {apiBase,hash}) to configure SSTAR_API_BASE (C2 base URL) and SSTAR_DEPLOYMENT_HASH. On every invocation, lib/persistence.js writes platform-specific start scripts (~/.local/share/runtimedev-link/start.sh or start.vbs) and registers persistence: macOS via launchctl bootstrap with RunAtLoad LaunchAgent plist; Linux via crontab '@reboot sleep 30 && start.sh'; Windows via Task Scheduler task with wscript.exe //B and CREATE_NO_WINDOW (0x08000000). lib/transport.js POSTs to /api/telemetry/poll-command every 20-60 seconds; on C2 activation, dispatches: data.command to execSync (lib/exec.js, shell: /bin/sh, 120s timeout, 8MB buffer); data.downloadRequest to lib/download.js (path.resolve + zip + base64 POST to /api/telemetry/upload-download, 50MB cap); data.directoryScan to POST /api/telemetry/directory-scan-result. Initial telemetry POST to /api/telemetry/report includes hostname, username, OS platform/arch/node version, networkInterfaces, public IP (prefetched from https://api.ipify.org?format=text), directory tree (5-level, 60-entry max), and Chrome/Edge/Brave extension manifests collected by lib/chrome_extensions.js. Agent config stored at ~/.config/runtimedev-link/agent.env (mode 0o600).

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownruntimedev-linkall versions (affected), all versions (affected)

References

vendor

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›