VDB
GCVE-110-OSM-2026-6281
GCVE-110-OSM-2026-6281
Advisory PublishedCVSS 9.6/10
Harvests Windows credentials at install time via UAC bypass and SYSTEM-level privilege escalation, then exfiltrates to a Cloudflare-tunneled C2. env-config-f281@1.0.0 executes node run.js from preinstall and postinstall hooks. On Windows, it beacons machine identity (COMPUTERNAME/USERNAME), performs a UAC bypass via fodhelper.exe COM hijack (HKCU\\Software\\Classes\\ms-settings\\Shell\\Open\\command + DelegateExecute), registers a scheduled task as NT AUTHORITY\\SYSTEM, and uses the SYSTEM context to harvest LSA secrets, Windows Credential Manager entries, Azure CLI/MSAL caches, PowerShell command history, NuGet credential stores, ProgramData credential files, service account names, and scheduled task user contexts. Credentials are exfiltrated via GET (CREDS_SUMMARY, up to 800 chars) and POST (full CREDS_DETAIL JSON dump) to https://cpu-beaches-hay-marketplace.trycloudflare.com/beacon. On Linux, a GET beacon signals execution. Campaign marker: 'tss-daas-creds'. Same credential-harvest variant as campaign siblings color-utils-eee0, data-utils-2122, and delta-time-32bb under publisher devutils2026@web-library.net; differs only in Cloudflare tunnel C2 hostname.
run.js executed unconditionally by preinstall and postinstall hooks. Plaintext JavaScript with embedded PowerShell constructed from array literals and base64-encoded at runtime. On win32: beacons machine identity, writes fodhelper.exe UAC bypass to registry, registers SYSTEM scheduled task that harvests all credential sources, serializes to JSON summary and full detail, exfiltrates via GET+POST to C2, then cleans up registry key, temp PS1 file, and temp output files. On other platforms: sends single GET execution-signal beacon.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | env-config-f281 | all versions (affected) | — |
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.