VDB

GCVE-110-OSM-2026-1539

GCVE-110-OSM-2026-1539
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published April 7, 2026
Malicious PyPI package part of North Korea's Contagious Interview campaign. Contains multi-stage loader in core.py with find_by_key function that downloads and executes staged RAT malware. Targets credentials, browser data, SSH keys, and cryptocurrency wallets. === PAYLOAD 1: Staged Loader === Malicious payload found in: core.py (find_by_key function) Behavior: Multi-stage loader that downloads RAT payload from Google Drive links Rewrites Google Drive URLs for direct download: drive.usercontent.google.com/download?id=<file_id>&export=download&confirm=t === PAYLOAD 2: RAT Components === Platform-specific payloads: - Linux: systemd-resolved (SHA256: 9a541dffb7fc18dc71dbc8523ec6c3a71c224ffeb518ae3a8d7d16377aebee58) - macOS: com.apple.systemevents (SHA256: bb2a89001410fa5a11dea6477d4f5573130261badc67fe952cfad1174c2f0edd) - Windows: ecw_update.zip (SHA256: 7c5adef4b5aee7a4aa6e795a86f8b7d601618c3bc003f1326ca57d03ec7d6524) C2 domains: apachelicense.vercel.app, logkit.onrender.com Temp directory: 410BB449A-72C6-4500-9765-ACD04JBV827V32V

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownlogutilkitall (affected)

References

vendor

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›