VDB

GCVE-110-OSM-2026-213

GCVE-110-OSM-2026-213
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 6, 2026
Malicious NuGet package containing functional Chinese enterprise library code with an embedded infostealer payload. Uses module initializer execution to run malware before host application code, exfiltrating browser credentials and crypto wallet data to dns-providersa2[.]com. Malicious payload found in: module initializer (JIT hook into CLR) Obfuscation: .NET Reactor Necrobit + RSA-1024 Anti-Tamper (key family shared with Lumma/Quantum/AgentRacoon/ArrowRAT) C2 beacon: https://dns-providersa2[.]com/check C2 exfil: https://dns-providersa2[.]com/upload Staging file: C:\ProgramData\Microsoft OneDrive\keys.dat SHA256: b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9 Behavior: Browser credential harvesting (12 Chromium browsers + Firefox), crypto wallet extraction (5 extensions, 8 desktop wallets), SSH keys, Outlook profiles, Steam credentials, document theft, process injection persistence, HTTPS exfiltration with random X-[abc] header obfuscation.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownOCI.DotNetSDK.Osubsubscription.Netall (affected)
unknownOCI.DotNetSDK.Osuborganizationsubscription.Netall (affected), * (affected), all (affected), all (affected), all (affected), all (affected)
unknownOCI.DotNetSDK.Threat.intelligenceall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)
unknownthief-utils* (affected)
unknownIR.Infrastructure.Coreall (affected)

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›