VDB
GCVE-110-OSM-2026-213
GCVE-110-OSM-2026-213
Advisory PublishedCVSS 9.6/10
Malicious NuGet package containing functional Chinese enterprise library code with an embedded infostealer payload. Uses module initializer execution to run malware before host application code, exfiltrating browser credentials and crypto wallet data to dns-providersa2[.]com.
Malicious payload found in: module initializer (JIT hook into CLR)
Obfuscation: .NET Reactor Necrobit + RSA-1024 Anti-Tamper (key family shared with Lumma/Quantum/AgentRacoon/ArrowRAT)
C2 beacon: https://dns-providersa2[.]com/check
C2 exfil: https://dns-providersa2[.]com/upload
Staging file: C:\ProgramData\Microsoft OneDrive\keys.dat
SHA256: b8543b2a1ad8862ebfef18924cf5444d2adfee996939963f4fc2748c582cf9a9
Behavior: Browser credential harvesting (12 Chromium browsers + Firefox), crypto wallet extraction (5 extensions, 8 desktop wallets), SSH keys, Outlook profiles, Steam credentials, document theft, process injection persistence, HTTPS exfiltration with random X-[abc] header obfuscation.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | OCI.DotNetSDK.Osubsubscription.Net | all (affected) | — |
| unknown | OCI.DotNetSDK.Osuborganizationsubscription.Net | all (affected), * (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | OCI.DotNetSDK.Threat.intelligence | all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected) | — |
| unknown | thief-utils | * (affected) | — |
| unknown | IR.Infrastructure.Core | all (affected) | — |
Aliases
References
Malicious pypi package: thief-utils
advisory
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.