VDB
GCVE-110-OSM-2026-4177
GCVE-110-OSM-2026-4177
Advisory PublishedCVSS 8.8/10
Installs a Windows Python infostealer toolkit at require-time without user consent: silently deploys Python 3.12 via winget (fallback: covert download from python.org), then pip-installs clipboard theft (pyperclip), keylogging (keyboard), screenshot capture (PIL/mss/pyautogui), and UI automation (pywin32/uiautomation) libraries, before spawning pointer.py as a second-stage payload. All stdio is suppressed. The package has 14 published versions and 486 weekly downloads. Second-stage network exfil destination is not resolvable from the dropper layer.
**Trigger** (require-time IIFE via `startApp()` call at module bottom): executes unconditionally when the package is imported.
**Python provisioning**: execSync checks for existing Python interpreter; if absent, installs Python 3.12 silently via `winget install -e --id Python.Python.3.12 --silent --accept-package-agreements --accept-source-agreements`. Fallback: downloads `python-3.12.3-amd64.exe` from `https://www.python.org/ftp/python/3.12.3/python-3.12.3-amd64.exe` via `curl` to `%TEMP%`, installs silently, deletes installer.
**Spy toolkit**: pip-installs `pyperclip` (clipboard read), `keyboard` (keylogging), `requests`, `Pillow`/`mss`/`pyautogui` (screenshot capture), `pywin32`/`uiautomation` (Windows UI automation).
**Second-stage spawn**: `spawn(pythonCmd, [scriptPath])` launches `pointer.py`. All child process stdio suppressed. `@AutomationLog.txt` bundled in package confirms automation output at runtime. pointer.py (SHA256: fb92fc2bf9a16ef9a4eb4e6ad0c792682d03d6e27c90e4b0d6cb36c1fa0c6be0) — network exfil destination not confirmed from static analysis of dropper.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | sysbin | 1.0.34 (affected) | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.