VDB
GCVE-110-OSM-2026-5916
GCVE-110-OSM-2026-5916
Advisory PublishedCVSS 9.6/10
The `SSHUserManager` class in `nsdev/addUser.py` implements a credential-harvesting backdoor: it creates a new sudo-capable SSH user on the victim's server (`sudo adduser` + `sudo usermod -aG sudo`), then exfiltrates the username, password, and server IP address to a hardcoded Telegram bot token (`7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA`) and chat_id (`1964437366`) via `sendMessage`. These are the default constructor parameters, meaning any developer who calls `SSHUserManager()` without overriding them silently ships SSH backdoor credentials to the package author. The library targets pyrogram/Telegram bot developers — a natural audience who would manage remote servers — making this a targeted supply-chain credential theft and persistence attack. The description 'Library of special mission and encrypted code' is a further tell. The `__init__.py` exposes this under `NsDev.server.user`, normalizing it as a utility rather than signaling risk.
ENTRY
nsdev/__init__.py (module-import: 45)
DESTINATION
- telegram-bot: 7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA (primary, plaintext) in nsdev/addUser.py
- custom-c2: https://SenpaiSeeker.github.io/payment (plaintext) in nsdev/payment.py
- custom-c2: https://app.midtrans.com/snap/v1 (plaintext) in nsdev/payment.py
- custom-c2: https://api.midtrans.com/v2 (plaintext) in nsdev/payment.py
(+16 more)
EXFIL
- Data Encoding for Exfiltration in nsdev/bing.py: "urllib.parse.quote("
- Python File Upload to Remote in nsdev/database.py: "requests.post(url, params=params, files="
- Data Encoding for Exfiltration in nsdev/encrypt.py: "base64.b64encode("
- Data Encoding for Exfiltration in nsdev/payment.py: "base64.b64encode("
- Network Request in nsdev/addUser.py: "requests.post("
ADDITIONAL FINDINGS
- Shell Command Execution in nsdev/addUser.py: "os.system("
PAYLOAD FILES
nsdev/database.py (+ nsdev/payment.py, nsdev/addUser.py)
INDICATORS (IOCs)
- emails: admin@NorSodikin.com
- payloadFileHash: 2043c62b3defc93a59f8b2ef43218617e20379335b224ec03efbc47f20b759bc
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | norsodikin | all (affected) | — |
Browse GCVE Records
73,280 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.