VDB

GCVE-110-OSM-2026-5916

GCVE-110-OSM-2026-5916
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
The `SSHUserManager` class in `nsdev/addUser.py` implements a credential-harvesting backdoor: it creates a new sudo-capable SSH user on the victim's server (`sudo adduser` + `sudo usermod -aG sudo`), then exfiltrates the username, password, and server IP address to a hardcoded Telegram bot token (`7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA`) and chat_id (`1964437366`) via `sendMessage`. These are the default constructor parameters, meaning any developer who calls `SSHUserManager()` without overriding them silently ships SSH backdoor credentials to the package author. The library targets pyrogram/Telegram bot developers — a natural audience who would manage remote servers — making this a targeted supply-chain credential theft and persistence attack. The description 'Library of special mission and encrypted code' is a further tell. The `__init__.py` exposes this under `NsDev.server.user`, normalizing it as a utility rather than signaling risk. ENTRY nsdev/__init__.py (module-import: 45) DESTINATION - telegram-bot: 7419614345:AAFwmSvM0zWNaLQhDLidtZ-B9Tzp-aVWICA (primary, plaintext) in nsdev/addUser.py - custom-c2: https://SenpaiSeeker.github.io/payment (plaintext) in nsdev/payment.py - custom-c2: https://app.midtrans.com/snap/v1 (plaintext) in nsdev/payment.py - custom-c2: https://api.midtrans.com/v2 (plaintext) in nsdev/payment.py (+16 more) EXFIL - Data Encoding for Exfiltration in nsdev/bing.py: "urllib.parse.quote(" - Python File Upload to Remote in nsdev/database.py: "requests.post(url, params=params, files=" - Data Encoding for Exfiltration in nsdev/encrypt.py: "base64.b64encode(" - Data Encoding for Exfiltration in nsdev/payment.py: "base64.b64encode(" - Network Request in nsdev/addUser.py: "requests.post(" ADDITIONAL FINDINGS - Shell Command Execution in nsdev/addUser.py: "os.system(" PAYLOAD FILES nsdev/database.py (+ nsdev/payment.py, nsdev/addUser.py) INDICATORS (IOCs) - emails: admin@NorSodikin.com - payloadFileHash: 2043c62b3defc93a59f8b2ef43218617e20379335b224ec03efbc47f20b759bc

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnorsodikinall (affected)

References

vendor

Browse GCVE Records

73,280 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›