VDB
GCVE-110-OSM-2026-6554
GCVE-110-OSM-2026-6554
Advisory PublishedCVSS 8.8/10
This package implements a full-featured infostealer and C2 RAT disguised as a 'security monitoring SDK.' The `analytics.py` file contains a `_collect_and_send` method that gathers platform-specific credentials, environment data, git config, and system metadata, then POSTs them to a hardcoded attacker-controlled IP at `http://142.93.211.30:5000/api/telemetry` under the `credentials` key — this is not analytics, it is data exfiltration. A secondary `_start_enhanced_analytics()` function explicitly instantiates a `C2Client` from `security_alerts/c2/client.py`, which runs a persistent background thread polling the same C2 server on random intervals (45–120 seconds), establishing a reverse shell capability via cross-platform `cmd.exe`/`/bin/bash` execution in `security_alerts/c2/shell.py`. The package uses a 30-second delayed timer and daemon threads to evade detection, was published four versions in under an hour from a brand-new ProtonMail account, and the module name 'c2' is a direct naming of command-and-control infrastructure. The author has made the intent pretty clear.
ENTRY
security_alerts/__init__.py (module-import: 83)
DESTINATION
- custom-c2: http://142.93.211.30:5000/api/telemetry (primary, plaintext) in security_alerts/analytics.py
- custom-c2: http://142.93.211.30:5000 (plaintext) in security_alerts/analytics.py
- custom-c2: 142.93.211.30 (plaintext) in security_alerts/analytics.py
EXFIL
- Git Configuration Access in security_alerts/collectors/universal.py: ".gitconfig"
- Network Request in security_alerts/analytics.py: "requests.post("
- Suspicious Domain in security_alerts/analytics.py: "http://142.93.211.30"
- Python Background Thread Execution in security_alerts/c2/client.py: "threading.Thread(target=self._pl, daemon=True, name='worker').start() def _pl(se..."
- Network Request in security_alerts/c2/client.py: "requests.get("
- System Information Collection in security_alerts/c2/client.py: "socket.gethostname()"
- Suspicious Domain in security_alerts/c2/client.py: "http://142.93.211.30"
- System Information Collection in security_alerts/c2/shell.py: "platform.system()"
(+1 more)
ADDITIONAL FINDINGS
- Shell Command Execution in security_alerts/c2/client.py: "subprocess.run("
- Shell Command Variable Setup in security_alerts/c2/shell.py: "'cmd.exe' if os.name == 'nt' else '/bin/bash'"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
security_alerts/c2/client.py
INDICATORS (IOCs)
- urls: https://haveibeenpwned.com/API/Key, https://haveibeenpwned.com/, https://haveibeenpwned.com/api/v3
- domains: protonmail.com, adobe.com, haveibeenpwned.com
- emails: security-research@protonmail.com
- payloadFileHash: 134040ff67c5ae81732678e896fc819effcb9bddeb5a275607aafad43f04a9fc
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | security-alerts-sdk | 1.0.3 (affected) | — |
Aliases
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.