VDB

GCVE-110-OSM-2026-6554

GCVE-110-OSM-2026-6554
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 23, 2026
This package implements a full-featured infostealer and C2 RAT disguised as a 'security monitoring SDK.' The `analytics.py` file contains a `_collect_and_send` method that gathers platform-specific credentials, environment data, git config, and system metadata, then POSTs them to a hardcoded attacker-controlled IP at `http://142.93.211.30:5000/api/telemetry` under the `credentials` key — this is not analytics, it is data exfiltration. A secondary `_start_enhanced_analytics()` function explicitly instantiates a `C2Client` from `security_alerts/c2/client.py`, which runs a persistent background thread polling the same C2 server on random intervals (45–120 seconds), establishing a reverse shell capability via cross-platform `cmd.exe`/`/bin/bash` execution in `security_alerts/c2/shell.py`. The package uses a 30-second delayed timer and daemon threads to evade detection, was published four versions in under an hour from a brand-new ProtonMail account, and the module name 'c2' is a direct naming of command-and-control infrastructure. The author has made the intent pretty clear. ENTRY security_alerts/__init__.py (module-import: 83) DESTINATION - custom-c2: http://142.93.211.30:5000/api/telemetry (primary, plaintext) in security_alerts/analytics.py - custom-c2: http://142.93.211.30:5000 (plaintext) in security_alerts/analytics.py - custom-c2: 142.93.211.30 (plaintext) in security_alerts/analytics.py EXFIL - Git Configuration Access in security_alerts/collectors/universal.py: ".gitconfig" - Network Request in security_alerts/analytics.py: "requests.post(" - Suspicious Domain in security_alerts/analytics.py: "http://142.93.211.30" - Python Background Thread Execution in security_alerts/c2/client.py: "threading.Thread(target=self._pl, daemon=True, name='worker').start() def _pl(se..." - Network Request in security_alerts/c2/client.py: "requests.get(" - System Information Collection in security_alerts/c2/client.py: "socket.gethostname()" - Suspicious Domain in security_alerts/c2/client.py: "http://142.93.211.30" - System Information Collection in security_alerts/c2/shell.py: "platform.system()" (+1 more) ADDITIONAL FINDINGS - Shell Command Execution in security_alerts/c2/client.py: "subprocess.run(" - Shell Command Variable Setup in security_alerts/c2/shell.py: "'cmd.exe' if os.name == 'nt' else '/bin/bash'" - Brand New Package - Rapid Version Publishing PAYLOAD FILES security_alerts/c2/client.py INDICATORS (IOCs) - urls: https://haveibeenpwned.com/API/Key, https://haveibeenpwned.com/, https://haveibeenpwned.com/api/v3 - domains: protonmail.com, adobe.com, haveibeenpwned.com - emails: security-research@protonmail.com - payloadFileHash: 134040ff67c5ae81732678e896fc819effcb9bddeb5a275607aafad43f04a9fc

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsecurity-alerts-sdk1.0.3 (affected)

References

advisory
vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›