VDB

GCVE-110-OSM-2026-6730

GCVE-110-OSM-2026-6730
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published June 23, 2026
The package combines hostname resolution (socket.gethostname/gethostbyname), external IP fingerprinting via ifconfig.me, and broad platform enumeration (platform.system/machine/processor) — a classic first-stage reconnaissance fingerprint consistent with an infostealer or dropper. No confirmed exfiltration endpoint (webhook, C2 URL, paste site) was recovered, which prevents a malicious verdict, but the absence of observed exfil could simply mean the destination is computed at runtime or fetched dynamically. The package is brand-new (4 days old), has no source repository, and is published by a single-package account, which eliminates the possibility of an established legitimate analytics library accidentally tripping these rules. subprocess.run is present alongside the fingerprinting code, suggesting capability for further payload execution. ADDITIONAL FINDINGS - Shell Command Execution in analyticschico/analytics.py: "subprocess.run(" - Shell Command Variable Setup in analyticschico/analytics.py: "Windows": ps_cmd = """ powersh" - Brand New Package - Rapid Version Publishing PAYLOAD FILES analyticschico/analytics.py INDICATORS (IOCs) - payloadFileHash: 0ff84899c303e3faaff7f1e773b810197f5eb5d1d54454cff0b59dbdb7f159e1

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownanalyticschicoall (affected)

References

vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›