VDB
GCVE-110-OSM-2026-6730
GCVE-110-OSM-2026-6730
Advisory PublishedCVSS 5.4/10
The package combines hostname resolution (socket.gethostname/gethostbyname), external IP fingerprinting via ifconfig.me, and broad platform enumeration (platform.system/machine/processor) — a classic first-stage reconnaissance fingerprint consistent with an infostealer or dropper. No confirmed exfiltration endpoint (webhook, C2 URL, paste site) was recovered, which prevents a malicious verdict, but the absence of observed exfil could simply mean the destination is computed at runtime or fetched dynamically. The package is brand-new (4 days old), has no source repository, and is published by a single-package account, which eliminates the possibility of an established legitimate analytics library accidentally tripping these rules. subprocess.run is present alongside the fingerprinting code, suggesting capability for further payload execution.
ADDITIONAL FINDINGS
- Shell Command Execution in analyticschico/analytics.py: "subprocess.run("
- Shell Command Variable Setup in analyticschico/analytics.py: "Windows": ps_cmd = """ powersh"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
analyticschico/analytics.py
INDICATORS (IOCs)
- payloadFileHash: 0ff84899c303e3faaff7f1e773b810197f5eb5d1d54454cff0b59dbdb7f159e1
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | analyticschico | all (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.