VDB

GCVE-110-OSM-2026-6738

GCVE-110-OSM-2026-6738
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 27, 2026
Malicious package detected. Behaviors: data exfiltration, obfuscated code. ENTRY pyrogram/__init__.py (module-import: 24) PERSISTENCE - Startup Persistence in pyrogram/enums/__init__.py: ".profile" - Startup Persistence in pyrogram/methods/chats/update_color.py: ".Profile" - Startup Persistence in pyrogram/types/user_and_chats/chat.py: ".profile" - Startup Persistence in pyrogram/types/user_and_chats/chat_color.py: ".Profile" - Startup Persistence in pyrogram/types/user_and_chats/user.py: ".profile" DESTINATION - custom-c2: telegramplayground.github.io (primary, plaintext) in pyrogram/client.py - custom-c2: 11.22.33.44 (plaintext) in pyrogram/client.py - bitcoinAddresses: 193w5QvbXMKXgFh9LqsYLu33LTaJHJP (exfil, plaintext) - bitcoinAddresses: 163BDMPNjf3mbNLP3djgBcU9ZuvBNE (exfil, plaintext) EXFIL - System Information Collection in pyrogram/client.py: "platform.system()" OBFUSCATION - Python Exec with Encoded Content in pyrogram/methods/utilities/app.py: "exec(zlib.decompress" - IOCs Found in Deobfuscated Code in pyrogram/methods/utilities/app.py - Unicode Escape Obfuscation in pyrogram/emoji.py: "\u26f9\ufe0f\u200d\u2642\ufe0f" - recovered 2 bitcoinAddresses from decoded/deobfuscated content ADDITIONAL FINDINGS - Download Execute Delete Pattern in pyrogram/storage/sqlite_storage.py: "executor, self.conn.close) self.executor.shutdown() self._executor = None async ..." PAYLOAD FILES pyrogram/methods/utilities/app.py INDICATORS (IOCs) - ipv4: 2.1.2.9, 149.154.175.10, 149.154.167.40, 149.154.175.117, 149.154.175.53 (+7 more) - ipv6: 2001:b28:f23d:f001::, 2001:67c:4e8:f002::, 2001:b28:f23d:f003::, 2001:67c:4e8:f004::, 2001:b28:f23f:f005:: (+3 more) - urls: https://pyrogram.org, https://docs.pyrogram.org, https://docs.pyrogram.org/releases, https://docs.pyrogram.org/topics/mtproto-vs-botapi, https://liberapay.com/delivrance (+4 more) - domains: pyrogram.org, docs.pyrogram.org, liberapay.com, size.group, flag.group (+9 more) - emails: do-not-reply@pyrogram.org - sha256Hashes: C71CAEB9C6B1C9048E6C522F70F13F73980D40238E3E21C14934D037563D930F, 48198A0AA7C14058229493D22530F4DBFA336F6E0AC925139543AED44CCE7C37, 20FD51F69458705AC68CD4FE6B6B13ABDC9746512969328454F18FAF8C595F64, 2477FE96BB2A941D5BCD1D4AC8CC49880708FA9B378E3C4F3A9060BEE67CF9A4, A4A695811051907E162753B56B0F6B410DBA74D8A84B2A14B3144E0EF1284754 (+45 more) - payloadFileHash: cf1b4cd158614272b0e41e4fa785550545a69ca93200300046557065d7d1f3a6

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowninlifegramall (affected)

References

advisory
vendor

Browse GCVE Records

73,443 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›