VDB
GCVE-110-OSM-2026-675
GCVE-110-OSM-2026-675
Advisory PublishedCVSS 8.8/10
This is a malicious git repository used by fake recruiters on LinkedIn to target developers an steal their crypto currency.
- The script collects system information including hostname, platform, home directory, and temporary directory using os.hostname(), os.platform(), os.homedir(), and os.tmpdir().
- It checks for specific directories and files related to web browsers like Chrome, Brave, and Opera, then attempts to read these locations for sensitive information such as user profiles and extension data.
- It attempts to steal macOS keychains and Solana wallet keys.
- The script uploads collected data to a remote server **(95.164.17.24)** hosted in the Netherlands. It uses the request module to send POST requests with the stolen data.
- It includes mechanisms to run multiple times, ensuring persistence and continued data theft. The script also downloads and executes additional payloads from the remote server—potentially more malicious scripts or executables.
- The script scans for browser extensions and profiles to gather user data and credentials.
- It adapts its behavior based on the operating system: Windows (w), Linux (l), or macOS (d).
- The additional Python payloads are easily accessible by following the URLs. These install a RAT, perform keylogging, and establish communication with a command-and-control server.
- A final Python payload attempts to steal credentials and credit card data from browser files.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | python-anchor | * (affected) | — |
| unknown | all (affected) | — |
Aliases
References
Browse GCVE Records
73,118 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.