VDB
GCVE-110-OSM-2026-7399
GCVE-110-OSM-2026-7399
Advisory PublishedCVSS 9.6/10
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code.
ENTRY
yt_api_dlp/__init__.py (module-import: 916)
LOOT
- Browser Data Theft in yt_api_dlp/extractor/euscreen.py: "Chrome/94.0.4606.71 Safari/537.36</appversion><useragent>Mozilla/5.0 (Windows NT..."
PERSISTENCE
- Startup Persistence in yt_api_dlp/extractor/plyr.py: ".profile"
DESTINATION
- custom-c2: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md (primary, plaintext) in yt_api_dlp/cookies.py
- custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/ (plaintext) in yt_api_dlp/cookies.py
- custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/key_storage_linux.cc (plaintext) in yt_api_dlp/cookies.py
- custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/os_crypt_linux.cc (plaintext) in yt_api_dlp/cookies.py
- custom-c2: https://chromium.googlesource.com/chromium/src/+/bbd54702284caca1f92d656fdcadf2ccca6f4165%5E%21/ (plaintext) in yt_api_dlp/cookies.py
- custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/os_crypt_mac.mm (plaintext) in yt_api_dlp/cookies.py
- custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/os_crypt_win.cc (plaintext) in yt_api_dlp/cookies.py
- custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/base/nix/xdg_util.h (plaintext) in yt_api_dlp/cookies.py
(+113 more)
EXFIL
- Environment Variable Exfiltration in yt_api_dlp/__init__.py: "os.environ["APPDATA"] directory = os.path.join(appdata, "RtkAudService") req = u..."
- Corporate Environment Targeting in yt_api_dlp/extractor/bitmovin.py: "tmovin\.com/(?P<id>\w+)[^"\']+)'] _TEST"
- Corporate Environment Targeting in yt_api_dlp/extractor/generic.py: "tmovin.com/demos/stream-test"
- Corporate Environment Targeting in yt_api_dlp/extractor/magentamusik.py: "magentamusik\.de/(?P<id>[^/?#]+)' _TEST"
- OAST/Interactsh Exfiltration in yt_api_dlp/extractor/unsupported.py: "gofile.io"
- Data Encoding for Exfiltration in yt_api_dlp/cache.py: "urllib.parse.quote("
- Data Encoding for Exfiltration in yt_api_dlp/downloader/youtube_live_chat.py: "json.dumps(action, ensure_ascii=False).encode"
- Data Encoding for Exfiltration in yt_api_dlp/extractor/abematv.py: "json.dumps({ 'kv': 'a', 'lt': ticket, }).encode"
(+170 more)
OBFUSCATION
- Decoded Base64 Content in yt_api_dlp/extractor/ard.py (x5)
- Python Binascii String Hiding in yt_api_dlp/extractor/tarangplus.py: "binascii.unhexlify('"
- Hex Encoded Strings in yt_api_dlp/extractor/hotstar.py: "'\x05\xfc\x1a\x01\xca\xc9\x4b\xc4\x12\xfc\x53\x12\x07\x75\xf9\xee'"
- Unicode Escape Obfuscation in yt_api_dlp/extractor/hotstar.py: "\x05\xfc\x1a\x01\xca\xc9\x4b\xc4\x12\xfc\x53\x12\x07\x75\xf9\xee"
- Hex Encoded Strings in yt_api_dlp/extractor/ivi.py: "'\xf1\x02\x32\xb7\xbc\x5c\x7a\xe8\xf7\x96\xc1\x33\x2b\x27\xa1\x8c'"
- Unicode Escape Obfuscation in yt_api_dlp/extractor/ivi.py: "\xf1\x02\x32\xb7\xbc\x5c\x7a\xe8\xf7\x96\xc1\x33\x2b\x27\xa1\x8c"
- Base64 Encoded Payload in yt_api_dlp/extractor/loco.py: "'Kp7tYlUN7LXvtcSpwYvIitgYcLparbtsQSe5AdyyCdiEJBP53Vt9J8eB4AsLdChIpcO2BM19RA3HsGt..."
- Base64 Encoded Payload in yt_api_dlp/extractor/nytimes.py: "'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuNIzKBOFB77aT/jN/FQ+/QVKWq5V1ka1AYm..."
(+7 more)
ADDITIONAL FINDINGS
- Chai-Max Browser Data Theft in yt_api_dlp/cookies.py: "chrome_cookies(browser_name, profile, keyring, logger): logger.info(f'Extracting..."
- Shell Command Execution in yt_api_dlp/__init__.py: "subprocess.Popen("
- Silent Process Execution in yt_api_dlp/__init__.py: "stdout=subprocess.DEVNULL"
- Tunneling Service Usage in yt_api_dlp/extractor/bbc.py: ".onion"
- Suspicious TLD Domain in yt_api_dlp/extractor/chaturbate.py: "https://roomimg.stream"
PAYLOAD FILES
yt_api_dlp/extractor/ard.py
INDICATORS (IOCs)
- ipv4: 4.3.2.4, 4.3.2.2, 4.3.3.2, 4.3.3.5, 4.3.2.5 (+7 more)
- ipv6: 2::, 5::
- urls: https://www.pycryptodome.org/en/latest/src/vs_pycrypto.html#:~:text=not%20have%20ECB%20as%20default%20mode, https://httpie.io/docs/cli/sessions, http://{proxy, http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b4eb1f29ebddd60c41a2eb39f5af701e38e0d3fd, https://trac.ffmpeg.org/ticket/2702 (+29 more)
- domains: www.pycryptodome.org, aria2.github.io, httpie.io, git.videolan.org, trac.ffmpeg.org (+25 more)
- emails: nowhere@yt-dlp.github.io.invalid, admin@altcensored.com, guest@inmobly.com, ytdl@yt-dl.org, joe@blazestreaming.com (+15 more)
- sha256Hashes: 3AF0298C219469522A313570E8583005A642E73EDD58E3EA2FB7339D3DF1597E, 1a1e49da8b07fd908384a982b4ba9ff0268c509a474576ebdf7b1392f4acae3b, 84614af88e446612f49ca966cf8f80eab2c73376bedd80555741c521c26f9a3e, 795cd9c089a1fc48094524a5eba85a3fca1331817c802f601735907c8bbb4f50, 64dec00a6989ba83d087621465b5e5d38bdac22033b0613b659c442c78976fa0 (+29 more)
- payloadFileHash: 2e2375d2acb8d44ff6e4387a198ad0407ba8836f21ca99851e3170d1320fce01
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | yt-api-dlp | all (affected) | — |
Aliases
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.