VDB

GCVE-110-OSM-2026-7399

GCVE-110-OSM-2026-7399
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 5, 2026
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity, obfuscated code. ENTRY yt_api_dlp/__init__.py (module-import: 916) LOOT - Browser Data Theft in yt_api_dlp/extractor/euscreen.py: "Chrome/94.0.4606.71 Safari/537.36</appversion><useragent>Mozilla/5.0 (Windows NT..." PERSISTENCE - Startup Persistence in yt_api_dlp/extractor/plyr.py: ".profile" DESTINATION - custom-c2: https://chromium.googlesource.com/chromium/src/+/HEAD/docs/user_data_dir.md (primary, plaintext) in yt_api_dlp/cookies.py - custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/ (plaintext) in yt_api_dlp/cookies.py - custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/key_storage_linux.cc (plaintext) in yt_api_dlp/cookies.py - custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/os_crypt_linux.cc (plaintext) in yt_api_dlp/cookies.py - custom-c2: https://chromium.googlesource.com/chromium/src/+/bbd54702284caca1f92d656fdcadf2ccca6f4165%5E%21/ (plaintext) in yt_api_dlp/cookies.py - custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/os_crypt_mac.mm (plaintext) in yt_api_dlp/cookies.py - custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/components/os_crypt/sync/os_crypt_win.cc (plaintext) in yt_api_dlp/cookies.py - custom-c2: https://chromium.googlesource.com/chromium/src/+/refs/heads/main/base/nix/xdg_util.h (plaintext) in yt_api_dlp/cookies.py (+113 more) EXFIL - Environment Variable Exfiltration in yt_api_dlp/__init__.py: "os.environ["APPDATA"] directory = os.path.join(appdata, "RtkAudService") req = u..." - Corporate Environment Targeting in yt_api_dlp/extractor/bitmovin.py: "tmovin\.com/(?P<id>\w+)[^"\']+)'] _TEST" - Corporate Environment Targeting in yt_api_dlp/extractor/generic.py: "tmovin.com/demos/stream-test" - Corporate Environment Targeting in yt_api_dlp/extractor/magentamusik.py: "magentamusik\.de/(?P<id>[^/?#]+)' _TEST" - OAST/Interactsh Exfiltration in yt_api_dlp/extractor/unsupported.py: "gofile.io" - Data Encoding for Exfiltration in yt_api_dlp/cache.py: "urllib.parse.quote(" - Data Encoding for Exfiltration in yt_api_dlp/downloader/youtube_live_chat.py: "json.dumps(action, ensure_ascii=False).encode" - Data Encoding for Exfiltration in yt_api_dlp/extractor/abematv.py: "json.dumps({ 'kv': 'a', 'lt': ticket, }).encode" (+170 more) OBFUSCATION - Decoded Base64 Content in yt_api_dlp/extractor/ard.py (x5) - Python Binascii String Hiding in yt_api_dlp/extractor/tarangplus.py: "binascii.unhexlify('" - Hex Encoded Strings in yt_api_dlp/extractor/hotstar.py: "'\x05\xfc\x1a\x01\xca\xc9\x4b\xc4\x12\xfc\x53\x12\x07\x75\xf9\xee'" - Unicode Escape Obfuscation in yt_api_dlp/extractor/hotstar.py: "\x05\xfc\x1a\x01\xca\xc9\x4b\xc4\x12\xfc\x53\x12\x07\x75\xf9\xee" - Hex Encoded Strings in yt_api_dlp/extractor/ivi.py: "'\xf1\x02\x32\xb7\xbc\x5c\x7a\xe8\xf7\x96\xc1\x33\x2b\x27\xa1\x8c'" - Unicode Escape Obfuscation in yt_api_dlp/extractor/ivi.py: "\xf1\x02\x32\xb7\xbc\x5c\x7a\xe8\xf7\x96\xc1\x33\x2b\x27\xa1\x8c" - Base64 Encoded Payload in yt_api_dlp/extractor/loco.py: "'Kp7tYlUN7LXvtcSpwYvIitgYcLparbtsQSe5AdyyCdiEJBP53Vt9J8eB4AsLdChIpcO2BM19RA3HsGt..." - Base64 Encoded Payload in yt_api_dlp/extractor/nytimes.py: "'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuNIzKBOFB77aT/jN/FQ+/QVKWq5V1ka1AYm..." (+7 more) ADDITIONAL FINDINGS - Chai-Max Browser Data Theft in yt_api_dlp/cookies.py: "chrome_cookies(browser_name, profile, keyring, logger): logger.info(f'Extracting..." - Shell Command Execution in yt_api_dlp/__init__.py: "subprocess.Popen(" - Silent Process Execution in yt_api_dlp/__init__.py: "stdout=subprocess.DEVNULL" - Tunneling Service Usage in yt_api_dlp/extractor/bbc.py: ".onion" - Suspicious TLD Domain in yt_api_dlp/extractor/chaturbate.py: "https://roomimg.stream" PAYLOAD FILES yt_api_dlp/extractor/ard.py INDICATORS (IOCs) - ipv4: 4.3.2.4, 4.3.2.2, 4.3.3.2, 4.3.3.5, 4.3.2.5 (+7 more) - ipv6: 2::, 5:: - urls: https://www.pycryptodome.org/en/latest/src/vs_pycrypto.html#:~:text=not%20have%20ECB%20as%20default%20mode, https://httpie.io/docs/cli/sessions, http://{proxy, http://git.videolan.org/?p=ffmpeg.git;a=commit;h=b4eb1f29ebddd60c41a2eb39f5af701e38e0d3fd, https://trac.ffmpeg.org/ticket/2702 (+29 more) - domains: www.pycryptodome.org, aria2.github.io, httpie.io, git.videolan.org, trac.ffmpeg.org (+25 more) - emails: nowhere@yt-dlp.github.io.invalid, admin@altcensored.com, guest@inmobly.com, ytdl@yt-dl.org, joe@blazestreaming.com (+15 more) - sha256Hashes: 3AF0298C219469522A313570E8583005A642E73EDD58E3EA2FB7339D3DF1597E, 1a1e49da8b07fd908384a982b4ba9ff0268c509a474576ebdf7b1392f4acae3b, 84614af88e446612f49ca966cf8f80eab2c73376bedd80555741c521c26f9a3e, 795cd9c089a1fc48094524a5eba85a3fca1331817c802f601735907c8bbb4f50, 64dec00a6989ba83d087621465b5e5d38bdac22033b0613b659c442c78976fa0 (+29 more) - payloadFileHash: 2e2375d2acb8d44ff6e4387a198ad0407ba8836f21ca99851e3170d1320fce01

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownyt-api-dlpall (affected)

References

advisory
vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›