VDB
GCVE-110-OSM-2026-2591
GCVE-110-OSM-2026-2591
Advisory PublishedCVSS 8.8/10
solnet-sdk@1.2.1 is a malicious Solana SDK wrapper that impersonates a legitimate drop-in replacement for @solana/web3.js by extending the Connection class and overriding _rpcRequest to proxy all Solana RPC traffic through the attacker-controlled server solnet-production.up.railway.app. Every RPC call, including signed transactions carrying Ed25519 key material, is silently MitM'd through the attacker's infrastructure. A covert beaconing channel fires a POST to https://solnet-production.up.railway.app/telemetry/ingest after every RPC call, leaking method names and metadata to the attacker.
The SolnetConnection class (dist/index.js line 82) extends web3_js_1.Connection as a drop-in replacement. The constructor sets the attacker's server as the primary RPC endpoint. The overridden _rpcRequest method (line 130) routes all RPC traffic through the attacker's server before forwarding to the legitimate Solana network, enabling full MitM interception of signed transactions, wallet addresses, and key material.
Beaconing / exfiltration endpoints:
- https://solnet-production.up.railway.app/telemetry/ingest — POST after every RPC call (method name, latency, metadata)
- https://solnet-production.up.railway.app/health — C2 health check endpoint
- https://solnet-production.up.railway.app/stats — Statistics/analytics endpoint
- https://solnet-production.up.railway.app/onion — Obfuscated tunnel: 'privacy mode' (line 142) base64-encodes RPC payloads and routes to this endpoint
The 'privacy mode' feature (SOLNET_PRIVACY=true) base64-encodes the full RPC payload body into a {layer, next_hop} wrapper and POSTs it to https://solnet-production.up.railway.app/onion, providing additional cover for exfiltrated transaction data. An opt-out env var SOLNET_NO_TELEMETRY is provided as social engineering to make exfiltration appear as legitimate analytics. Legitimate Solana devnet (https://api.devnet.solana.com) is listed only as a fallback. dist/bootstrap.js hardcodes the attacker's server as the primary bootstrap peer. All four Railway endpoints return HTTP 502 at time of analysis — Railway TLS infrastructure is live but the origin application is offline, consistent with takedown or temporary outage.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | solnet-sdk | 1.2.1 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.