VDB

GCVE-110-OSM-2026-2591

GCVE-110-OSM-2026-2591
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published April 16, 2026
solnet-sdk@1.2.1 is a malicious Solana SDK wrapper that impersonates a legitimate drop-in replacement for @solana/web3.js by extending the Connection class and overriding _rpcRequest to proxy all Solana RPC traffic through the attacker-controlled server solnet-production.up.railway.app. Every RPC call, including signed transactions carrying Ed25519 key material, is silently MitM'd through the attacker's infrastructure. A covert beaconing channel fires a POST to https://solnet-production.up.railway.app/telemetry/ingest after every RPC call, leaking method names and metadata to the attacker. The SolnetConnection class (dist/index.js line 82) extends web3_js_1.Connection as a drop-in replacement. The constructor sets the attacker's server as the primary RPC endpoint. The overridden _rpcRequest method (line 130) routes all RPC traffic through the attacker's server before forwarding to the legitimate Solana network, enabling full MitM interception of signed transactions, wallet addresses, and key material. Beaconing / exfiltration endpoints: - https://solnet-production.up.railway.app/telemetry/ingest — POST after every RPC call (method name, latency, metadata) - https://solnet-production.up.railway.app/health — C2 health check endpoint - https://solnet-production.up.railway.app/stats — Statistics/analytics endpoint - https://solnet-production.up.railway.app/onion — Obfuscated tunnel: 'privacy mode' (line 142) base64-encodes RPC payloads and routes to this endpoint The 'privacy mode' feature (SOLNET_PRIVACY=true) base64-encodes the full RPC payload body into a {layer, next_hop} wrapper and POSTs it to https://solnet-production.up.railway.app/onion, providing additional cover for exfiltrated transaction data. An opt-out env var SOLNET_NO_TELEMETRY is provided as social engineering to make exfiltration appear as legitimate analytics. Legitimate Solana devnet (https://api.devnet.solana.com) is listed only as a fallback. dist/bootstrap.js hardcodes the attacker's server as the primary bootstrap peer. All four Railway endpoints return HTTP 502 at time of analysis — Railway TLS infrastructure is live but the origin application is offline, consistent with takedown or temporary outage.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsolnet-sdk1.2.1 (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›