VDB
GCVE-110-OSM-2026-3430
GCVE-110-OSM-2026-3430
Advisory PublishedCVSS 9.6/10
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, network activity.
Payload: optional-skills/blockchain/solana/scripts/solana_client.py
Secondary files: agent/anthropic_adapter.py, bwm_cli/web_server.py
Key findings:
- Sensitive File Access in agent/file_safety.py: ""/etc/passwd""
- Chai-Max Wallet Theft Indicators in optional-skills/blockchain/solana/scripts/solana_client.py: "solana_client.py wallet"
- Environment Variable Exfiltration in optional-skills/health/fitness-nutrition/scripts/nutrition_search.py: "os.environ.get("USDA_API_KEY", "DEMO_KEY")
BASE = "https://api.nal.usda.gov/fdc..."
- Remote Code Execution in skills/red-teaming/godmode/scripts/auto_jailbreak.py: "exec(open(os.path.expanduser(
os.path.join(os.environ.get("
- Remote Code Execution in skills/red-teaming/godmode/scripts/godmode_race.py: "exec(open(os.path.join(os.environ.get("
IOCs:
- ipv4: 100.77.243.5, 100.64.0.0, 149.154.160.0, 149.154.167.220, 192.0.2.1 (+3 more)
- ipv6: 1::, c10d::, 2401:db00:eef0:1100:3560:0:1c05:25d, a::, fd00:ec2::
- urls: https://bookwormpro.local/docs/, https://bookwormpro.local, https://openrouter.ai, https://build.nvidia.com, https://platform.xiaomimimo.com (+45 more)
- domains: platform.xiaomimimo.com, www.minimax.io, huggingface.co, agentskills.io, astral.sh (+39 more)
- emails: application@q.qq.com, tier@openrouter.ai, 15551234567@s.whatsapp.net, 60123456789@s.whatsapp.net, 47@s.whatsapp.net (+15 more)
- ethereumAddresses: 0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045, 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913, 0x4200000000000000000000000000000000000006, 0x833589fcd6edb6e08f4c7c32d4f71b54bda02913, 0x2ae3f1ec7f1f5012cfeab0185bfc7aa3cf0dec22 (+8 more)
- tunnelServices: https://random-words.trycloudflare.com
- payloadFileHash: 5c8768ea48675e149be70ab1b78d53d8e5ac564337cc377094f33ae57f318f5c
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | bookwormpro | * (affected) | — |
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.