VDB
GCVE-110-OSM-2026-4238
GCVE-110-OSM-2026-4238
Advisory PublishedCVSS 9.6/10
Malicious npm package that hijacks cryptocurrency transactions by replacing recipient Ethereum addresses with attacker's wallet address. Contains sophisticated address replacement malware disguised as legitimate Orbiter Finance bridge SDK functionality. The attack uses a 'HIDDENGEM INJECT v3.0' payload that wraps key functions to intercept and redirect all cryptocurrency transfers.
Malicious payload found in: dist/index.js (lines 6-32)
Contains 'HIDDENGEM INJECT v3.0' - Recipient Redirect attack.
Attack mechanism:
- Hijacks module.exports and createTransaction functions via IIFE wrapper
- Scans all function arguments for Ethereum addresses (42-character hex strings starting with 0x)
- Replaces any detected addresses with attacker's wallet: 0x8A4B7567CE16778c51e34dA3C6Ec2877197a8C43
- Affects all cryptocurrency transfers through the package
Code signature: var W="0x8A4B7567CE16778c51e34dA3C6Ec2877197a8C43"
Attacker preserves legitimate API endpoints to orbiter.finance but redirects transaction recipients.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | orbiter-bridge-sdk-new | 0.1.15 (affected) | — |
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.