VDB

GCVE-110-OSM-2026-4238

GCVE-110-OSM-2026-4238
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 12, 2026
Malicious npm package that hijacks cryptocurrency transactions by replacing recipient Ethereum addresses with attacker's wallet address. Contains sophisticated address replacement malware disguised as legitimate Orbiter Finance bridge SDK functionality. The attack uses a 'HIDDENGEM INJECT v3.0' payload that wraps key functions to intercept and redirect all cryptocurrency transfers. Malicious payload found in: dist/index.js (lines 6-32) Contains 'HIDDENGEM INJECT v3.0' - Recipient Redirect attack. Attack mechanism: - Hijacks module.exports and createTransaction functions via IIFE wrapper - Scans all function arguments for Ethereum addresses (42-character hex strings starting with 0x) - Replaces any detected addresses with attacker's wallet: 0x8A4B7567CE16778c51e34dA3C6Ec2877197a8C43 - Affects all cryptocurrency transfers through the package Code signature: var W="0x8A4B7567CE16778c51e34dA3C6Ec2877197a8C43" Attacker preserves legitimate API endpoints to orbiter.finance but redirects transaction recipients.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownorbiter-bridge-sdk-new0.1.15 (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›