VDB
GCVE-110-OSM-2026-4295
GCVE-110-OSM-2026-4295
Advisory PublishedCVSS 8.8/10
Beacons to an attacker-controlled Cloudflare Worker at `icy-cell-fb53.gh0stfqce25.workers.dev` at both install time via a postinstall hook and at require() time via a top-level IIFE, transmitting the package name and Node.js version as a dependency confusion probe against Coinbase's internal Smart Contract Wallet npm namespace. The package.json description contains fabricated deniability language referencing security@coinbase.com to evade removal. The publisher npm username (gh0stfqce) is encoded directly in the C2 subdomain. Part of a 3-package cluster with base-account-core and cb-wallet-solana-provider using the same infrastructure.
**Trigger** (`postinstall`): executes `node postinstall.js` at install time.
**Beacon (install-time)**: `postinstall.js` lines 5-10 issue an HTTP GET to `https://icy-cell-fb53.gh0stfqce25.workers.dev/poc` with query parameters encoding the package name and Node.js version.
**Trigger (require-time)**: `index.js` top-level IIFE at lines 3-5 issues a second HTTP GET to the same C2 base URL with h=runtime context.
**C2 response**: Worker returns 'ok'; no second-stage payload or credential collection confirmed.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | scw-mobile | 0.0.1 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.