VDB

GCVE-110-OSM-2026-4295

GCVE-110-OSM-2026-4295
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 19, 2026
Beacons to an attacker-controlled Cloudflare Worker at `icy-cell-fb53.gh0stfqce25.workers.dev` at both install time via a postinstall hook and at require() time via a top-level IIFE, transmitting the package name and Node.js version as a dependency confusion probe against Coinbase's internal Smart Contract Wallet npm namespace. The package.json description contains fabricated deniability language referencing security@coinbase.com to evade removal. The publisher npm username (gh0stfqce) is encoded directly in the C2 subdomain. Part of a 3-package cluster with base-account-core and cb-wallet-solana-provider using the same infrastructure. **Trigger** (`postinstall`): executes `node postinstall.js` at install time. **Beacon (install-time)**: `postinstall.js` lines 5-10 issue an HTTP GET to `https://icy-cell-fb53.gh0stfqce25.workers.dev/poc` with query parameters encoding the package name and Node.js version. **Trigger (require-time)**: `index.js` top-level IIFE at lines 3-5 issues a second HTTP GET to the same C2 base URL with h=runtime context. **C2 response**: Worker returns 'ok'; no second-stage payload or credential collection confirmed.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownscw-mobile0.0.1 (affected)

References

vendor

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›