VDB

GCVE-110-OSM-2026-4297

GCVE-110-OSM-2026-4297
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published May 19, 2026
Beacons to attacker-controlled Cloudflare Worker infrastructure at install time and on require(), transmitting package name and Node.js version to https://icy-cell-fb53.gh0stfqce25.workers.dev/poc. The package impersonates Coinbase Wallet's internal Solana Provider namespace as a dependency confusion probe, with a fabricated 'security-research placeholder' description used as deniability cover. Part of a 3-package cluster sharing the same C2 infrastructure under publisher thawk33@hotmail.com (npm: gh0stfqce). **Trigger** (`postinstall`): executes `node postinstall.js` at install time, firing a GET beacon to `icy-cell-fb53.gh0stfqce25.workers.dev` with the package name and Node.js version as query parameters. **Second trigger** (require-time IIFE): top-level IIFE in `index.js` fires a second GET beacon to the same endpoint whenever the package is required, sending the package name. **Data collected**: package name from package.json and `process.version`; no credentials, environment variables, or filesystem reads. **Infrastructure**: Cloudflare Worker subdomain `gh0stfqce25` matches publisher npm username `gh0stfqce`, confirming attacker-controlled beacon infrastructure shared across sibling packages `scw-mobile` and `base-account-core`.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowncb-wallet-solana-provider0.0.1 (affected)

Browse GCVE Records

73,442 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›