VDB
GCVE-110-OSM-2026-4297
GCVE-110-OSM-2026-4297
Advisory PublishedCVSS 8.8/10
Beacons to attacker-controlled Cloudflare Worker infrastructure at install time and on require(), transmitting package name and Node.js version to https://icy-cell-fb53.gh0stfqce25.workers.dev/poc. The package impersonates Coinbase Wallet's internal Solana Provider namespace as a dependency confusion probe, with a fabricated 'security-research placeholder' description used as deniability cover. Part of a 3-package cluster sharing the same C2 infrastructure under publisher thawk33@hotmail.com (npm: gh0stfqce).
**Trigger** (`postinstall`): executes `node postinstall.js` at install time, firing a GET beacon to `icy-cell-fb53.gh0stfqce25.workers.dev` with the package name and Node.js version as query parameters.
**Second trigger** (require-time IIFE): top-level IIFE in `index.js` fires a second GET beacon to the same endpoint whenever the package is required, sending the package name.
**Data collected**: package name from package.json and `process.version`; no credentials, environment variables, or filesystem reads.
**Infrastructure**: Cloudflare Worker subdomain `gh0stfqce25` matches publisher npm username `gh0stfqce`, confirming attacker-controlled beacon infrastructure shared across sibling packages `scw-mobile` and `base-account-core`.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cb-wallet-solana-provider | 0.0.1 (affected) | — |
Browse GCVE Records
73,442 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.