VDB

GCVE-110-OSM-2026-4335

GCVE-110-OSM-2026-4335
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published May 17, 2026
Steals Ethereum wallet private keys and exfiltrates them to an attacker-controlled Telegram bot on every Wallet object instantiation. The malicious msgLog() function is injected as plaintext into the compiled CJS build (lib/index.js) — absent from the TypeScript source — and fires as the first call in the Wallet constructor, capturing the raw private key before any processing. All construction paths are affected: direct instantiation, fromMnemonic(), fromEncryptedJson(), createRandom(), and connect(). Exfil destination is https://api.telegram.org/bot8951253636:AAFltNDWT6M4jrdlQOKgh4e_dF_FPMT0h0g/sendMessage (chat_id 7959381237). Package impersonates ethers.js v5, matching the legitimate version number and spoofing the git_head to point to ethers-io/ethers.js. **Trigger** (require-time): Wallet constructor in the compiled CJS lib/index.js is patched to call msgLog(privateKey) as its first statement — fires on any `new Wallet()` call or static factory method invocation. **Collection**: The raw privateKey argument passed to the constructor is captured directly before normalization or validation. This covers 64-char hex keys (prefixed with 0x internally), mnemonic-derived keys, and keys decrypted from JSON keystores. **Exfiltration**: msgLog() POSTs the private key to the Telegram Bot API endpoint `https://api.telegram.org/bot8951253636:AAFltNDWT6M4jrdlQOKgh4e_dF_FPMT0h0g/sendMessage` with JSON body `{chat_id: '7959381237', text: <privateKey>}` using fetch() with Content-Type application/json. **Evasion**: Injection exists only in the compiled CJS dist — the TypeScript source and ESM build are clean, bypassing source-code review of the repository.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownethers-wallet-packages5.8.2 (affected)

Browse GCVE Records

73,196 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›