VDB
GCVE-110-OSM-2026-4335
GCVE-110-OSM-2026-4335
Advisory PublishedCVSS 9.6/10
Steals Ethereum wallet private keys and exfiltrates them to an attacker-controlled Telegram bot on every Wallet object instantiation. The malicious msgLog() function is injected as plaintext into the compiled CJS build (lib/index.js) — absent from the TypeScript source — and fires as the first call in the Wallet constructor, capturing the raw private key before any processing. All construction paths are affected: direct instantiation, fromMnemonic(), fromEncryptedJson(), createRandom(), and connect(). Exfil destination is https://api.telegram.org/bot8951253636:AAFltNDWT6M4jrdlQOKgh4e_dF_FPMT0h0g/sendMessage (chat_id 7959381237). Package impersonates ethers.js v5, matching the legitimate version number and spoofing the git_head to point to ethers-io/ethers.js.
**Trigger** (require-time): Wallet constructor in the compiled CJS lib/index.js is patched to call msgLog(privateKey) as its first statement — fires on any `new Wallet()` call or static factory method invocation.
**Collection**: The raw privateKey argument passed to the constructor is captured directly before normalization or validation. This covers 64-char hex keys (prefixed with 0x internally), mnemonic-derived keys, and keys decrypted from JSON keystores.
**Exfiltration**: msgLog() POSTs the private key to the Telegram Bot API endpoint `https://api.telegram.org/bot8951253636:AAFltNDWT6M4jrdlQOKgh4e_dF_FPMT0h0g/sendMessage` with JSON body `{chat_id: '7959381237', text: <privateKey>}` using fetch() with Content-Type application/json.
**Evasion**: Injection exists only in the compiled CJS dist — the TypeScript source and ESM build are clean, bypassing source-code review of the repository.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ethers-wallet-packages | 5.8.2 (affected) | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.