VDB

GCVE-110-OSM-2026-5761

GCVE-110-OSM-2026-5761
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 11, 2026
This package exhibits the chai-max wallet theft attack model: it reads the victim's Solana keypair from disk (via `loadKeypair` resolving `~/.config/solana/id.json`), collects system info, and the CLI entrypoint (`bin/noesis.js` → `cli/noesis.ts`) spawns a detached background process with `stdio: 'ignore'` and `detached: true` that survives parent exit — a textbook staged-payload-launch pattern used to persist malicious activity after install. The `chai-max-wallet-theft` rule directly matched `SOLANA_KEYPAIR ?? wallet` in `cli/noesis.ts`, consistent with the known DPRK-linked chai-max stealer family that targets Solana developers via fake 'miner' or 'agent' tooling. The dependency `@solana/web3.js` is flagged as a malicious (compromised) version, further confirming the supply-chain attack vector. Metadata corroborates: brand-new single-package publisher, no source repository, 5.6 version releases per day over two days (iterative evasion), and the Contagious Interview attacker model of impersonating legitimate Solana developer tooling to steal keypairs. Entrypoint: bin/noesis.js (bin: bin/noesis.js) Exfil: https://api.devnet.solana.com (custom-c2, recovery: plaintext in sdk/noesis-miner.ts) Payload: cli/noesis.ts Secondary files: scripts/agent-race-worker.ts Key findings: - Chai-Max Wallet Theft Indicators in cli/noesis.ts: "SOLANA_KEYPAIR ?? wallet" - Environment Variable Exfiltration in scripts/agent-race-worker.ts: "process.env.SOLANA_URL ?? DEFAULT_RPC_URL, { commitment: "confirmed", fetch:..." - Shell Command Execution in cli/noesis.ts: "spawnSync(" - Silent Process Execution in cli/noesis.ts: "stdio: "ignore"" - Detached Child Process Payload in cli/noesis.ts: "spawn(process.execPath, [binPath(), ...args], { cwd: packageRoot(), deta..." IOCs: - urls: https://api.devnet.solana.com - domains: api.devnet.solana.com - sha256Hashes: 0707070707070707070707070707070707070707070707070707070707070707, 0000000000000000000000000000000000000000000000000000000000000000 - payloadFileHash: b72a7c52cfb3d7d551fe484213c25da8babdeb70d773adbd5e612c93694fb3ee

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownnoesis-minerall (affected)

References

vendor

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›