VDB
GCVE-110-OSM-2026-5761
GCVE-110-OSM-2026-5761
Advisory PublishedCVSS 9.6/10
This package exhibits the chai-max wallet theft attack model: it reads the victim's Solana keypair from disk (via `loadKeypair` resolving `~/.config/solana/id.json`), collects system info, and the CLI entrypoint (`bin/noesis.js` → `cli/noesis.ts`) spawns a detached background process with `stdio: 'ignore'` and `detached: true` that survives parent exit — a textbook staged-payload-launch pattern used to persist malicious activity after install. The `chai-max-wallet-theft` rule directly matched `SOLANA_KEYPAIR ?? wallet` in `cli/noesis.ts`, consistent with the known DPRK-linked chai-max stealer family that targets Solana developers via fake 'miner' or 'agent' tooling. The dependency `@solana/web3.js` is flagged as a malicious (compromised) version, further confirming the supply-chain attack vector. Metadata corroborates: brand-new single-package publisher, no source repository, 5.6 version releases per day over two days (iterative evasion), and the Contagious Interview attacker model of impersonating legitimate Solana developer tooling to steal keypairs.
Entrypoint: bin/noesis.js (bin: bin/noesis.js)
Exfil: https://api.devnet.solana.com (custom-c2, recovery: plaintext in sdk/noesis-miner.ts)
Payload: cli/noesis.ts
Secondary files: scripts/agent-race-worker.ts
Key findings:
- Chai-Max Wallet Theft Indicators in cli/noesis.ts: "SOLANA_KEYPAIR ?? wallet"
- Environment Variable Exfiltration in scripts/agent-race-worker.ts: "process.env.SOLANA_URL ?? DEFAULT_RPC_URL, {
commitment: "confirmed",
fetch:..."
- Shell Command Execution in cli/noesis.ts: "spawnSync("
- Silent Process Execution in cli/noesis.ts: "stdio: "ignore""
- Detached Child Process Payload in cli/noesis.ts: "spawn(process.execPath, [binPath(), ...args], {
cwd: packageRoot(),
deta..."
IOCs:
- urls: https://api.devnet.solana.com
- domains: api.devnet.solana.com
- sha256Hashes: 0707070707070707070707070707070707070707070707070707070707070707, 0000000000000000000000000000000000000000000000000000000000000000
- payloadFileHash: b72a7c52cfb3d7d551fe484213c25da8babdeb70d773adbd5e612c93694fb3ee
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | noesis-miner | all (affected) | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.