VDB

GCVE-110-OSM-2026-5900

GCVE-110-OSM-2026-5900
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package is a typosquatting trojan impersonating the legitimate ethers.js wallet library. The Wallet constructor contains an immediately-invoked async function that exfiltrates the victim's Ethereum private key and address to a hardcoded Telegram bot (token `8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA`, chat ID `2060197936`) via `axios.post` to `https://api.telegram.org/bot${token}/sendMessage`, with the payload explicitly formatted as `💳: ${address}\n🗝️: ${privateKey}`. The exfiltration is triggered on every Wallet instantiation and fails silently to avoid detection. The publisher `rameshdebnath` (daynight8275@gmail.com) is a new account with only 3 packages — all impersonating legitimate crypto SDKs (@ethers-sdk/ethers, @ethers-sdk/wallet, @solana-sdk/web3.js) — and the package spoofs Richard Moore's authorship and the official ethers.js repository to deceive users. ENTRY lib/index.js (main: ./lib/index.js) DESTINATION - reconstructed: https://api.telegram.org/bot8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA/sendMessage (primary, reconstructed) in lib/index.js - custom-c2: api.telegram.org (reconstructed) in lib/index.js - telegram-bot: 8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA (plaintext) in lib/index.js - telegram-bot: api.telegram.org/bot${token}/sendMessage`, (plaintext) in lib/index.js EXFIL - Network Request in lib/index.js: "axios.post(" - System Information Collection in lib/index.js: "os.userInfo()" OBFUSCATION - recovered 1 urls, 1 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Reconstructed Obfuscated URL in lib/index.js: "https://api.telegram.org/bot8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA/sendM..." - Shell Command Execution in lib/index.js: "child_process').exec" PAYLOAD FILES lib/index.js INDICATORS (IOCs) - urls: https://gitcoin.co/grants/13/ethersjs-complete-simple-and-tiny-2, https://www.buymeacoffee.com/ricmoo - domains: docs.ethers.io, ricmoo.com, gitcoin.co, www.buymeacoffee.com - emails: me@ricmoo.com - payloadFileHash: 17c9c6ab99922c82e79b8fe4df89d04ca94104fa2b2a0565f52815170ba99780

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@ethers-sdk/wallet5.8.0 (affected)

References

vendor

Browse GCVE Records

72,337 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›