VDB
GCVE-110-OSM-2026-5900
GCVE-110-OSM-2026-5900
Advisory PublishedCVSS 9.6/10
This package is a typosquatting trojan impersonating the legitimate ethers.js wallet library. The Wallet constructor contains an immediately-invoked async function that exfiltrates the victim's Ethereum private key and address to a hardcoded Telegram bot (token `8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA`, chat ID `2060197936`) via `axios.post` to `https://api.telegram.org/bot${token}/sendMessage`, with the payload explicitly formatted as `💳: ${address}\n🗝️: ${privateKey}`. The exfiltration is triggered on every Wallet instantiation and fails silently to avoid detection. The publisher `rameshdebnath` (daynight8275@gmail.com) is a new account with only 3 packages — all impersonating legitimate crypto SDKs (@ethers-sdk/ethers, @ethers-sdk/wallet, @solana-sdk/web3.js) — and the package spoofs Richard Moore's authorship and the official ethers.js repository to deceive users.
ENTRY
lib/index.js (main: ./lib/index.js)
DESTINATION
- reconstructed: https://api.telegram.org/bot8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA/sendMessage (primary, reconstructed) in lib/index.js
- custom-c2: api.telegram.org (reconstructed) in lib/index.js
- telegram-bot: 8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA (plaintext) in lib/index.js
- telegram-bot: api.telegram.org/bot${token}/sendMessage`, (plaintext) in lib/index.js
EXFIL
- Network Request in lib/index.js: "axios.post("
- System Information Collection in lib/index.js: "os.userInfo()"
OBFUSCATION
- recovered 1 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Reconstructed Obfuscated URL in lib/index.js: "https://api.telegram.org/bot8246593007:AAGO_uv7m4VlN0fBXRTmzD4NTD5rC8WDiYA/sendM..."
- Shell Command Execution in lib/index.js: "child_process').exec"
PAYLOAD FILES
lib/index.js
INDICATORS (IOCs)
- urls: https://gitcoin.co/grants/13/ethersjs-complete-simple-and-tiny-2, https://www.buymeacoffee.com/ricmoo
- domains: docs.ethers.io, ricmoo.com, gitcoin.co, www.buymeacoffee.com
- emails: me@ricmoo.com
- payloadFileHash: 17c9c6ab99922c82e79b8fe4df89d04ca94104fa2b2a0565f52815170ba99780
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @ethers-sdk/wallet | 5.8.0 (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.