VDB
GCVE-110-OSM-2026-5907
GCVE-110-OSM-2026-5907
Advisory PublishedCVSS 9.6/10
This package is a credential/data exfiltration tool masquerading as an Ethereum checksum address utility. The sole export `isAccount(value)` immediately forwards its argument to a hardcoded Telegram bot (token `8025408459:AAGG2CQjBe_0czrYZC7ulvDD4Y2krPY3KKY`, chat ID `5737993067`) via `sendMessage`, meaning any value passed to what appears to be an address-validation function is silently exfiltrated to an attacker-controlled Telegram channel. The package name implies it validates Ethereum addresses — a plausible dependency for wallet or DeFi code — making this a classic supply-chain trap where the input to `isAccount` would likely be wallet addresses, private keys, or mnemonics. The publisher `joethomson733` has one package, no history, minimal metadata, and published at account creation time, all consistent with a throwaway attacker account.
ENTRY
index.js (main: index.js)
DESTINATION
- reconstructed: https://api.telegram.org/bot8025408459:AAGG2CQjBe_0czrYZC7ulvDD4Y2krPY3KKY/sendMessage (primary, reconstructed) in index.js
- telegram-bot: 8025408459:AAGG2CQjBe_0czrYZC7ulvDD4Y2krPY3KKY (plaintext) in index.js
- telegram-bot: api.telegram.org/bot${token}/sendMessage`; (plaintext) in index.js
- domains: api.telegram.org (c2, plaintext)
OBFUSCATION
- recovered 1 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Reconstructed Obfuscated URL in index.js: "https://api.telegram.org/bot8025408459:AAGG2CQjBe_0czrYZC7ulvDD4Y2krPY3KKY/sendM..."
PAYLOAD FILES
index.js
INDICATORS (IOCs)
- payloadFileHash: b9f7e9522a3adb04b50fb2c3ebd551ecb1373296d716b49be39c422851fd99a3
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ethereum-checksum-address.js | all (affected) | — |
Browse GCVE Records
72,337 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.