VDB
GCVE-110-OSM-2026-5913
GCVE-110-OSM-2026-5913
Advisory PublishedCVSS 9.6/10
This package is a crypto-drainer masquerading as a Jito bundle tip utility. The entrypoint `dist/index.js` reads `PRIVATE_KEY` from the environment, decodes the victim's Solana private key, fetches the full SOL balance, and transfers nearly all of it (balance minus a 0.005 SOL fee estimate) to a hardcoded attacker-controlled wallet `7FEbGaaF5FkSzN7gAnuue1bixQefqP3ucmxWxm3DUAgE`. The dependency `@solana/web3.js` is flagged as known-malicious by OSM, and the publisher `touchkey0111` has a prior confirmed-malicious package (`jito-bundle-solana`) and operates a cluster of similarly-named Jito-themed packages — a clear supply-chain typosquatting campaign targeting Solana developers. The attacker model is credential/asset theft: developers who set `PRIVATE_KEY` in their `.env` and call this utility will have their entire SOL wallet drained to the attacker's address.
ENTRY
dist/index.js (main: dist/index.js)
ADDITIONAL FINDINGS
- Publisher Has Other Malicious Packages
- Malicious Dependency Detected in package.json
INDICATORS (IOCs)
- urls: https://devnet.helius-rpc.com/?api-key=cc2aa914-1479-46c9-b4bb-b46c1289748a
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | jito-bundle-tip-7 | all (affected) | — |
Browse GCVE Records
73,866 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.