VDB

GCVE-110-OSM-2026-5913

GCVE-110-OSM-2026-5913
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package is a crypto-drainer masquerading as a Jito bundle tip utility. The entrypoint `dist/index.js` reads `PRIVATE_KEY` from the environment, decodes the victim's Solana private key, fetches the full SOL balance, and transfers nearly all of it (balance minus a 0.005 SOL fee estimate) to a hardcoded attacker-controlled wallet `7FEbGaaF5FkSzN7gAnuue1bixQefqP3ucmxWxm3DUAgE`. The dependency `@solana/web3.js` is flagged as known-malicious by OSM, and the publisher `touchkey0111` has a prior confirmed-malicious package (`jito-bundle-solana`) and operates a cluster of similarly-named Jito-themed packages — a clear supply-chain typosquatting campaign targeting Solana developers. The attacker model is credential/asset theft: developers who set `PRIVATE_KEY` in their `.env` and call this utility will have their entire SOL wallet drained to the attacker's address. ENTRY dist/index.js (main: dist/index.js) ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages - Malicious Dependency Detected in package.json INDICATORS (IOCs) - urls: https://devnet.helius-rpc.com/?api-key=cc2aa914-1479-46c9-b4bb-b46c1289748a

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownjito-bundle-tip-7all (affected)

References

vendor

Browse GCVE Records

73,866 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›