VDB
GCVE-110-OSM-2026-5915
GCVE-110-OSM-2026-5915
Advisory PublishedCVSS 9.6/10
This is a trojanized copy of the legitimate Aztec Network barretenberg/bb.js library, published by a low-reputation account under the misleading scope @pumpsol. The most critical indicator is the substitution of the legitimate Aztec CRS endpoint with the attacker-controlled domain `crs.coinless.online` — the real library uses Aztec-owned infrastructure, not a domain with 'coinless' branding. The package also declares a known-malicious dependency (`eslint-config-prettier` flagged on OSM), published three versions in under two hours, and the publisher's only other package is `pumpdotfun-sdk-v3.0`, consistent with a threat actor targeting Solana/ZK developer toolchains. The 50+ bitcoin address IOCs are likely false positives from elliptic curve scalar data in the WASM binary, but the C2 domain substitution and malicious transitive dependency constitute a coherent supply chain attack targeting Noir/Aztec ZK developers.
ENTRY
dest/browser/async_map/index.js (default-index: index.js)
DESTINATION
- custom-c2: https://crs.coinless.online/g1.dat (primary, plaintext) in dest/browser/crs/net_crs.js
- custom-c2: https://crs.coinless.online/g2.dat (plaintext) in dest/browser/crs/net_crs.js
- custom-c2: https://crs.coinless.online/grumpkin_g1.dat (plaintext) in dest/browser/crs/net_crs.js
- bitcoinAddresses: 1ZT8X2tCqPXKqQjD7kyNiLSSaCg9LvAKk (exfil, plaintext)
- bitcoinAddresses: 1mAfe7mmJoc9YaidR3w9vHefxbgVwH (exfil, plaintext)
- bitcoinAddresses: 3r9y1ph4YVtvAChupFf4y5XQJ7nruVdunX (exfil, plaintext)
- bitcoinAddresses: 1a2X374rAGVodrqiDyJFx3si1Z6j (exfil, plaintext)
- bitcoinAddresses: 3Sd3zh9y585zdxvqcy5nv6g3Pv (exfil, plaintext)
(+45 more)
EXFIL
- Environment Variable Exfiltration in dest/browser/cbind/generate.js: "process.env.BB_BINARY_PATH || join(__dirname, '../../../cpp/build/bin/bb'); // G..."
- Environment Variable Exfiltration in dest/node/cbind/generate.js: "process.env.BB_BINARY_PATH || join(__dirname, '../../../cpp/build/bin/bb'); // G..."
- Environment Variable Exfiltration in dest/node-cjs/cbind/generate.js: "process.env.BB_BINARY_PATH || (0, path_1.join)(__dirname, '../../../cpp/build/bi..."
- Environment Variable Exfiltration in src/cbind/generate.ts: "process.env.BB_BINARY_PATH || join(__dirname, '../../../cpp/build/bin/bb'); // G..."
- System Information Exfiltration in dest/browser/cbind/generate.js: "__dirname = dirname(fileURLToPath(import.meta.url)); async function generate() {..."
- System Information Exfiltration in dest/node/barretenberg_wasm/fetch_code/node/index.js: "__dirname; } else { // eslint-disable-next-line @typescript-eslint/ban-ts-commen..."
- System Information Exfiltration in dest/node/cbind/generate.js: "__dirname = dirname(fileURLToPath(import.meta.url)); async function generate() {..."
- System Information Exfiltration in dest/node-cjs/barretenberg_wasm/fetch_code/node/index.js: "__dirname; } else { // eslint-disable-next-line @typescript-eslint/ban-ts-commen..."
(+7 more)
OBFUSCATION
- Dynamic Base64 Decoding in dest/browser/barretenberg/backend.js: "atob(input)"
- Dynamic Base64 Decoding in dest/node/barretenberg/backend.js: "atob(input)"
- Dynamic Base64 Decoding in dest/node-cjs/barretenberg/backend.js: "atob(input)"
- Dynamic Base64 Decoding in src/barretenberg/backend.ts: "atob(input)"
- Strings Extracted from Deobfuscated Code in dest/browser/barretenberg/backend.js
- Strings Extracted from Deobfuscated Code in dest/node/barretenberg/backend.js
- Strings Extracted from Deobfuscated Code in dest/node-cjs/barretenberg/backend.js
ADDITIONAL FINDINGS
- Shell Command Execution in dest/node-cjs/cbind/generate.js: "require("child_process")"
- Rapid Version Publishing
- Malicious Dependency Detected in dest/node-cjs/package.json
PAYLOAD FILES
dest/node-cjs/cbind/generate.js (+ dest/browser/cbind/generate.js, dest/node/cbind/generate.js)
INDICATORS (IOCs)
- ipv6: 6::, bb::
- urls: https://goo.gl/fbAQLP
- domains: goo.gl, KW.aC, 2.Gp, exports.Fr
- payloadFileHash: 50d250a7c2fc35b93a1a552ecccb20deb450ffe5f992383bbf668682d4761f1a
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @pumpsol/bb | all (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.