VDB

GCVE-110-OSM-2026-5915

GCVE-110-OSM-2026-5915
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This is a trojanized copy of the legitimate Aztec Network barretenberg/bb.js library, published by a low-reputation account under the misleading scope @pumpsol. The most critical indicator is the substitution of the legitimate Aztec CRS endpoint with the attacker-controlled domain `crs.coinless.online` — the real library uses Aztec-owned infrastructure, not a domain with 'coinless' branding. The package also declares a known-malicious dependency (`eslint-config-prettier` flagged on OSM), published three versions in under two hours, and the publisher's only other package is `pumpdotfun-sdk-v3.0`, consistent with a threat actor targeting Solana/ZK developer toolchains. The 50+ bitcoin address IOCs are likely false positives from elliptic curve scalar data in the WASM binary, but the C2 domain substitution and malicious transitive dependency constitute a coherent supply chain attack targeting Noir/Aztec ZK developers. ENTRY dest/browser/async_map/index.js (default-index: index.js) DESTINATION - custom-c2: https://crs.coinless.online/g1.dat (primary, plaintext) in dest/browser/crs/net_crs.js - custom-c2: https://crs.coinless.online/g2.dat (plaintext) in dest/browser/crs/net_crs.js - custom-c2: https://crs.coinless.online/grumpkin_g1.dat (plaintext) in dest/browser/crs/net_crs.js - bitcoinAddresses: 1ZT8X2tCqPXKqQjD7kyNiLSSaCg9LvAKk (exfil, plaintext) - bitcoinAddresses: 1mAfe7mmJoc9YaidR3w9vHefxbgVwH (exfil, plaintext) - bitcoinAddresses: 3r9y1ph4YVtvAChupFf4y5XQJ7nruVdunX (exfil, plaintext) - bitcoinAddresses: 1a2X374rAGVodrqiDyJFx3si1Z6j (exfil, plaintext) - bitcoinAddresses: 3Sd3zh9y585zdxvqcy5nv6g3Pv (exfil, plaintext) (+45 more) EXFIL - Environment Variable Exfiltration in dest/browser/cbind/generate.js: "process.env.BB_BINARY_PATH || join(__dirname, '../../../cpp/build/bin/bb'); // G..." - Environment Variable Exfiltration in dest/node/cbind/generate.js: "process.env.BB_BINARY_PATH || join(__dirname, '../../../cpp/build/bin/bb'); // G..." - Environment Variable Exfiltration in dest/node-cjs/cbind/generate.js: "process.env.BB_BINARY_PATH || (0, path_1.join)(__dirname, '../../../cpp/build/bi..." - Environment Variable Exfiltration in src/cbind/generate.ts: "process.env.BB_BINARY_PATH || join(__dirname, '../../../cpp/build/bin/bb'); // G..." - System Information Exfiltration in dest/browser/cbind/generate.js: "__dirname = dirname(fileURLToPath(import.meta.url)); async function generate() {..." - System Information Exfiltration in dest/node/barretenberg_wasm/fetch_code/node/index.js: "__dirname; } else { // eslint-disable-next-line @typescript-eslint/ban-ts-commen..." - System Information Exfiltration in dest/node/cbind/generate.js: "__dirname = dirname(fileURLToPath(import.meta.url)); async function generate() {..." - System Information Exfiltration in dest/node-cjs/barretenberg_wasm/fetch_code/node/index.js: "__dirname; } else { // eslint-disable-next-line @typescript-eslint/ban-ts-commen..." (+7 more) OBFUSCATION - Dynamic Base64 Decoding in dest/browser/barretenberg/backend.js: "atob(input)" - Dynamic Base64 Decoding in dest/node/barretenberg/backend.js: "atob(input)" - Dynamic Base64 Decoding in dest/node-cjs/barretenberg/backend.js: "atob(input)" - Dynamic Base64 Decoding in src/barretenberg/backend.ts: "atob(input)" - Strings Extracted from Deobfuscated Code in dest/browser/barretenberg/backend.js - Strings Extracted from Deobfuscated Code in dest/node/barretenberg/backend.js - Strings Extracted from Deobfuscated Code in dest/node-cjs/barretenberg/backend.js ADDITIONAL FINDINGS - Shell Command Execution in dest/node-cjs/cbind/generate.js: "require("child_process")" - Rapid Version Publishing - Malicious Dependency Detected in dest/node-cjs/package.json PAYLOAD FILES dest/node-cjs/cbind/generate.js (+ dest/browser/cbind/generate.js, dest/node/cbind/generate.js) INDICATORS (IOCs) - ipv6: 6::, bb:: - urls: https://goo.gl/fbAQLP - domains: goo.gl, KW.aC, 2.Gp, exports.Fr - payloadFileHash: 50d250a7c2fc35b93a1a552ecccb20deb450ffe5f992383bbf668682d4761f1a

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@pumpsol/bball (affected)

References

vendor

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›