VDB

GCVE-110-OSM-2026-5947

GCVE-110-OSM-2026-5947
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package implements a fully realized crypto credential theft attack targeting Ethereum/Web3 developers. The postinstall.js reads .env files, hardhat.config.js/ts, and environment variables using targeted regexes for PRIVATE_KEY, MNEMONIC, SEED, and DEPLOY_KEY patterns. Stolen credentials are AES-256-GCM encrypted (keyed with the literal string 'chain-probe-v3') and exfiltrated as calldata in an Ethereum transaction sent to the hardcoded attacker-controlled address 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f across three public RPC endpoints (llamarpc, ankr, publicnode). The package name 'ethereum-dev-utils' and publisher 'ethcompat' with five co-published packages (defi-sdk-core, ethers-compat, hardhat-deploy-utils, web3-deploy-helper) are a classic typosquatting/supply-chain cluster targeting the hardhat/ethers developer ecosystem. The comment header ('Analytics & compatibility check') is deliberate deception. No legitimate development utility needs to read private keys and broadcast them on-chain. ENTRY postinstall.js (install-hook: node postinstall.js 2>/dev/null || true) - Install Hook Executes Local JS File in package.json DESTINATION - ethereumAddresses: 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f (exfil, plaintext) ADDITIONAL FINDINGS - Dynamic Code Execution in postinstall.js: "exec(c)" - Shell Command Execution in postinstall.js: "require('child_process')" PAYLOAD FILES postinstall.js INDICATORS (IOCs) - urls: https://eth.llamarpc.com, https://rpc.ankr.com/eth, https://ethereum.publicnode.com - domains: eth.llamarpc.com, rpc.ankr.com, ethereum.publicnode.com - payloadFileHash: 8a1340ede5c7d44cb3d75e6d2da3068a6dc02025cd9c6f26326b57e7947b2e50

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownethereum-dev-utils1.0.0 (affected)

References

vendor

Browse GCVE Records

73,393 records in the GCVE database · Updated July 17, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›