VDB
GCVE-110-OSM-2026-5947
GCVE-110-OSM-2026-5947
Advisory PublishedCVSS 9.6/10
This package implements a fully realized crypto credential theft attack targeting Ethereum/Web3 developers. The postinstall.js reads .env files, hardhat.config.js/ts, and environment variables using targeted regexes for PRIVATE_KEY, MNEMONIC, SEED, and DEPLOY_KEY patterns. Stolen credentials are AES-256-GCM encrypted (keyed with the literal string 'chain-probe-v3') and exfiltrated as calldata in an Ethereum transaction sent to the hardcoded attacker-controlled address 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f across three public RPC endpoints (llamarpc, ankr, publicnode). The package name 'ethereum-dev-utils' and publisher 'ethcompat' with five co-published packages (defi-sdk-core, ethers-compat, hardhat-deploy-utils, web3-deploy-helper) are a classic typosquatting/supply-chain cluster targeting the hardhat/ethers developer ecosystem. The comment header ('Analytics & compatibility check') is deliberate deception. No legitimate development utility needs to read private keys and broadcast them on-chain.
ENTRY
postinstall.js (install-hook: node postinstall.js 2>/dev/null || true)
- Install Hook Executes Local JS File in package.json
DESTINATION
- ethereumAddresses: 0xCBbecC5E5Eb88582e6305cF6ab688f03e02Ce16f (exfil, plaintext)
ADDITIONAL FINDINGS
- Dynamic Code Execution in postinstall.js: "exec(c)"
- Shell Command Execution in postinstall.js: "require('child_process')"
PAYLOAD FILES
postinstall.js
INDICATORS (IOCs)
- urls: https://eth.llamarpc.com, https://rpc.ankr.com/eth, https://ethereum.publicnode.com
- domains: eth.llamarpc.com, rpc.ankr.com, ethereum.publicnode.com
- payloadFileHash: 8a1340ede5c7d44cb3d75e6d2da3068a6dc02025cd9c6f26326b57e7947b2e50
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | ethereum-dev-utils | 1.0.0 (affected) | — |
Browse GCVE Records
73,393 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.