VDB
GCVE-110-OSM-2026-6007
GCVE-110-OSM-2026-6007
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code.
ENTRY
lib/index.cjs.js (main: lib/index.cjs.js)
PERSISTENCE
- Cron Job Persistence in lib/index.cjs.js: "crontab -"
- Cron Job Persistence in lib/index.esm.js: "crontab -"
DESTINATION
- telegram-bot: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY (primary, plaintext) in lib/index.cjs.js
- custom-c2: https://bargsten.org/jsts/enums/ (plaintext) in lib/index.browser.cjs.js
- custom-c2: https://docs.solana.com/implemented-proposals/ed_overview (plaintext) in lib/index.browser.cjs.js
- custom-c2: https://api.testnet.solana.com (plaintext) in lib/index.browser.cjs.js
- custom-c2: https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html (plaintext) in lib/index.browser.cjs.js
- custom-c2: https://docs.rs/solana-vote-program/1.9.5/solana_vote_program/vote_state/struct.VoteState.html#method.size_of (plaintext) in lib/index.browser.cjs.js
- custom-c2: http://api.devnet.solana.com (plaintext) in lib/index.browser.cjs.js
- custom-c2: http://api.testnet.solana.com (plaintext) in lib/index.browser.cjs.js
(+53 more)
EXFIL
- Corporate Environment Targeting in lib/index.iife.js: "tmost min(nBitLen, outLen) bits, which match"
- Data Encoding for Exfiltration in lib/index.browser.cjs.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.browser.esm.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.cjs.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.esm.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.iife.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in lib/index.native.js: "Buffer.from(wireTransaction).toString('base64')"
- Data Encoding for Exfiltration in src/connection.ts: "Buffer.from(wireTransaction).toString('base64')"
(+4 more)
OBFUSCATION
- Obfuscation: function to array replacements in lib/index.iife.js
- String Array Obfuscation in lib/index.iife.js: "[ '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58..."
- Obfuscation patterns: charCodeChain in lib/index.iife.js
ADDITIONAL FINDINGS
- Download Execute Delete Pattern in lib/index.cjs.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csf6;cat '+tf+..."
- Dynamic Code Execution in lib/index.cjs.js: "exec( str )"
- Shell Command Execution in lib/index.cjs.js: "require('child_process')"
- XOR-Encoded String Arrays in lib/index.iife.js: "var groupSizes = [ 0, 0, 25, 16, 12, 11, 10, 9, 8, 8, 7, 7, 7, 7, 6, 6, 6, 6, 6,..."
PAYLOAD FILES
lib/index.cjs.js (+ lib/index.esm.js, lib/index.iife.js)
INDICATORS (IOCs)
- urls: https://api.mainnet-beta.solana.com, https://bargsten.org/jsts/enums/\nexport, https://api.testnet.solana.com\, https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html\n, https://docs.rs/solana-vote-program/1.9.5/solana_vote_program/vote_state/struct.VoteState.html#method.size_of\n (+14 more)
- domains: api.mainnet-beta.solana.com, solana.com, keybase.io, ristretto.group, datatracker.ietf.org (+3 more)
- emails: dead_horse@qq.com, maintainers@solanalabs.com
- sha256Hashes: 0100000000000000000000000000000000000000000000000000000000000000, c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a, 0000000000000000000000000000000000000000000000000000000000000080, 26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05, ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f (+3 more)
- payloadFileHash: f5d62c50dac9bc82c50b7b5a3b230009127f1f4b04d766db109fcb7a80b86262
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | solana-js-client | all (affected) | — |
Aliases
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.