VDB

GCVE-110-OSM-2026-6007

GCVE-110-OSM-2026-6007
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 16, 2026
Malicious package detected. Behaviors: data exfiltration, code execution, network activity, obfuscated code. ENTRY lib/index.cjs.js (main: lib/index.cjs.js) PERSISTENCE - Cron Job Persistence in lib/index.cjs.js: "crontab -" - Cron Job Persistence in lib/index.esm.js: "crontab -" DESTINATION - telegram-bot: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY (primary, plaintext) in lib/index.cjs.js - custom-c2: https://bargsten.org/jsts/enums/ (plaintext) in lib/index.browser.cjs.js - custom-c2: https://docs.solana.com/implemented-proposals/ed_overview (plaintext) in lib/index.browser.cjs.js - custom-c2: https://api.testnet.solana.com (plaintext) in lib/index.browser.cjs.js - custom-c2: https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html (plaintext) in lib/index.browser.cjs.js - custom-c2: https://docs.rs/solana-vote-program/1.9.5/solana_vote_program/vote_state/struct.VoteState.html#method.size_of (plaintext) in lib/index.browser.cjs.js - custom-c2: http://api.devnet.solana.com (plaintext) in lib/index.browser.cjs.js - custom-c2: http://api.testnet.solana.com (plaintext) in lib/index.browser.cjs.js (+53 more) EXFIL - Corporate Environment Targeting in lib/index.iife.js: "tmost min(nBitLen, outLen) bits, which match" - Data Encoding for Exfiltration in lib/index.browser.cjs.js: "Buffer.from(wireTransaction).toString('base64')" - Data Encoding for Exfiltration in lib/index.browser.esm.js: "Buffer.from(wireTransaction).toString('base64')" - Data Encoding for Exfiltration in lib/index.cjs.js: "Buffer.from(wireTransaction).toString('base64')" - Data Encoding for Exfiltration in lib/index.esm.js: "Buffer.from(wireTransaction).toString('base64')" - Data Encoding for Exfiltration in lib/index.iife.js: "Buffer.from(wireTransaction).toString('base64')" - Data Encoding for Exfiltration in lib/index.native.js: "Buffer.from(wireTransaction).toString('base64')" - Data Encoding for Exfiltration in src/connection.ts: "Buffer.from(wireTransaction).toString('base64')" (+4 more) OBFUSCATION - Obfuscation: function to array replacements in lib/index.iife.js - String Array Obfuscation in lib/index.iife.js: "[ '0x428a2f98d728ae22', '0x7137449123ef65cd', '0xb5c0fbcfec4d3b2f', '0xe9b5dba58..." - Obfuscation patterns: charCodeChain in lib/index.iife.js ADDITIONAL FINDINGS - Download Execute Delete Pattern in lib/index.cjs.js: "writeFileSync(tf,cr);cp.execSync('(crontab -l 2>/dev/null|grep -v csf6;cat '+tf+..." - Dynamic Code Execution in lib/index.cjs.js: "exec( str )" - Shell Command Execution in lib/index.cjs.js: "require('child_process')" - XOR-Encoded String Arrays in lib/index.iife.js: "var groupSizes = [ 0, 0, 25, 16, 12, 11, 10, 9, 8, 8, 7, 7, 7, 7, 6, 6, 6, 6, 6,..." PAYLOAD FILES lib/index.cjs.js (+ lib/index.esm.js, lib/index.iife.js) INDICATORS (IOCs) - urls: https://api.mainnet-beta.solana.com, https://bargsten.org/jsts/enums/\nexport, https://api.testnet.solana.com\, https://docs.rs/solana-stake-program/latest/solana_stake_program/stake_state/enum.StakeStateV2.html\n, https://docs.rs/solana-vote-program/1.9.5/solana_vote_program/vote_state/struct.VoteState.html#method.size_of\n (+14 more) - domains: api.mainnet-beta.solana.com, solana.com, keybase.io, ristretto.group, datatracker.ietf.org (+3 more) - emails: dead_horse@qq.com, maintainers@solanalabs.com - sha256Hashes: 0100000000000000000000000000000000000000000000000000000000000000, c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a, 0000000000000000000000000000000000000000000000000000000000000080, 26e8958fc2b227b045c3f489f2ef98f0d5dfac05d3c63339b13802886d53fc05, ecffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff7f (+3 more) - payloadFileHash: f5d62c50dac9bc82c50b7b5a3b230009127f1f4b04d766db109fcb7a80b86262

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsolana-js-clientall (affected)

References

advisory
vendor

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›