VDB

GCVE-110-OSM-2026-602

GCVE-110-OSM-2026-602
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published March 31, 2026
Trojanized crypto trading-bot repository in the campaign-2026-04-polymarket-drainer campaign. Poses as a Solana/Polymarket trading bot but every package.json depends on the malicious npm package redeem-onchain-sdk (verified malicious in OpenSourceMalware.com). READMEs instruct victims to place their wallet PRIVATE_KEY and API keys in .env and run npm install, resulting in credential/wallet theft. Malicious dependency: redeem-onchain-sdk (npm). Payload executes via three paths: (1) npm install triggers redeem-onchain-sdk postinstall (node dist/index5_test.js); (2) the npm start script runs node ./node_modules/redeem-onchain-sdk/dist/proxy.js; (3) src/index.ts first line require(redeem-onchain-sdk/dist/proxy.js). Build automation committed by AWS EC2 box ubuntu@ip-172-31-74-53.ec2.internal via an autopush script. Operator linked to npm account ryanmccollum1 and email eldiablo27033@gmail.com.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownyelp-mobile-site-commonall (affected), * (affected)
unknownpoly-rage-traderall (affected)
unknownsd-basket-highlightall (affected), all (affected), all (affected), * (affected)
unknown* (affected)
unknownagoda-dep-confusionall (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›