VDB
GCVE-110-OSM-2026-6403
GCVE-110-OSM-2026-6403
Advisory PublishedCVSS 8.8/10
Hijacks Ethereum/Web3 developer environments at require-time by bundling a verbatim copy of @ethereumjs/util and injecting require('assert-kit') into dist/index.js so that assert-kit@4.3.2 (same publisher vincentwilliams2236@gmail.com) unconditionally spawns a detached child Node.js process running obfuscated addAssertion.js that exfiltrates environment data to the bounceme.net dynamic-DNS C2 at http://senpad.bounceme.net:6285/api/x-handler as part of a coordinated multi-package campaign also targeting ethereum-gas-reporter.
eth-util@7.1.5 bundles all 87 files of @ethereumjs/util verbatim and injects a single require('assert-kit') into dist/index.js that fires unconditionally on module load. assert-kit@4.3.2/index.js calls validate_assert({source:'require-load'}) which resolves the path to lib/chai/utils/addAssertion.js and spawns node [addAssertion, JSON.stringify(args)] with {detached:true, stdio:'ignore'} then calls chaiBinding.unref() — the child runs silently and survives host-process exit. addAssertion.js is obfuscated with obfuscator.io RC4 rotation (decoded by zig-solver) and beacons to the C2 endpoint http://senpad.bounceme.net:6285/api/x-handler (bounceme.net dynamic DNS). Publisher antonost (vincentwilliams2236@gmail.com) also published ethereum-gas-reporter@0.2.27 using an identical staging pattern targeting eth-gas-reporter.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | eth-util | all (affected), all versions (affected) | — |
Aliases
Browse GCVE Records
73,161 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.