VDB

GCVE-110-OSM-2026-6403

GCVE-110-OSM-2026-6403
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published June 19, 2026
Hijacks Ethereum/Web3 developer environments at require-time by bundling a verbatim copy of @ethereumjs/util and injecting require('assert-kit') into dist/index.js so that assert-kit@4.3.2 (same publisher vincentwilliams2236@gmail.com) unconditionally spawns a detached child Node.js process running obfuscated addAssertion.js that exfiltrates environment data to the bounceme.net dynamic-DNS C2 at http://senpad.bounceme.net:6285/api/x-handler as part of a coordinated multi-package campaign also targeting ethereum-gas-reporter. eth-util@7.1.5 bundles all 87 files of @ethereumjs/util verbatim and injects a single require('assert-kit') into dist/index.js that fires unconditionally on module load. assert-kit@4.3.2/index.js calls validate_assert({source:'require-load'}) which resolves the path to lib/chai/utils/addAssertion.js and spawns node [addAssertion, JSON.stringify(args)] with {detached:true, stdio:'ignore'} then calls chaiBinding.unref() — the child runs silently and survives host-process exit. addAssertion.js is obfuscated with obfuscator.io RC4 rotation (decoded by zig-solver) and beacons to the C2 endpoint http://senpad.bounceme.net:6285/api/x-handler (bounceme.net dynamic DNS). Publisher antonost (vincentwilliams2236@gmail.com) also published ethereum-gas-reporter@0.2.27 using an identical staging pattern targeting eth-gas-reporter.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknowneth-utilall (affected), all versions (affected)

References

advisory
vendor

Browse GCVE Records

73,161 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›