VDB
GCVE-110-OSM-2026-6513
GCVE-110-OSM-2026-6513
Advisory PublishedCVSS 5.4/10
The publisher 'rohmat2527' is a 3-day-old burner account that has published 10 packages, 8 of which have random-looking or typosquatting names targeting popular Web3/crypto libraries: 'rainbokit' and 'rainbownkit' (typosquats of 'rainbowkit'), 'thirdweb', 'thirdwebjs', 'thirdwebb', 'thirdwb', 'thurdweb', 'thidweb' (all typosquats of 'thirdweb'), alongside 'ts-escro' and 'log-taker'. The package itself claims to be big.js (a legitimate arbitrary-precision math library) with the real author's name and GitHub repo, but is published under a completely unrelated name 'rainbokit' — a classic payload-concealment tactic where the code body appears benign while the package name and publisher are the threat vector. The entrypoint code looks like a clean copy of big.js v7.0.1, suggesting the attacker may be using a legitimate payload stub in this version while the malicious payload is in a sibling package or a future update. The pattern of 10 rapidly published typosquat packages from a brand-new account targeting crypto/Web3 tooling is a strong indicator of an ongoing typosquatting campaign.
ENTRY
big.mjs (main: big.mjs)
ADDITIONAL FINDINGS
- Very New NPM Publisher Account
- Publisher Shows Burner-Account Pattern
INDICATORS (IOCs)
- urls: http://mikemcl.github.io/big.js/, https://deno.land/, https://opencollective.com/bigjs, https://www.coinbase.com/
- domains: mikemcl.github.io, www.coinbase.com, deno.land
- emails: start@yc.length, adding@yc.length
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
5.4/10
Medium · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | rainbokit | 0.0.8 (affected) | — |
Browse GCVE Records
73,196 records in the GCVE database · Updated July 17, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.