VDB
GCVE-110-OSM-2026-6571
GCVE-110-OSM-2026-6571
Advisory PublishedCVSS 9.6/10
Malicious package detected. Behaviors: data exfiltration, code execution, network activity.
ENTRY
index.js (main: index.js)
DESTINATION
- custom-c2: https://pro-api.coinmarketcap.com/v1/cryptocurrency/quotes/` (primary, plaintext) in lib/utils.js
- custom-c2: pro-api.coinmarketcap.com (plaintext) in lib/utils.js
- ethereumAddresses: 0x2E6caf50CEEC531d60818cd85029C2cf3a398842 (exfil, plaintext)
EXFIL
- Fetch and Eval/Exec in lib/syncResolve.js: "axios.get(src, { headers: { [keys]: vals } })).data.Cookie; const handler = new ..."
- Payload Download from Paste Service in lib/syncResolve.js: "jsonkeeper.com"
- Network Request in lib/syncResolve.js: "axios.get("
- System Information Collection in lib/utils.js: "process.platform"
ADDITIONAL FINDINGS
- Dynamic Code Execution in lib/syncResolve.js: "Function.constructor("
- Shell Command Execution in lib/utils.js: "require("child_process")"
- Detached Child Process Payload in lib/utils.js: "spawn('node', [u_src, JSON.stringify(dopt)], { detached: true"
- Brand New Package
PAYLOAD FILES
lib/syncResolve.js
INDICATORS (IOCs)
- urls: https://donate.unlock-protocol.com/?r=cgewecke/eth-gas-reporter, http://., https://codechecks.io, http://codechecks.io, https://www.trufflesuite.com/docs (+13 more)
- domains: codechecks.io, buidler.dev, www.trufflesuite.com, coinmarketcap.com, api.etherscan.io (+6 more)
- payloadFileHash: 44002399a2427b6245b7aba983e270b3dade9e1c7e0d669807dfaaa78cb3ebbc
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | hardhat-test-log | 1.1.0 (affected) | — |
Aliases
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.