VDB

GCVE-110-OSM-2026-6706

GCVE-110-OSM-2026-6706
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 26, 2026
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, obfuscated code. ENTRY dist/index.cjs (main: ./dist/index.cjs) PERSISTENCE - Startup Persistence in dist/shai-hulud.js: ".bashrc" DESTINATION - custom-c2: 115.135.196.34 (primary, plaintext) in dist/shai-hulud.js - ethereumAddresses: 0x1234567890123456789012345678901234567890 (exfil, plaintext) - ethereumAddresses: 0xABCDEFabcdef0123456789ABCDEFabcdef012345 (exfil, plaintext) - ethereumAddresses: 0xe5E91D9b21C3563011cc332B050150fb9211bBEB (exfil, plaintext) - ethereumAddresses: 0xDF8b5F9c19E187f1Ea00730a1e46180152244315 (exfil, plaintext) - ethereumAddresses: 0x0000000000000000000000000000000000000000 (exfil, plaintext) - ethereumAddresses: 0xabcdefabcdefabcdefabcdefabcdefabcdefabcd (exfil, plaintext) - ethereumAddresses: 0xabcdef1234567890abcdef1234567890abcdef12 (exfil, plaintext) EXFIL - Sensitive File Access in dist/shai-hulud.js: "'/.aws/credentials'" - Data Encoding for Exfiltration in dist/chunk-AK3REMFI.cjs: "Buffer.from(c).toString("base64")" - Data Encoding for Exfiltration in dist/chunk-GA7EPR4Z.js: "Buffer.from(c).toString("base64")" - Data Encoding for Exfiltration in dist/chunk-S77GSXV7.cjs: "encodeURIComponent(s),i=new URLSearchParams;r.chain&&i.append("chain",r.chain);l..." - Data Encoding for Exfiltration in dist/chunk-SELBUWOU.js: "encodeURIComponent(s),i=new URLSearchParams;r.chain&&i.append("chain",r.chain);l..." - Dynamic C2 Endpoint Construction in dist/chunk-XQ4G3OAY.cjs: "function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { de..." - System Information Exfiltration in dist/shai-hulud.js: "JSON.stringify({ id: data.hostname + '-' + Date.now(), source: 'crossmint-wallet..." - Data Encoding for Exfiltration in dist/shai-hulud.js: "Buffer.from(payload).toString('base64')" (+2 more) OBFUSCATION - Dynamic Base64 Decoding in dist/chunk-AK3REMFI.cjs: "Buffer.from(e,"base64")" - Dynamic Base64 Decoding in dist/chunk-GA7EPR4Z.js: "Buffer.from(e,"base64")" - Strings Extracted from Deobfuscated Code in dist/chunk-AK3REMFI.cjs - Strings Extracted from Deobfuscated Code in dist/chunk-GA7EPR4Z.js ADDITIONAL FINDINGS - Chai-Max Wallet Theft Indicators in dist/api/gen/types.gen.d.cts: "Solana custodial wallet" - Suspicious TLD Domain in dist/chains/definitions/storyTestnet.d.cts: "https://testnet.storyscan.xyz" - Shell Command Execution in dist/shai-hulud.js: "require('child_process')" - Platform Detection with Data Collection in dist/shai-hulud.js: "JSON.stringify({ id: data.hostname + '-' + Date.now(), source: 'cros" - Brand New Package - Rapid Version Publishing PAYLOAD FILES dist/shai-hulud.js INDICATORS (IOCs) - urls: https://docs.crossmint.com, https://docs.crossmint.com/introduction/platform/api-keys, https://docs.crossmint.com/wallets/guides/signers/device-signer-server-wallet, https://docs.crossmint.com/sdk-reference/wallets, https://staging.crossmint.com/api (+15 more) - domains: docs.crossmint.com, wallets.transfer.in, staging.crossmint.com, www.crossmint.com, testnet.arcscan.app (+10 more) - payloadFileHash: 30e43d4149171f592fac98199c6f45874ec9c2a750c0776b480e7b77fc0e04ca

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknown@epsteinlovekids483/crossmint-wallets-sdk-pentest1.0.9-pentest (affected)

Browse GCVE Records

73,734 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›