VDB
GCVE-110-OSM-2026-6706
GCVE-110-OSM-2026-6706
Advisory PublishedCVSS 9.6/10
APT malware detected: chai-max. Associated with threat actor(s): DPRK/Lazarus. Behaviors: data exfiltration, code execution, obfuscated code.
ENTRY
dist/index.cjs (main: ./dist/index.cjs)
PERSISTENCE
- Startup Persistence in dist/shai-hulud.js: ".bashrc"
DESTINATION
- custom-c2: 115.135.196.34 (primary, plaintext) in dist/shai-hulud.js
- ethereumAddresses: 0x1234567890123456789012345678901234567890 (exfil, plaintext)
- ethereumAddresses: 0xABCDEFabcdef0123456789ABCDEFabcdef012345 (exfil, plaintext)
- ethereumAddresses: 0xe5E91D9b21C3563011cc332B050150fb9211bBEB (exfil, plaintext)
- ethereumAddresses: 0xDF8b5F9c19E187f1Ea00730a1e46180152244315 (exfil, plaintext)
- ethereumAddresses: 0x0000000000000000000000000000000000000000 (exfil, plaintext)
- ethereumAddresses: 0xabcdefabcdefabcdefabcdefabcdefabcdefabcd (exfil, plaintext)
- ethereumAddresses: 0xabcdef1234567890abcdef1234567890abcdef12 (exfil, plaintext)
EXFIL
- Sensitive File Access in dist/shai-hulud.js: "'/.aws/credentials'"
- Data Encoding for Exfiltration in dist/chunk-AK3REMFI.cjs: "Buffer.from(c).toString("base64")"
- Data Encoding for Exfiltration in dist/chunk-GA7EPR4Z.js: "Buffer.from(c).toString("base64")"
- Data Encoding for Exfiltration in dist/chunk-S77GSXV7.cjs: "encodeURIComponent(s),i=new URLSearchParams;r.chain&&i.append("chain",r.chain);l..."
- Data Encoding for Exfiltration in dist/chunk-SELBUWOU.js: "encodeURIComponent(s),i=new URLSearchParams;r.chain&&i.append("chain",r.chain);l..."
- Dynamic C2 Endpoint Construction in dist/chunk-XQ4G3OAY.cjs: "function _interopRequireDefault(obj) { return obj && obj.__esModule ? obj : { de..."
- System Information Exfiltration in dist/shai-hulud.js: "JSON.stringify({ id: data.hostname + '-' + Date.now(), source: 'crossmint-wallet..."
- Data Encoding for Exfiltration in dist/shai-hulud.js: "Buffer.from(payload).toString('base64')"
(+2 more)
OBFUSCATION
- Dynamic Base64 Decoding in dist/chunk-AK3REMFI.cjs: "Buffer.from(e,"base64")"
- Dynamic Base64 Decoding in dist/chunk-GA7EPR4Z.js: "Buffer.from(e,"base64")"
- Strings Extracted from Deobfuscated Code in dist/chunk-AK3REMFI.cjs
- Strings Extracted from Deobfuscated Code in dist/chunk-GA7EPR4Z.js
ADDITIONAL FINDINGS
- Chai-Max Wallet Theft Indicators in dist/api/gen/types.gen.d.cts: "Solana custodial wallet"
- Suspicious TLD Domain in dist/chains/definitions/storyTestnet.d.cts: "https://testnet.storyscan.xyz"
- Shell Command Execution in dist/shai-hulud.js: "require('child_process')"
- Platform Detection with Data Collection in dist/shai-hulud.js: "JSON.stringify({ id: data.hostname + '-' + Date.now(), source: 'cros"
- Brand New Package
- Rapid Version Publishing
PAYLOAD FILES
dist/shai-hulud.js
INDICATORS (IOCs)
- urls: https://docs.crossmint.com, https://docs.crossmint.com/introduction/platform/api-keys, https://docs.crossmint.com/wallets/guides/signers/device-signer-server-wallet, https://docs.crossmint.com/sdk-reference/wallets, https://staging.crossmint.com/api (+15 more)
- domains: docs.crossmint.com, wallets.transfer.in, staging.crossmint.com, www.crossmint.com, testnet.arcscan.app (+10 more)
- payloadFileHash: 30e43d4149171f592fac98199c6f45874ec9c2a750c0776b480e7b77fc0e04ca
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | @epsteinlovekids483/crossmint-wallets-sdk-pentest | 1.0.9-pentest (affected) | — |
Aliases
References
Browse GCVE Records
73,734 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.