VDB

GCVE-110-OSM-2026-7075

GCVE-110-OSM-2026-7075
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published July 1, 2026
The package's `check_validator` function in `dist/index.js` POSTs user-supplied data base64-encoded to `https://crypto.depayhub.net/solana/validator` — an attacker-controlled C2 endpoint authored under the same `depayhub.net` domain as the package author. The exfiltrated payload includes `content: Buffer.from(e, 'utf-8').toString('base64')` and an `apiKey`, consistent with credential/key exfiltration targeting Solana wallet data. The publisher `stevewilliam` has a 100% malicious ratio across all checked packages (`solana-validator` rated critical, `xrpl-wallet` rated medium), making this a deliberate campaign rather than a mistake. The package also depends on a flagged version of `@solana/web3.js`, compounding the supply-chain risk. The attacker model is clear: masquerade as a Solana RPC utility, intercept API keys and wallet content submitted to the `validate()` function, and exfiltrate them to the attacker's server. ENTRY dist/index.js (main: index.js) DESTINATION - reconstructed: https://crypto.depayhub.net/solana/validator (primary, reconstructed) in dist/index.js - custom-c2: crypto.depayhub.net (reconstructed) in dist/index.js - custom-c2: https://crypto.depayhub.net/solana/validator` (plaintext) in index.js EXFIL - Data Encoding for Exfiltration in dist/index.js: "Buffer.from(e,"utf-8").toString("base64")" - Data Encoding for Exfiltration in index.js: "Buffer.from(str, 'utf-8').toString('base64')" - Network Request in dist/index.js: "fetch("https:" OBFUSCATION - recovered 1 urls, 1 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Reconstructed Obfuscated URL in index.js: "https://crypto.depayhub.net/solana/validator" - Platform Detection with Data Collection in dist/index.js: "JSON.stringify({action:"validator",content:Buffer.from(e,"utf-8").toS" - Publisher Has Other Malicious Packages - Malicious Dependency Detected in package.json PAYLOAD FILES index.js (+ dist/index.js) INDICATORS (IOCs) - urls: https://l.anza.xyz/s/js-sdk-repo, https://solana.com/docs/rpc, https://solanacookbook.com/, https://reactnative.dev/blog/2022/07/08/hermes-as-the-default - domains: l.anza.xyz, solana.com, solanacookbook.com, solana-labs.github.io, reactnative.dev - payloadFileHash: e61801ec08048dbc9bc398e5e4ec4cb92daf04f98cc6147ef5266e1de02821c8

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownsolana-validator.jsall (affected)

References

vendor

Browse GCVE Records

73,685 records in the GCVE database · Updated July 18, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›