VDB
GCVE-110-OSM-2026-7075
GCVE-110-OSM-2026-7075
Advisory PublishedCVSS 9.6/10
The package's `check_validator` function in `dist/index.js` POSTs user-supplied data base64-encoded to `https://crypto.depayhub.net/solana/validator` — an attacker-controlled C2 endpoint authored under the same `depayhub.net` domain as the package author. The exfiltrated payload includes `content: Buffer.from(e, 'utf-8').toString('base64')` and an `apiKey`, consistent with credential/key exfiltration targeting Solana wallet data. The publisher `stevewilliam` has a 100% malicious ratio across all checked packages (`solana-validator` rated critical, `xrpl-wallet` rated medium), making this a deliberate campaign rather than a mistake. The package also depends on a flagged version of `@solana/web3.js`, compounding the supply-chain risk. The attacker model is clear: masquerade as a Solana RPC utility, intercept API keys and wallet content submitted to the `validate()` function, and exfiltrate them to the attacker's server.
ENTRY
dist/index.js (main: index.js)
DESTINATION
- reconstructed: https://crypto.depayhub.net/solana/validator (primary, reconstructed) in dist/index.js
- custom-c2: crypto.depayhub.net (reconstructed) in dist/index.js
- custom-c2: https://crypto.depayhub.net/solana/validator` (plaintext) in index.js
EXFIL
- Data Encoding for Exfiltration in dist/index.js: "Buffer.from(e,"utf-8").toString("base64")"
- Data Encoding for Exfiltration in index.js: "Buffer.from(str, 'utf-8').toString('base64')"
- Network Request in dist/index.js: "fetch("https:"
OBFUSCATION
- recovered 1 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Reconstructed Obfuscated URL in index.js: "https://crypto.depayhub.net/solana/validator"
- Platform Detection with Data Collection in dist/index.js: "JSON.stringify({action:"validator",content:Buffer.from(e,"utf-8").toS"
- Publisher Has Other Malicious Packages
- Malicious Dependency Detected in package.json
PAYLOAD FILES
index.js (+ dist/index.js)
INDICATORS (IOCs)
- urls: https://l.anza.xyz/s/js-sdk-repo, https://solana.com/docs/rpc, https://solanacookbook.com/, https://reactnative.dev/blog/2022/07/08/hermes-as-the-default
- domains: l.anza.xyz, solana.com, solanacookbook.com, solana-labs.github.io, reactnative.dev
- payloadFileHash: e61801ec08048dbc9bc398e5e4ec4cb92daf04f98cc6147ef5266e1de02821c8
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | solana-validator.js | all (affected) | — |
Browse GCVE Records
73,685 records in the GCVE database · Updated July 18, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.