VDB

GCVE-110-OSM-2026-3797

GCVE-110-OSM-2026-3797
Advisory PublishedCVSS 8.8/10
Vulnetix · Advisory published March 10, 2026
Malicious npm package in the PhantomRaven Wave 5 supply-chain campaign, targeting JavaScript developers. Uses a Remote Dynamic Dependency (RDD) self-reference to http://pack.nppacks.com/npm/return-npm to fetch a three-stage payload that silently exfiltrates developer credentials, CI/CD secrets, and public IP to http://pack.nppacks.com/mozbra.php during npm install. === ATTACK CHAIN: PhantomRaven Remote Dynamic Dependency (RDD) === package.json self-references the package as one of its own dependencies, but the dependency URL points to attacker C2 http://pack.nppacks.com/npm/<package-name>. When npm install resolves the dependency tree, npm fetches a Stage 1 tarball from the C2. Stage 1: per-package SHA256 (varies), but every Stage 1 index.js is byte-identical (SHA256 78937711bbc74542d304c7a7ea451465a2342438116fb37aa715ccf89b027d04) and redirects to dropper 'idle-style-xi' (never published to npm). Stage 2 (idle-style-xi v2.0.1): preinstall lifecycle hook fires automatically. Requests a single-use token from http://pack.nppacks.com/token.php (gated on header X-Package-Name: idle-style-xi; any other value returns 403 and the requester IP is blocked). Then fetches personalised payload from http://pack.nppacks.com/route.js?token=<token>, writes it to /tmp/collector-<timestamp>.js, executes via require(), then unlinks the file (anti-forensic). Stage 3 (final payload, collector_payload.js): SHA256: abe9ee9edfc44f7675400207a826c260b2f197d1f93e36010c35d627983e4294 SHA1: 83088e7cb00cf9fab74df2f64b7021b2deef6610 MD5: 4bdb7aef96dc04c250cceefa222d7d1a - Silences console.log/error/warn/info/debug so victim sees nothing during install - Harvests email from $EMAIL, $USER_EMAIL, $GIT_AUTHOR_EMAIL, $GIT_COMMITTER_EMAIL, $npm_config_email, $npm_package_author_email, ~/.gitconfig, ~/.npmrc, package.json author - Collects CI/CD env vars: GITHUB_ACTIONS, GITHUB_ACTOR, GITHUB_REPOSITORY, GITLAB_CI, JENKINS_URL, CIRCLECI, USER, HOME, PATH - Resolves public IP via https://api64.ipify.org - System fingerprint: hostname, OS, arch, local IP, whoami, cwd, node version, argv, execPath - POSTs collected JSON to http://pack.nppacks.com/mozbra.php C2 infrastructure: - pack.nppacks.com (primary, registered 2026-03-10 via Amazon Registrar w/ Identity Protection) - hblnew.ecompk.com (alternate vhost serving identical content; subdomain of legit Karachi IT co. ECOM PK that hosts HBL bank's e-commerce platform; DNS managed via Cloudflare implies authenticated access to ECOM PK Cloudflare account) - 54.160.138.70 (AWS EC2 us-east-1, Ubuntu, Apache 2.4.58) Attribution: 'author':'JPD' field embedded in C2-served tarballs across all five waves (Stage 1 also seen with 'author':'Micro' in Wave 5; Stage 2 dropper carries 'author':'Brandon'). Actor email patterns: jjjpd01-20@outlook.com (early waves), then dharshanjp*@outlook.com and jpddharsh*@outlook.com (suggesting actor name 'Dharshan JP'). Early npm accounts: npmhell, npmpackagejpd. Actor embeds the comment '// This Package use for security testing PoC purpose' for plausible deniability. Mitigation: install with --ignore-scripts; block pack.nppacks.com, hblnew.ecompk.com, and 54.160.138.70 at network perimeter; alert on outbound POST to /mozbra.php. Audit package.json/package-lock.json for any HTTP(S) dependency URLs pointing outside the npm registry.

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownreturn-npmall (affected)

References

vendor

Browse GCVE Records

72,664 records in the GCVE database · Updated July 15, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›