VDB
GCVE-110-OSM-2026-3797
GCVE-110-OSM-2026-3797
Advisory PublishedCVSS 8.8/10
Malicious npm package in the PhantomRaven Wave 5 supply-chain campaign, targeting JavaScript developers. Uses a Remote Dynamic Dependency (RDD) self-reference to http://pack.nppacks.com/npm/return-npm to fetch a three-stage payload that silently exfiltrates developer credentials, CI/CD secrets, and public IP to http://pack.nppacks.com/mozbra.php during npm install.
=== ATTACK CHAIN: PhantomRaven Remote Dynamic Dependency (RDD) ===
package.json self-references the package as one of its own dependencies, but the dependency URL points to attacker C2 http://pack.nppacks.com/npm/<package-name>. When npm install resolves the dependency tree, npm fetches a Stage 1 tarball from the C2.
Stage 1: per-package SHA256 (varies), but every Stage 1 index.js is byte-identical (SHA256 78937711bbc74542d304c7a7ea451465a2342438116fb37aa715ccf89b027d04) and redirects to dropper 'idle-style-xi' (never published to npm).
Stage 2 (idle-style-xi v2.0.1): preinstall lifecycle hook fires automatically. Requests a single-use token from http://pack.nppacks.com/token.php (gated on header X-Package-Name: idle-style-xi; any other value returns 403 and the requester IP is blocked). Then fetches personalised payload from http://pack.nppacks.com/route.js?token=<token>, writes it to /tmp/collector-<timestamp>.js, executes via require(), then unlinks the file (anti-forensic).
Stage 3 (final payload, collector_payload.js):
SHA256: abe9ee9edfc44f7675400207a826c260b2f197d1f93e36010c35d627983e4294
SHA1: 83088e7cb00cf9fab74df2f64b7021b2deef6610
MD5: 4bdb7aef96dc04c250cceefa222d7d1a
- Silences console.log/error/warn/info/debug so victim sees nothing during install
- Harvests email from $EMAIL, $USER_EMAIL, $GIT_AUTHOR_EMAIL, $GIT_COMMITTER_EMAIL, $npm_config_email, $npm_package_author_email, ~/.gitconfig, ~/.npmrc, package.json author
- Collects CI/CD env vars: GITHUB_ACTIONS, GITHUB_ACTOR, GITHUB_REPOSITORY, GITLAB_CI, JENKINS_URL, CIRCLECI, USER, HOME, PATH
- Resolves public IP via https://api64.ipify.org
- System fingerprint: hostname, OS, arch, local IP, whoami, cwd, node version, argv, execPath
- POSTs collected JSON to http://pack.nppacks.com/mozbra.php
C2 infrastructure:
- pack.nppacks.com (primary, registered 2026-03-10 via Amazon Registrar w/ Identity Protection)
- hblnew.ecompk.com (alternate vhost serving identical content; subdomain of legit Karachi IT co. ECOM PK that hosts HBL bank's e-commerce platform; DNS managed via Cloudflare implies authenticated access to ECOM PK Cloudflare account)
- 54.160.138.70 (AWS EC2 us-east-1, Ubuntu, Apache 2.4.58)
Attribution: 'author':'JPD' field embedded in C2-served tarballs across all five waves (Stage 1 also seen with 'author':'Micro' in Wave 5; Stage 2 dropper carries 'author':'Brandon'). Actor email patterns: jjjpd01-20@outlook.com (early waves), then dharshanjp*@outlook.com and jpddharsh*@outlook.com (suggesting actor name 'Dharshan JP'). Early npm accounts: npmhell, npmpackagejpd. Actor embeds the comment '// This Package use for security testing PoC purpose' for plausible deniability.
Mitigation: install with --ignore-scripts; block pack.nppacks.com, hblnew.ecompk.com, and 54.160.138.70 at network perimeter; alert on outbound POST to /mozbra.php. Audit package.json/package-lock.json for any HTTP(S) dependency URLs pointing outside the npm registry.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
8.8/10
High · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | return-npm | all (affected) | — |
Browse GCVE Records
72,664 records in the GCVE database · Updated July 15, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.