VDB
GCVE-110-OSM-2026-5909
GCVE-110-OSM-2026-5909
Advisory PublishedCVSS 9.6/10
This is a supply-chain attack masquerading as the legitimate `amplitude-experiment` package. The outer package's `package.json` specifies an HTTP URL dependency pointing to `https://repo.securityctrl.com/amplitude-experiment` — an attacker-controlled domain — bypassing the npm registry entirely and pulling down an unvetted payload. That fetched payload (`[amplitude-experiment] index.js`) runs at install via a `postinstall: node index.js` hook, collects system information (`os.hostname()`), queries an external IP lookup service (`ipify.org`) for victim fingerprinting, and makes outbound HTTPS requests — consistent with an initial-access beacon to the attacker. The decoded IOC `d8jegmee851s47i10mi09cbof5yzky8qa.caller.securityctrl.com` is characteristic of OAST/DNS-callback infrastructure used to confirm successful installations and exfiltrate identifying data. The publisher `sine8z` has already had 6 packages flagged as critical malware (axis-datagrid, framework-zero, integration-amplitude, katal-logger, librastandardlib, npm-extension), establishing this as a prolific threat actor running a coordinated dependency-confusion/typosquatting campaign.
ENTRY
index.js (main: index.js)
- URL-Based Dependency in package.json: ""dependencies": { "amplitude-experiment": "https://repo.securityctrl.com/amplitu..."
- Install Hook Executes Local JS File in [amplitude-experiment] package.json: ""postinstall": "node index.js""
DESTINATION
- urls: https://repo.securityctrl.com/amplitude-experiment (loader, plaintext)
- domains: repo.securityctrl.com (loader, plaintext)
EXFIL
- Network Request in [amplitude-experiment] index.js: "https.request("
- System Information Collection in [amplitude-experiment] index.js: "os.hostname()"
OBFUSCATION
- recovered 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Publisher Has Other Malicious Packages
- Publisher Shows Burner-Account Pattern
- Shell Command Execution in [amplitude-experiment] index.js: "require('child_process')"
PAYLOAD FILES
[amplitude-experiment] index.js
INDICATORS (IOCs)
- domains: d8jegmee851s47i10mi09cbof5yzky8qa.caller.securityctrl.com
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | amplitude-experiment | all (affected) | — |
Browse GCVE Records
73,053 records in the GCVE database · Updated July 16, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.