{ "Event": { "analysis": "1", "date": "2026-05-03", "extends_uuid": "", "info": "[Threat Intel] PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers", "protected": false, "publish_timestamp": "1779546243", "published": true, "threat_level_id": "2", "timestamp": "1779546243", "uuid": "2e7cfd57-31f9-4a8b-8a79-5b1beecc02b0", "Orgc": { "name": "Rectifyq", "uuid": "cd9bd516-61fa-476b-980f-2f8de03992d4" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:clear", "relationship_type": "" }, { "colour": "#004646", "local": false, "name": "type:OSINT", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"none-from-src\"", "relationship_type": "" }, { "colour": "#b94b1d", "local": false, "name": "rectifyq:mitre-att&ck=\"from-OTX\"", "relationship_type": "" }, { "colour": "#e7d48a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Owner/User Discovery - T1033\"", "relationship_type": "" }, { "colour": "#d3f567", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"JavaScript - T1059.007\"", "relationship_type": "" }, { "colour": "#7da4ad", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Match Legitimate Resource Name or Location - T1036.005\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Local Account - T1087.001\"", "relationship_type": "" }, { "colour": "#2c1d2e", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Checks - T1497.001\"", "relationship_type": "" }, { "colour": "#256f6a", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"DLL - T1574.001\"", "relationship_type": "" }, { "colour": "#7d7034", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Information Discovery - T1082\"", "relationship_type": "" }, { "colour": "#a92e1c", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Deobfuscate/Decode Files or Information - T1140\"", "relationship_type": "" }, { "colour": "#e7d11f", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Private Keys - T1552.004\"", "relationship_type": "" }, { "colour": "#9f6bd9", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"System Network Configuration Discovery - T1016\"", "relationship_type": "" }, { "colour": "#0c0051", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"File and Directory Discovery - T1083\"", "relationship_type": "" }, { "colour": "#f95f85", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Credentials In Files - T1552.001\"", "relationship_type": "" }, { "colour": "#e43954", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Disable or Modify Tools - T1562.001\"", "relationship_type": "" }, { "colour": "#4a87cb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Malicious Image - T1204.003\"", "relationship_type": "" }, { "colour": "#e08bb2", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Obfuscated Files or Information - T1027\"", "relationship_type": "" }, { "colour": "#d596aa", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Compromise Software Supply Chain - T1195.002\"", "relationship_type": "" }, { "colour": "#0088cc", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Exfiltration to Cloud Storage - T1567.002\"", "relationship_type": "" }, { "colour": "#92e858", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Web Protocols - T1071.001\"", "relationship_type": "" }, { "colour": "#a0cbec", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Systemd Service - T1543.002\"", "relationship_type": "" }, { "colour": "#4c0fbb", "local": false, "name": "misp-galaxy:mitre-attack-pattern=\"Ingress Tool Transfer - T1105\"", "relationship_type": "" }, { "colour": "#49a260", "local": false, "name": "rectifyq:category=\"threat\"", "relationship_type": "" }, { "colour": "#130049", "local": false, "name": "rectifyq:sub-category=\"campaign-analysis\"", "relationship_type": "" }, { "colour": "#18005e", "local": false, "name": "rectifyq:topic=\"supply-chain\"", "relationship_type": "" }, { "colour": "#1a0063", "local": false, "name": "rectifyq:topic=\"web3\"", "relationship_type": "" }, { "colour": "#ffd12e", "local": false, "name": "rectifyq:target=\"broad-based\"", "relationship_type": "" }, { "colour": "#55acee", "local": false, "name": "rectifyq:MY-relevancy=\"potentially-relevant\"", "relationship_type": "" }, { "colour": "#1a0065", "local": false, "name": "rectifyq:topic=\"crypto-related\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#3800d9", "local": false, "name": "rectifyq:action-taken=\"VT-comment\"", "relationship_type": "" }, { "colour": "#3d00e9", "local": false, "name": "rectifyq:action-taken=\"telegram\"", "relationship_type": "" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777950007", "to_ids": false, "type": "link", "uuid": "2ebdf05f-7e2d-432f-a33d-35358edb4766", "value": "https://www.mend.io/blog/phantomraven-wave-5-new-undocumented-npm-supply-chain-campaign-targets-defi-cloud-and-ai-developers/" }, { "category": "Other", "comment": "Description", "deleted": false, "disable_correlation": false, "timestamp": "1777950007", "to_ids": false, "type": "text", "uuid": "786ce565-7d36-4c0d-936f-bb331f464ed1", "value": "A fifth wave of the PhantomRaven NPM supply chain attack campaign has been discovered, utilizing 33 new malicious packages and fresh command-and-control infrastructure registered on March 10, 2026. The operation employs a sophisticated three-stage payload delivery mechanism using Remote Dynamic Dependency techniques to bypass static analysis. Malicious packages self-reference dependencies pointing to attacker-controlled servers at pack[.]nppacks[.]com, which deliver droppers that harvest developer credentials, system information, CI/CD tokens, GitHub repository names, and email addresses from Git configurations, NPM settings, and environment variables. The campaign specifically targets DeFi cryptocurrency developers, cloud infrastructure engineers working with Azure CDK, and AI application developers. All collected data is exfiltrated via POST requests to mozbra.php on the C2 server. Infrastructure analysis reveals connections to a legitimate Pakistani IT services company domain, suggesting potential accou..." }, { "category": "Other", "comment": "Summary", "deleted": false, "disable_correlation": false, "timestamp": "1777950007", "to_ids": false, "type": "text", "uuid": "151129e1-5abf-40d9-bc95-0872d07102ec", "value": "Name: PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers\nAuthor: AlienVault\nAdversary: PhantomRaven\nTags: [\"remote-dynamic-dependency\", \"phantomraven\", \"supply-chain\", \"azure\"]\nTgtd countries: []\nMlwr families: []\nAttack_ids: [\"T1033\", \"T1059.007\", \"T1036.005\", \"T1087.001\", \"T1497.001\", \"T1574.001\", \"T1082\", \"T1140\", \"T1552.004\", \"T1016\", \"T1083\", \"T1552.001\", \"T1562.001\", \"T1204.003\", \"T1027\", \"T1195.002\", \"T1567.002\", \"T1071.001\", \"T1543.002\", \"T1105\"]\nIndustries: [\"Finance\", \"Technology\"]" }, { "category": "Attribution", "comment": "Adversary", "deleted": false, "disable_correlation": false, "timestamp": "1777950007", "to_ids": false, "type": "threat-actor", "uuid": "e7f21812-2edf-48b0-8d26-b70732f101cb", "value": "PhantomRaven" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209380", "to_ids": true, "type": "domain", "uuid": "2168076e-03d7-442b-baa5-ad82bd0d27d5", "value": "console.info", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1777950008", "to_ids": false, "type": "vulnerability", "uuid": "b03b5baf-bb06-4f90-9d15-f60e38b64f8d", "value": "CVE-2026-31431" }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209401", "to_ids": true, "type": "hostname", "uuid": "2ea9b92f-8aa5-46d3-b025-6b818f57d79f", "value": "pack.nppacks.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209422", "to_ids": true, "type": "hostname", "uuid": "6da70abf-8d87-48f2-8bbe-e32ba2cb2cfb", "value": "hblnew.ecompk.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546237", "to_ids": true, "type": "md5", "uuid": "c9b6a23d-dc60-41bc-975a-43aeffe7e0e5", "value": "4bdb7aef96dc04c250cceefa222d7d1a", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546239", "to_ids": true, "type": "sha1", "uuid": "d1d30659-ac93-43e1-839e-7070e09299e2", "value": "83088e7cb00cf9fab74df2f64b7021b2deef6610", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546240", "to_ids": true, "type": "sha256", "uuid": "e960e86c-221b-42ad-99f9-b5d3a202dff4", "value": "78937711bbc74542d304c7a7ea451465a2342438116fb37aa715ccf89b027d04", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "No sample in VT\r\nLast check:08/05/2026", "deleted": false, "disable_correlation": false, "timestamp": "1779546243", "to_ids": true, "type": "sha256", "uuid": "7ffd2b52-4977-4fe8-96bf-f1af1dd3f19d", "value": "abe9ee9edfc44f7675400207a826c260b2f197d1f93e36010c35d627983e4294", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209443", "to_ids": true, "type": "url", "uuid": "99455927-cb54-4a63-9baa-3865bac4fcb5", "value": "http://hblnew.ecompk.com/npm/local-rules", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209464", "to_ids": true, "type": "url", "uuid": "6a104308-e901-46b7-916c-069374b03ef2", "value": "http://pack.nppacks.com/mozbra.php", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209486", "to_ids": true, "type": "url", "uuid": "cfdad988-6094-4678-955d-ae5e609c06d7", "value": "http://pack.nppacks.com/npm/", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209507", "to_ids": true, "type": "url", "uuid": "44a8c341-9c50-4124-bd7b-5ce8097127d8", "value": "http://pack.nppacks.com/npm/graphql-js-client-transform", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209528", "to_ids": true, "type": "url", "uuid": "b26908ed-27b2-4574-868d-d5d7fbba7116", "value": "http://pack.nppacks.com/npm/idle-style-xi", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209549", "to_ids": true, "type": "url", "uuid": "e45c6d09-24e8-48d0-a0d3-f8e436aa49eb", "value": "http://pack.nppacks.com/npm/local-rules", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209571", "to_ids": true, "type": "url", "uuid": "0ee3b355-7db7-4008-a8d0-ddb2cddf4a77", "value": "http://pack.nppacks.com/route.js", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209592", "to_ids": true, "type": "url", "uuid": "d564336d-86ea-41f9-a61c-457183996c24", "value": "http://pack.nppacks.com/token.php", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209613", "to_ids": true, "type": "domain", "uuid": "7958f151-34ce-438c-9dc1-6432486c7ce5", "value": "ecompk.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209634", "to_ids": true, "type": "hostname", "uuid": "dcee45ba-a6fa-47a8-b064-2ea1a19329f7", "value": "hblv2.ecompk.com", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209655", "to_ids": true, "type": "hostname", "uuid": "bfb947e7-3c0b-421b-af1f-58d4e2a4050f", "value": "pkg.author.email", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209676", "to_ids": true, "type": "ip-dst", "uuid": "b8d80146-b84e-42fc-b94e-0d9ed3a31dde", "value": "54.160.138.70", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209697", "to_ids": true, "type": "url", "uuid": "b3620863-4bfc-4284-85c0-85fbc62d8b45", "value": "http://pack.nppacks.com/npm/*", "Tag": [ { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" } ] }, { "category": "Network activity", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1778209718", "to_ids": true, "type": "url", "uuid": "d9423646-2b41-4864-9fc0-a53cb40645d3", "value": "pack.nppacks.com/mozbra.php", "Tag": [ { "colour": "#f08989", "local": false, "name": "NotFoundError", "relationship_type": "" } ] } ], "Object": [ { "comment": "", "deleted": false, "description": "File object describing a file with meta-information", "meta-category": "file", "name": "file", "template_uuid": "688c46fb-5edb-40a3-8273-1af7923e2215", "template_version": "25", "timestamp": "1779546235", "uuid": "1cc7bfc8-3d6a-4797-b39e-f3f34e596e9e", "Attribute": [ { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "md5", "timestamp": "1779546234", "to_ids": true, "type": "md5", "uuid": "58491dba-81c2-4470-b11b-80db1eb11a9f", "value": "59ebd4c8f5c936146326c8f841e7cb0e", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#342294", "local": false, "name": "CommentAdded", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha1", "timestamp": "1779546235", "to_ids": true, "type": "sha1", "uuid": "a5e28b85-ff6d-4b58-aaf2-3969aed52f4a", "value": "6cd1d745b56bc1f3fff1a5092418af4b03922460", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "sha256", "timestamp": "1779546235", "to_ids": true, "type": "sha256", "uuid": "bdc0c2f6-0963-4535-9541-0df9303bae23", "value": "0ce9b82d290004031b7cc49d724c00011811e1753a283a93a380a311360cfb66", "Tag": [ { "colour": "#260091", "local": false, "name": "rectifyq:ioc=\"enriched\"", "relationship_type": "" }, { "colour": "#220085", "local": false, "name": "rectifyq:samples-found-in=\"VirusTotal\"", "relationship_type": "" }, { "colour": "#270095", "local": false, "name": "rectifyq:ioc=\"low-detection-by-any-vendor\"", "relationship_type": "" }, { "colour": "#230087", "local": false, "name": "rectifyq:samples-found-in=\"Tria.ge\"", "relationship_type": "" }, { "colour": "#626567", "local": false, "name": "rectifyq:no-samples-in=\"MalwareBazaar\"", "relationship_type": "" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "ssdeep", "timestamp": "1778206192", "to_ids": true, "type": "ssdeep", "uuid": "c6e949c8-88ab-4d24-a3c7-c7ff4245871f", "value": "12:Xo5zJdcz+QmS6iZIxL6Hivt3Z5k8zcLf18n:Xo5zj0+QmSpIJ6H4tpq8E18n" }, { "category": "Other", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "size-in-bytes", "timestamp": "1778206192", "to_ids": false, "type": "size-in-bytes", "uuid": "56bc2445-5230-449b-af1a-c3825148d149", "value": "515" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "object_relation": "vhash", "timestamp": "1778206192", "to_ids": true, "type": "vhash", "uuid": "a1f04ce2-e471-4347-a274-70730e2a17a1", "value": "70387a0588a63b0804a0b7564e62808b" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": true, "object_relation": "filename", "timestamp": "1778206192", "to_ids": true, "type": "filename", "uuid": "6bcf597d-01b5-4f11-88b8-9157a7dff110", "value": "local-rules" }, { "category": "Other", "comment": "Checked: 08/05/2026\nLast-scan\t: 05/05/2026", "deleted": false, "disable_correlation": true, "object_relation": "text", "timestamp": "1778206192", "to_ids": false, "type": "text", "uuid": "2468bc44-6c9e-4bba-ac3c-1a50b32702a0", "value": "Type Description: GZIP\nMicrosoft: None\nVT Total Detection:1/60\nFirst Submission:2026-05-05T09:24:28.000000+00:00\nLast Submission:2026-05-05T16:14:44.000000+00:00" } ] } ] } }