
Four Malicious npm packages deliver Infostealers and Phantom Bot DDoS Malware

Ravie Lakshmanan | May 18, 2026 | Supply Chain Attack / Botnet

Cybersecurity researchers have discovered four new malicious npm packages, three of which drop information-stealing malware and one of which delivers a DDoS bot. One of the stealers is a clone of the Shai-Hulud worm whose source code was leaked by TeamPCP.

The four packages are listed below –

  • chalk-tempalte (825 downloads)
  • @deadcode09284814/axios-util (284 downloads)
  • axois-utils (963 downloads)
  • color-style-use (934 downloads)

“One of the packages (chalk-tempalte) contains the Shai-Hulud source code leaked by TeamPCP last week, which may have been inspired by an attack contest published on BreachForums not long ago,” said Moshe Siman Tov Bustan of OX Security.

Interestingly, the malicious payloads embedded in the four npm packages are different, despite all being published by the same npm user, “deadcode09284814.” As of writing, all four libraries are still available for download from npm.

Package analysis revealed that “axois-utils” was designed to deliver a Golang-based distributed denial-of-service (DDoS) bot called Phantom Bot, capable of flooding a target website over HTTP, TCP, and UDP. It also establishes persistence on both Windows and Linux machines; on Windows this is done by copying the payload into the Startup folder and creating a scheduled task.

The remaining three packages are geared toward stealing data from compromised systems. Of these, “chalk-tempalte” contains a clone of the Shai-Hulud worm released by TeamPCP.

“The actor took the code, and with almost no changes — uploaded a working version with its own C2 server and private key to npm,” OX Security said. “Stolen information is sent to a remote C2 server — 87e0bbc636999b.lhr[.]life.”

The stolen data is also pushed to a public GitHub repository using a stolen GitHub API token; that repository is given the description “Mini Sha1-Hulud Appeared.”

The two other npm packages, “@deadcode09284814/axios-util” and “color-style-use,” perform a more straightforward task: they harvest SSH keys, environment variables, cloud credentials, system information, the host's IP address, and cryptocurrency wallet data and exfiltrate them to “80.200.28[.]28:2222” and “edcf8b03c84634.lhr[.]life,” respectively.

“Threat actors are even more motivated to engage in supply chain and typosquatting attacks, as the Shai-Hulud code being open source makes attacks easier to carry out,” OX Security said. “We are now seeing more strategic single actor and infostealer types spreading malicious code to npm, as it is the first stage of the next attack to come.”

Users who downloaded any of the packages are advised to remove them immediately, find and remove malicious configurations planted in IDEs and coding agents like Claude Code, rotate all secrets that were present on the affected machine, check their GitHub accounts for repositories carrying the description “Mini Sha1-Hulud Appeared,” and block network access to the domains and IP address listed above.
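The first two of those steps can be automated. The script below is an added example, not code from the article or from OX Security: it parses an npm lockfile (lockfileVersion 1, 2 or 3) and flags any of the four package names, and it filters a GitHub repository listing (the shape returned by the GitHub REST "List repositories for the authenticated user" endpoint) for the “Mini Sha1-Hulud Appeared” description. The lockfile, the repository list and the version strings in it are constructed sample data, not indicators from the write-up; only the package names, hosts and description string come from the article.

```python
"""Added example: check an npm lockfile and a GitHub repo listing for the
indicators named in the article. Not the article's or OX Security's code.
"""
import json
from typing import Iterable

# Package names called out in the article (npm names are case-sensitive).
MALICIOUS_PACKAGES = {
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-use",
}

# Network indicators quoted in the article, with the [.] defanging removed
# so they can be matched against real logs or egress-filter rules.
MALICIOUS_HOSTS = {
    "87e0bbc636999b.lhr.life",
    "80.200.28.28",
    "edcf8b03c84634.lhr.life",
}

# Description the Shai-Hulud clone gives the repo it creates with the stolen token.
REPO_MARKER = "Mini Sha1-Hulud Appeared"


def _walk_v1(deps: dict, out: dict) -> None:
    """lockfileVersion 1 nests transitive deps under each entry; recurse through them."""
    for name, meta in deps.items():
        out.setdefault(name, meta.get("version", ""))
        _walk_v1(meta.get("dependencies", {}), out)


def installed_packages(lockfile_text: str) -> dict:
    """Return {package name: version} for every package pinned in an npm lockfile."""
    lock = json.loads(lockfile_text)
    found: dict = {}
    # lockfileVersion 2/3: a flat "packages" map keyed by install path.
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        # Nested installs look like "node_modules/a/node_modules/b"; the package
        # name (including any @scope/) is everything after the last "node_modules/".
        name = path.rsplit("node_modules/", 1)[-1]
        found[name] = meta.get("version", "")
    # lockfileVersion 1: a nested "dependencies" tree keyed by package name.
    _walk_v1(lock.get("dependencies", {}), found)
    return found


def find_malicious_packages(lockfile_text: str) -> dict:
    """Subset of installed packages whose names appear in the indicator list."""
    return {n: v for n, v in installed_packages(lockfile_text).items()
            if n in MALICIOUS_PACKAGES}


def suspicious_repos(repos: Iterable[dict]) -> list:
    """full_name of every repository whose description carries the marker string."""
    return [r["full_name"] for r in repos
            if REPO_MARKER in (r.get("description") or "")]


def hosts_in_text(text: str) -> set:
    """Indicator hosts that occur in a blob of text (a DNS log, a proxy log, a script)."""
    return {h for h in MALICIOUS_HOSTS if h in text}


# Constructed sample inputs (versions and repo names are made up for the demo).
SAMPLE_LOCKFILE = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/chalk-tempalte": {"version": "1.0.2"},
        "node_modules/@deadcode09284814/axios-util": {"version": "0.1.0"},
        "node_modules/foo/node_modules/axois-utils": {"version": "2.0.0"},
    },
})

SAMPLE_REPOS = [
    {"full_name": "victim/website", "description": "Company site"},
    {"full_name": "victim/zz-backup", "description": "Mini Sha1-Hulud Appeared"},
    {"full_name": "victim/tools", "description": None},
]

if __name__ == "__main__":
    print("malicious packages:", find_malicious_packages(SAMPLE_LOCKFILE))
    print("suspicious repos:", suspicious_repos(SAMPLE_REPOS))
    print("hosts seen:", hosts_in_text("GET http://87e0bbc636999b.lhr.life/upload"))
```

To use it against a real project, read `package-lock.json` (or `npm-shrinkwrap.json`) from disk and pass its text to `find_malicious_packages`, and feed `suspicious_repos` the JSON from `GET /user/repos` for every GitHub account whose token was present on the affected machine. A clean result from the lockfile is necessary but not sufficient: a package that was installed and later removed may already have run, so the secret rotation step still applies.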
