Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

The Hacker News by The Hacker News
May 18, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananMay 18, 2026Supply Chain Attack / Botnet

Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP.

The list of identified packages is below –

  • chalk-tempalte (825 Downloads)
  • @deadcode09284814/axios-util (284 Downloads)
  • axois-utils (963 Downloads)
  • color-style-utils (934 Downloads)

“One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably inspired as part of the supply chain attack competition that was published in BreachForums not long after,” OX Security’s Moshe Siman Tov Bustan said.

Interestingly, the malicious payloads embedded into the four npm packages are different, despite them being published by the same npm user, “deadcode09284814.” As of writing, the four libraries are still available for download from npm.

An analysis of the packages has revealed that “axois-utils” is designed to deliver a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot, with capabilities to flood a target website using HTTP, TCP, and UDP protocols. It also establishes persistence on both Windows and Linux machines by adding the payload to the Windows Startup folder and creating a scheduled task. 

The remaining three drop a stealer payload on compromised systems. Of the three packages, the “chalk-tempalte” package contains a clone of the Shai-Hulud worm released by TeamPCP.

“The actor took the code, and almost without any change at all — uploaded a working version with its own C2 server and private key into npm,” OX Security said. “The stolen credentials are sent to the remote C2 server — 87e0bbc636999b.lhr[.]life”

In addition, the data is exported to a new GitHub public repository using the stolen GitHub token via the API. The repository is given the description “A Mini Sha1-Hulud has Appeared.”

The other two npm packages, “@deadcode09284814/axios-util” and “color-style-utils,” carry a more straightforward functionality that siphons SSH keys, environment variables, cloud credentials, system information, IP address, and cryptocurrency wallet data to “80.200.28[.]28:2222” and “edcf8b03c84634.lhr[.]life,” respectively.

“Threat actors are getting even more motivated to conduct supply chain and typo-squatting, as attacks become easier to perform with the Shai-Hulud code becoming open source,” OX Security said.  “We’re now seeing a single actor with multiple techniques and infostealer types spreading malicious code onto npm, as it’s just the first phase of an upcoming wave of supply chain attacks coming.”

Users who have downloaded the packages are uninstall them immediately, find and delete malicious configuration from IDEs and coding agents like Claude Code, rotate secrets, check for GitHub repositories containing the string “A Mini Sha1-Hulud has Appeared,” and block network access to suspicious domains.



Source link

The Hacker News

The Hacker News

Next Post
Baidu Announces First Quarter 2026 Results

Baidu Announces First Quarter 2026 Results

Recommended.

NetActuate Achieves 2025 SOC 1 and SOC 2 Type II Compliance, Advancing Global Security and Compliance Leadership

NetActuate Achieves 2025 SOC 1 and SOC 2 Type II Compliance, Advancing Global Security and Compliance Leadership

May 2, 2025
NORDEN reports net profit of USD 33 million (DKK 234 million) in Q1 2025

NORDEN reports net profit of USD 33 million (DKK 234 million) in Q1 2025

May 1, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026
AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

AT&T Vs. Verizon: How The Country’s Biggest Carriers Fared In Q4 2025

January 30, 2026
Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

Anthropic’s 5 Huge Hires From OpenAI, Google, Microsoft And xAI In 2026

July 7, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio