
Cybersecurity researchers have discovered four new npm packages containing information-stealing malware. One of them is a clone of the Shai-Hulud worm that was open sourced by TeamPCP.
The list of identified packages is below –
chalk-tempalte (825 downloads)
@deadcode09284814/axios-util (284 downloads)
axois-utils (963 downloads)
color-style-utils (934 downloads)
“One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, likely inspired as part of a supply chain attack contest published on BreachForums shortly thereafter,” said Moshe Siman Tov Bustan of OX Security.
Interestingly, the malicious payloads embedded in the four npm packages are all different, even though they were published by the same npm user, ‘deadcode09284814’. As of this writing, all four libraries are still available for download from npm.
Analysis of the packages revealed that ‘axois-utils’ is designed to deliver a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot, which can flood target websites over HTTP, TCP, and UDP. It also establishes persistence on both Windows and Linux machines, adding the payload to the Windows startup folder and creating a scheduled task.
The remaining three drop stealer payloads on compromised systems. Of these, ‘chalk-tempalte’ contains a clone of the Shai-Hulud worm released by TeamPCP.
“The attackers took the code with few modifications and uploaded a working version to npm, including their own C2 server and private key,” OX Security said. “Stolen credentials are sent to a remote C2 server — 87e0bbc636999b.lhr[.]life.”

Additionally, the data is exported via the GitHub API to a new public GitHub repository created with the stolen GitHub token. The repository carries the description “A Mini Sha1-Hulud has appeared.”
The other two stealer packages, ‘@deadcode09284814/axios-util’ and ‘color-style-utils’, more directly siphon SSH keys, environment variables, cloud credentials, system information, IP addresses, and cryptocurrency wallet data to 80.200.28[.]28:2222 and edcf8b03c84634.lhr[.]life, respectively.
“The open sourcing of the Shai-Hulud code makes it easier to carry out attacks, giving threat actors even more incentive to engage in supply chain and typosquatting attacks,” OX Security said. “We are currently seeing a single attacker with multiple techniques and information-stealing capabilities spreading malicious code to npm. This is just the first phase of a wave of supply chain attacks to come.”
Users who have downloaded any of the packages should immediately uninstall them, find and remove any malicious configuration added to their IDE or coding agent (such as Claude Code), rotate secrets, check their GitHub accounts for repositories whose description contains the string “A Mini Sha1-Hulud has appeared,” and block network access to the C2 domains and IP address listed above.
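Two of those checks can be run offline. The following is an added example written for this article, not code from OX Security, npm, or the attacker: it scans a parsed package-lock.json for the four package names above and, as a heuristic, for names within two edits of a popular package (the typosquat pattern the report describes), and it filters a list of GitHub repository records for the description marker. The sample lockfile and repository list are constructed, and the list of imitated legitimate packages (chalk-template, color-string, axios-retry) is an assumption; the report does not say which packages the malicious names squat on.

```javascript
// Added example for this article, not code from the OX Security report or npm.
// scanLockfile()   - flag the reported package names in a package-lock.json,
//                    plus names within two edits of a popular package.
// findExfilRepos() - pick out GitHub repos carrying the clone's description marker.

// Package names taken from the report.
const MALICIOUS_PACKAGES = new Set([
  'chalk-tempalte',
  '@deadcode09284814/axios-util',
  'axois-utils',
  'color-style-utils',
]);

// Assumed imitation targets (real npm packages). The report does not say which
// legitimate packages the malicious names squat on, so this list is a guess.
const LEGITIMATE_TARGETS = ['chalk-template', 'color-string', 'axios-retry'];
const TYPOSQUAT_MAX_DISTANCE = 2;

// Marker the report says the clone writes into the exfiltration repository;
// matched case-insensitively because the report spells it two ways.
const EXFIL_MARKER = /a mini sha1-hulud has appeared/i;

// Levenshtein distance: insertions, deletions and substitutions cost 1 each.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const subst = prev[j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1);
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, subst);
    }
    prev = cur;
  }
  return prev[b.length];
}

// The legitimate package a name looks like a typo of, or null. Scoped names are
// compared on the unscoped part ("@x/axios-util" -> "axios-util"). Targets
// shorter than 8 characters are skipped: two edits on a short name matches too much.
function typosquatTarget(name) {
  const base = name.startsWith('@') ? name.slice(name.indexOf('/') + 1) : name;
  for (const target of LEGITIMATE_TARGETS) {
    if (target.length < 8) continue;
    const d = editDistance(base, target);
    if (d > 0 && d <= TYPOSQUAT_MAX_DISTANCE) return target;
  }
  return null;
}

// Lockfile v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; the
// package name is whatever follows the last "node_modules/".
function nameFromLockKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Walk a parsed package-lock.json (v1 "dependencies" or v2/v3 "packages") and
// return one finding per suspicious entry.
function scanLockfile(lockfile) {
  const entries = [];
  if (lockfile.packages) {
    for (const [key, meta] of Object.entries(lockfile.packages)) {
      const name = nameFromLockKey(key);
      if (name) entries.push({ name, version: meta.version });
    }
  } else if (lockfile.dependencies) {
    const walk = (deps) => {
      for (const [name, meta] of Object.entries(deps)) {
        entries.push({ name, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies);
      }
    };
    walk(lockfile.dependencies);
  }
  const findings = [];
  for (const { name, version } of entries) {
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ name, version, reason: 'known-malicious' });
    } else {
      const target = typosquatTarget(name);
      if (target) findings.push({ name, version, reason: 'typosquat-candidate', target });
    }
  }
  return findings;
}

// Repository records shaped like the GitHub API's (only full_name and
// description are used); returns the names of repos carrying the marker.
function findExfilRepos(repos) {
  return repos
    .filter((r) => typeof r.description === 'string' && EXFIL_MARKER.test(r.description))
    .map((r) => r.full_name);
}

// Constructed sample data: a v3 lockfile pulling in three reported packages and
// one unrelated near-miss name, plus a short repository listing.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '0.1.0' },
    'node_modules/chalk-template': { version: '1.1.0' },
    'node_modules/chalk-tempalte': { version: '1.0.0' },
    'node_modules/@deadcode09284814/axios-util': { version: '1.0.2' },
    'node_modules/express/node_modules/axois-utils': { version: '0.0.3' },
    'node_modules/color-string': { version: '1.9.1' },
    'node_modules/colour-string': { version: '0.1.0' },
  },
};
const SAMPLE_REPOS = [
  { full_name: 'victim/dotfiles', description: 'my dotfiles' },
  { full_name: 'victim/zq8k1', description: 'A Mini Sha1-Hulud has appeared.' },
  { full_name: 'victim/notes', description: null },
];

console.log(JSON.stringify(scanLockfile(SAMPLE_LOCKFILE), null, 2));
console.log(findExfilRepos(SAMPLE_REPOS));
```

To run it against a real project, replace SAMPLE_LOCKFILE with `JSON.parse(fs.readFileSync('package-lock.json'))` and feed findExfilRepos the parsed output of `GET /user/repos`. The typosquat heuristic is a triage aid, not a verdict: a hit means a name deserves a look at its publisher and publish date, while a miss says nothing about a package that is malicious under an unremarkable name.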
