In a nutshell: Four malicious npm packages from the same attacker distribute different malware: a DDoS botnet and infostealers. One package is a direct clone of the recently published Shai-Hulud worm. Users should immediately remove affected packages and reset their security credentials.
Security researchers have discovered four new npm packages containing information stealer malware. One package is a direct clone of the Shai-Hulud worm published by TeamPCP and has already been exploited by cybercriminals to launch attacks.
Cybersecurity experts have identified four new npm packages with malicious software, one of which is a clone of the Shai-Hulud worm recently disclosed by TeamPCP. The affected packages are: chalk-tempalte (825 downloads), @deadcode09284814/axios-util (284 downloads), axois-utils (963 downloads), and color-style-utils (934 downloads).
The “chalk-tempalte” package contains a direct clone of the Shai-Hulud source code. According to OX Security, the attacker used the code with minimal modifications and uploaded a working version with its own command-and-control server to npm. Stolen credentials are transmitted to the server 87e0bbc636999b.lhr[.]life and exported to a new public repository via a stolen GitHub token.
The “axois-utils” package is designed to deploy a Golang-based DDoS botnet called Phantom Bot. It can flood target websites with HTTP, TCP, and UDP traffic and establishes persistence on Windows and Linux systems through entries in the Startup folder and scheduled tasks.
The two other packages, “@deadcode09284814/axios-util” and “color-style-utils,” steal SSH keys, environment variables, cloud credentials, system information, IP addresses, and cryptocurrency wallet data. These are transmitted to the servers “80.200.28[.]28:2222” and “edcf8b03c84634.lhr[.]life”.
All four packages were published by the same npm user “deadcode09284814” but use different malicious mechanisms. Experts warn that the disclosure of the Shai-Hulud code will lead to a wave of supply chain attacks. Users should immediately uninstall the packages, remove all suspicious configurations from IDEs and coding tools, reset their secrets, and block access to suspicious domains.
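The quickest first check for the packages named above is to look for them in the project's lockfile. The following script is an added example, not code from the article or from OX Security: it parses a package-lock.json in either the v1 layout (nested "dependencies") or the v2/v3 layout ("packages" keyed by node_modules path) and reports every occurrence of the four package names. The lockfile contents embedded in it are constructed for the demonstration; the function and constant names are the example's own.

```python
"""Scan an npm lockfile for the four malicious packages named in the article.

Added example: parses package-lock.json (v1 and v2/v3 layouts) and reports any
occurrence of the listed names. The lockfile text below is constructed.
"""
import json
import sys
from typing import Dict, List

# Package names reported in the article. The first and third are typosquats
# of the legitimate chalk-template and axios-utils packages.
MALICIOUS_PACKAGES = {
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils",
}


def _name_from_path(path: str) -> str:
    """Map a v2/v3 key like 'node_modules/a/node_modules/@s/b' to '@s/b'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    return path[idx + len(marker):] if idx != -1 else path


def _walk_v1(deps: Dict[str, dict], found: List[dict]) -> None:
    """Recurse through the nested v1 'dependencies' tree."""
    for name, meta in deps.items():
        if name in MALICIOUS_PACKAGES:
            found.append({"name": name, "version": meta.get("version", "?")})
        _walk_v1(meta.get("dependencies", {}), found)


def find_malicious(lock: dict) -> List[dict]:
    """Return [{name, version}] for every flagged package in a parsed lockfile."""
    found: List[dict] = []
    if "packages" in lock:  # lockfile v2/v3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path == "":
                continue  # the root project entry, not a dependency
            # Aliased installs carry an explicit "name"; otherwise derive it.
            name = meta.get("name") or _name_from_path(path)
            if name in MALICIOUS_PACKAGES:
                found.append({"name": name, "version": meta.get("version", "?")})
    else:  # lockfile v1: nested tree
        _walk_v1(lock.get("dependencies", {}), found)
    return found


def scan_lockfile_text(text: str) -> List[dict]:
    return find_malicious(json.loads(text))


# Constructed v3 lockfile: legitimate chalk-template plus two flagged packages,
# one of them nested under another dependency.
CONSTRUCTED_LOCKFILE_V3 = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/chalk-template": {"version": "1.1.0"},
        "node_modules/axois-utils": {"version": "1.0.2"},
        "node_modules/left-pad/node_modules/@deadcode09284814/axios-util": {
            "version": "0.0.3"
        },
    },
})

# Constructed v1 lockfile: flagged package nested inside another flagged one.
CONSTRUCTED_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "color-style-utils": {
            "version": "2.0.0",
            "dependencies": {"chalk-tempalte": {"version": "1.0.0"}},
        },
        "chalk": {"version": "4.1.2"},
    },
})


if __name__ == "__main__":
    # Usage: python scan_lockfile.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            hits = scan_lockfile_text(fh.read())
    else:
        hits = scan_lockfile_text(CONSTRUCTED_LOCKFILE_V3)
    for hit in hits:
        print(f"FLAGGED {hit['name']}@{hit['version']}")
    sys.exit(1 if hits else 0)
```

Run it against each package-lock.json in a repository (and any yarn.lock or pnpm-lock.yaml with an equivalent parser); a non-zero exit makes it usable as a CI gate. Matching on exact names is deliberate, since the malicious names differ from the legitimate ones by a single transposition and a substring match would flag the real chalk-template and axios-utils.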