
Shai-Hulud Malware Abuse in npm Packages

The point: Leaked Shai-Hulud trojans are spreading unmodified via npm packages to steal developer credentials and cryptocurrency wallet data, with one package also featuring DDoS botnet functionality.

The Shai-Hulud trojan leaked a week ago is now being deployed in a new attack wave against the Node Package Manager (npm) registry. Security firm OXsecurity discovered four manipulated packages containing malware code over the weekend.

An attacker using the account deadcode09284814 published four malicious npm packages, namely chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils. Several of these packages contain an unencrypted copy of the Shai-Hulud trojan and are designed to steal developer credentials, secrets, cryptocurrency wallet data, and account information. The package names are typosquats (misspellings of popular libraries such as axios and chalk-template) chosen to catch developers who mistype an install command, with Axios users as the primary target.

The chalk-tempalte package contains a direct clone of the Shai-Hulud malware code attributed to the hacker group TeamPCP. According to OXsecurity, it is an unmodified copy of the source code leaked on GitHub without obfuscation methods — an indication that these attacks do not originate from TeamPCP itself but from copycat attackers who quickly seized on the published code. The malware code exfiltrates data to a command-and-control server at 87e0bbc636999b.lhr.life and retains GitHub publishing functionality to upload stolen login credentials to automatically created public repositories.

The axois-utils package is the most dangerous of the four: in addition to the data-theft functions it carries DDoS capabilities, supporting HTTP, TCP, and UDP floods as well as TCP reset attacks, and its code contains internal references to a "phantom bot".

The four packages were downloaded a combined 2,678 times. Developers who installed any of them should remove the packages immediately and rotate every credential and API key reachable from the affected systems (npm and GitHub tokens, cloud keys, wallet secrets), since the malware exfiltrates them at install time. The Shai-Hulud campaigns, running since September 2025, systematically steal developer data by injecting malware into legitimate projects; the publishing credentials stolen this way are then exposed in public GitHub repositories and used to compromise further packages.

Source: ainews-dev.lumi-systems.io · Published May 18, 2026
Lumi AI News — AI-assisted curation per Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.5.2.