Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Staff Editor 2026-05-18
Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html

Publish Date: 2026-05-18 04:57:00

Source Domain: thehackernews.com

Ravie LakshmananMay 18, 2026Supply Chain Attack / Botnet

Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP.

The list of identified packages is below –

  • chalk-tempalte (825 Downloads)
  • @deadcode09284814/axios-util (284 Downloads)
  • axois-utils (963 Downloads)
  • color-style-utils (934 Downloads)

“One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably inspired as part of the supply chain attack competition that was published in BreachForums not long after,” OX Security’s Moshe Siman Tov Bustan said.

Interestingly, the malicious payloads embedded into the four npm packages are different, despite them being published by the same npm user, “deadcode09284814.” As of writing, the four libraries are still available for download from npm.

An analysis of the packages has revealed that “axois-utils” is designed to deliver a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot, with capabilities to flood a target website using HTTP, TCP, and UDP protocols. It also establishes persistence on both Windows and Linux machines by adding the payload to the Windows Startup folder and creating a scheduled task. 

The remaining three drop a stealer payload on compromised systems. Of the three packages, the “chalk-tempalte” package contains a clone of the Shai-Hulud worm released by TeamPCP.

“The actor took the code, and almost without any change at all — uploaded a working version with its own C2 server and private key into npm,” OX Security said. “The stolen credentials are sent to the remote C2 server — 87e0bbc636999b.lhr[.]life”

In addition, the data is exported to a new GitHub public repository using the stolen GitHub token via the API. The repository is given the description “A Mini Sha1-Hulud has Appeared.”

The other two npm packages,…

Source

More Stories

Diaspo #444: From supercomputers to cybersecurity, Asmae Mhassni’s unconventional path

Diaspo #444: From supercomputers to cybersecurity, Asmae Mhassni’s unconventional path

Staff Editor 2026-06-06
Opal Security Raises Million for AI-Native Identity Governance

Opal Security Raises $23 Million for AI-Native Identity Governance

Staff Editor 2026-06-06
Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI

Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI

Staff Editor 2026-06-06

Terms and Conditions - Privacy Policy