{"id":248366,"date":"2026-05-18T04:57:00","date_gmt":"2026-05-18T08:57:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/18\/four-malicious-npm-packages-deliver-infostealers-and-phantom-bot-ddos-malware\/"},"modified":"2026-05-18T09:20:14","modified_gmt":"2026-05-18T13:20:14","slug":"four-malicious-npm-packages-deliver-infostealers-and-phantom-bot-ddos-malware","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/18\/four-malicious-npm-packages-deliver-infostealers-and-phantom-bot-ddos-malware\/","title":{"rendered":"Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/four-malicious-npm-packages-deliver.html\">Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/four-malicious-npm-packages-deliver.html\">https:\/\/thehackernews.com\/2026\/05\/four-malicious-npm-packages-deliver.html<\/a><\/p>\n<p>Publish Date: 2026-05-18 04:57:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p><span class=\"p-author\"><span class=\"author\">Ravie Lakshmanan<\/span> <span class=\"author\">May 18, 2026<\/span><\/span><span class=\"p-tags\">Supply Chain Attack \/ Botnet<\/span><\/p>\n<p>Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP.<\/p>\n<p>The list of identified packages is below &#8211;<\/p>\n<ul>\n<li>chalk-tempalte (825 Downloads)<\/li>\n<li>@deadcode09284814\/axios-util (284 Downloads)<\/li>\n<li>axois-utils (963 Downloads)<\/li>\n<li>color-style-utils (934 Downloads)<\/li>\n<\/ul>\n<p>&#8220;One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably 
inspired as part of the supply chain attack competition that was published in BreachForums not long after,&#8221; OX Security&#8217;s Moshe Siman Tov Bustan said.<\/p>\n<p>Interestingly, the malicious payloads embedded into the four npm packages are different, despite them being published by the same npm user, &#8220;deadcode09284814.&#8221; As of writing, the four libraries are still available for download from npm.<\/p>\n<p>An analysis of the packages has revealed that &#8220;axois-utils&#8221; is designed to deliver a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot, with capabilities to flood a target website using HTTP, TCP, and UDP protocols. It also establishes persistence on both Windows and Linux machines by adding the payload to the Windows Startup folder and creating a scheduled task.\u00a0<\/p>\n<p>The remaining three drop a stealer payload on compromised systems. Of the three packages, the &#8220;chalk-tempalte&#8221; package contains a clone of the Shai-Hulud worm released by TeamPCP.<\/p>\n<p>&#8220;The actor took the code, and almost without any change at all &#8212; uploaded a working version with its own C2 server and private key into npm,&#8221; OX Security said. &#8220;The stolen credentials are sent to the remote C2 server &#8212; 87e0bbc636999b.lhr[.]life&#8221;<\/p>\n<p><img decoding=\"async\" alt=\"\" border=\"0\" data-original-height=\"740\" data-original-width=\"817\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEip3qQksZXBRKVYJxNA8Iv2QlO-FDFGJutGr9HcM18AMvqrLh49vuj7tZSz4gR9AoDMDMyfE6TpgI_HsxkPDcn7GMIZNDUU6MBxKj8cr9q7HGF-O5pXaXPlkq6XEHPNQJrMJicWzDMshKwAziJisVfv1qHyU6j5Kh6tGspc9cv0JefxeuVNdGf1pgFzPlLy\/s1600\/ox-security.jpg\"\/><\/p>\n<p>In addition, the data is exported to a new GitHub public repository using the stolen GitHub token via the API. 
The repository is given the description &#8220;A Mini Sha1-Hulud has Appeared.&#8221;<\/p>\n<p>The other two npm packages,&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/05\/four-malicious-npm-packages-deliver.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware https:\/\/thehackernews.com\/2026\/05\/four-malicious-npm-packages-deliver.html Publish Date: 2026-05-18&#8230;<\/p>\n","protected":false},"author":1,"featured_media":248367,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhbN7WbW1cUkMzMJl0HPvRrQQUc5MQEE3Pvrc735aG7RGwpguum4POxa4yeQjyYIyiAYBDj_Zl6Ud8esex0AnQSG2J6TVWat57BLALA4WTi3gr5mfrLC2AHloSuvzx6fg9bTxZUvO-aA5VwHjyqbYecAWm2DnM9SRyt0M1GaqYzlBBKdgUR8BXV3xIDVnVN\/s1600\/npm-hacking.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32],"class_list":["post-248366","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/248366"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=248366"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/248366\/revisions"}],"predecessor-version":[{"id":248368,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/248366\/revisions\/248368"}],"wp:featuredmedia":[{"embeddable":true,"href":"
https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/248367"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=248366"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=248366"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=248366"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}