- Four malicious npm packages discovered distributing information-stealing malware and a DDoS botnet.
- One package contains a clone of the open-source Shai-Hulud worm leaked by TeamPCP.
- Attackers are exfiltrating data like SSH keys, wallet info, and credentials to specific remote servers.
Cybersecurity researchers have uncovered a new supply chain attack involving four malicious npm packages designed to steal information and deploy a distributed denial-of-service (DDoS) botnet. According to OX Security, one package is a direct clone of the “Shai-Hulud” worm source code recently leaked by TeamPCP. The campaign shows how the weaponization of leaked open-source malware accelerates threats in the software ecosystem.
The identified packages, including “chalk-tempalte” and “axois-utils,” were uploaded by the same npm user “deadcode09284814” and remain downloadable. Analysis shows “axois-utils” delivers a Golang-based DDoS botnet called Phantom Bot, establishing persistence on Windows and Linux systems. Meanwhile, the other three packages drop stealer payloads, with “chalk-tempalte” cloning the Shai-Hulud worm to send stolen credentials to a remote server.
Interestingly, the stolen data is also exported to a public GitHub repository via API, described as “A Mini Sha1-Hulud has Appeared.” The other two packages siphon SSH keys, environment variables, cloud credentials, and cryptocurrency wallet data to specific command-and-control servers. OX Security warned that “threat actors are getting even more motivated to conduct supply chain and typo-squatting” as such attacks become easier. Users who downloaded these packages should immediately uninstall them, rotate secrets, and block network access to the suspicious domains mentioned in the reports.
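The remediation advice above starts with finding out whether a project ever pulled in one of these packages. The following script is an added example (not code from OX Security or from this article) that audits an npm `package-lock.json` or `package.json` for the two package names the article gives, and additionally flags lookalike names that sit one edit or transposition away from a popular package, which is how “chalk-tempalte” and “axois-utils” mimic legitimate names. The list of popular packages, the prefix-before-hyphen heuristic, and the sample lockfile are assumptions constructed for the example.

```python
"""Audit an npm manifest/lockfile for known-bad and typosquat-like package names.

Added example, not part of the OX Security report. KNOWN_BAD holds the two names
the article reports; the other two malicious packages are not named on the page.
"""
import json

# Package names reported as malicious in the article.
KNOWN_BAD = {"chalk-tempalte", "axois-utils"}

# Assumption: a small list of popular packages to compare against. In practice,
# build this from your own dependency inventory or a download-count top list.
POPULAR = {"chalk", "chalk-template", "axios", "lodash", "express", "react"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transpositions.

    A single swapped letter pair (e.g. 'tempalte' vs 'template') counts as 1,
    which is the typical shape of a typosquat name.
    """
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def collect_package_names(manifest: dict) -> set:
    """Extract package names from package-lock v2/v3 ('packages' keyed by
    'node_modules/<name>' paths, nested ones included), package-lock v1
    ('dependencies' keyed by name) or package.json ('dependencies'/'devDependencies')."""
    names = set()
    for path in manifest.get("packages", {}):
        if path:  # the empty key is the root project itself
            names.add(path.rsplit("node_modules/", 1)[-1])  # keeps '@scope/name'
    for key in ("dependencies", "devDependencies"):
        names.update(manifest.get(key, {}).keys())
    return names


def audit(manifest: dict, known_bad=KNOWN_BAD, popular=POPULAR, max_distance=1) -> dict:
    """Return known-bad names found plus (name, popular_name) lookalike pairs."""
    names = collect_package_names(manifest)
    lookalikes = set()
    for name in names:
        if name in popular:
            continue
        # Assumption/heuristic: also compare the segment before the first hyphen,
        # so 'axois-utils' is matched against 'axios' even with a suffix attached.
        for candidate in {name, name.split("-", 1)[0]}:
            for pop in popular:
                if 0 < osa_distance(candidate, pop) <= max_distance:
                    lookalikes.add((name, pop))
    return {"known_bad": sorted(names & known_bad), "lookalikes": sorted(lookalikes)}


# Constructed sample lockfile (versions are placeholders, not real releases).
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app"},
    "node_modules/chalk": {"version": "0.0.0"},
    "node_modules/chalk/node_modules/supports-color": {"version": "0.0.0"},
    "node_modules/@types/node": {"version": "0.0.0"},
    "node_modules/axois-utils": {"version": "0.0.0"},
    "node_modules/lodash": {"version": "0.0.0"},
    "node_modules/expres": {"version": "0.0.0"}
  }
}""")

if __name__ == "__main__":
    # Usage: python audit_npm.py  (or point json.load at your own package-lock.json)
    print(json.dumps(audit(SAMPLE_LOCK), indent=2))
```

A hit in `known_bad` is a confirmed install and calls for the article's response: uninstall, rotate every secret the machine could have read (SSH keys, cloud and npm tokens, wallet material), and review outbound connections. A `lookalikes` hit is only a lead: verify the package's publisher and download history before deciding, since near-duplicate names also occur legitimately.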
