Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
#Regulation

Security Reporter
4 min read

Security researchers uncovered four npm packages published by the same user that drop credential‑stealers and a Golang DDoS botnet. One package is a near‑exact copy of the open‑source Shai‑Hulud worm, while the others exfiltrate SSH keys, cloud tokens and crypto wallets. The packages remain on npm, prompting immediate remediation steps for developers.

What happened?

Security researchers at OX Security identified four npm libraries that contain malicious payloads. All four were uploaded by the same npm user, deadcode09284814, and together they represent a coordinated supply‑chain attack targeting JavaScript developers.

Package                        Downloads (last 30 days)   Primary payload
chalk-tempalte                 825                        Clone of the Shai‑Hulud worm (infostealer)
@deadcode09284814/axios-util   284                        SSH keys, env vars, cloud credentials exfiltration
axois-utils                    963                        Golang‑based DDoS botnet – Phantom Bot
color-style-utils              934                        Similar stealer targeting crypto wallets

The libraries are still publicly available on npm, meaning any developer who has installed them, or installs them now, may be compromised.


Expert context

Moshe Siman‑Tov Bustan, lead researcher at OX Security, explained that the attacker reused the Shai‑Hulud source code that was leaked by the hacking group TeamPCP just weeks earlier. “The actor took the code, and almost without any change at all — uploaded a working version with its own C2 server and private key into npm,” he said.

The malicious C2 endpoints observed in the wild are:

  • 87e0bbc636999b.lhr.life – receives stolen credentials from the Shai‑Hulud clone.
  • 80.200.28.28:2222 – receives SSH keys, cloud tokens and other secrets from axios-util and color-style-utils.
  • edcf8b03c84634.lhr.life – another endpoint used by the same stealer packages.

The DDoS component, Phantom Bot, is a Golang binary that can flood a target using HTTP, TCP and UDP. It achieves persistence on Windows by copying itself to the Startup folder and creating a scheduled task; on Linux it installs a systemd service.

“Threat actors are getting even more motivated to conduct supply‑chain and typo‑squatting attacks now that the Shai‑Hulud code is open source,” OX Security noted. “We’re now seeing a single actor with multiple techniques and infostealer types spreading malicious code onto npm, as it’s just the first phase of an upcoming wave of supply‑chain attacks.”


Why it matters

npm is a core component of modern JavaScript development pipelines. A compromised package can silently exfiltrate credentials from developers’ machines, inject malicious code into production builds, or turn a developer’s workstation into a botnet node. The impact spans:

  • Credential theft – SSH keys, AWS/GCP/Azure tokens, environment variables, and cryptocurrency wallets are sent to attacker‑controlled servers.
  • Infrastructure abuse – The Phantom Bot can be leveraged to launch large‑scale DDoS attacks, potentially implicating compromised developers in illegal activity.
  • Supply‑chain risk – Once a malicious package is published, any downstream project that depends on it inherits the payload, amplifying the attack surface.

Practical advice for developers and security teams

  1. Audit recent npm installs – Check your package-lock.json or yarn.lock for any of the four package names. If found, remove them immediately and run a clean install.
  2. Search for the malicious C2 strings – Grep your codebase and IDE configuration for 87e0bbc636999b.lhr.life, 80.200.28.28:2222 or edcf8b03c84634.lhr.life. Delete any matching lines.
  3. Rotate all secrets – Assume any credential that existed on a compromised host is now exposed. Regenerate SSH keys, cloud access keys, API tokens, and update any stored passwords.
  4. Inspect GitHub activity – The attacker creates a public repo titled "A Mini Sha1‑Hulud has Appeared" using stolen GitHub tokens. Search your organization’s repositories for that exact phrase and delete any rogue repos.
  5. Block network traffic – Add firewall rules to deny outbound connections to the identified C2 domains and IPs. This stops exfiltration and botnet callbacks.
  6. Enable npm package signing – Consider using npm’s package‑signing feature to verify the integrity of future dependencies.
  7. Adopt a Software Bill of Materials (SBOM) – Tools like Syft or GitHub’s Dependency Graph can surface unexpected dependencies early in the CI/CD pipeline.
  8. Monitor for unusual process activity – On Windows, watch for new entries in the Startup folder or scheduled tasks that point to unknown executables. On Linux, look for unexpected systemd services.
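To make steps 1 and 2 repeatable, here is an added example (not code from the article or from OX Security) that scans a parsed package-lock.json for the four package names in the table above and scans arbitrary text for the three listed C2 strings; it handles both the nested lockfileVersion 1 layout and the flat v2/v3 "packages" layout, and the sample lockfile at the end is constructed for the demo.

```javascript
// Added example, not code from the article or from OX Security: scan an npm
// lockfile for the four package names listed above and scan text for the
// three reported C2 indicators. Handles lockfileVersion 1 (nested
// "dependencies") and 2/3 (flat "packages" keyed by node_modules path).
const MALICIOUS_PACKAGES = new Set([
  "chalk-tempalte", "@deadcode09284814/axios-util",
  "axois-utils", "color-style-utils",
]);
const C2_INDICATORS = [
  "87e0bbc636999b.lhr.life", "80.200.28.28:2222", "edcf8b03c84634.lhr.life",
];

// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar" (scope kept).
function packageNameFromPath(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? key : key.slice(i + "node_modules/".length);
}

// Returns [{ name, version }] for every flagged package, deduplicated and
// sorted by name; an empty array means the lockfile is clean.
function findMaliciousPackages(lock) {
  const hits = new Map();
  const record = (name, meta) => {
    if (MALICIOUS_PACKAGES.has(name)) {
      hits.set(`${name}@${meta.version}`, { name, version: meta.version });
    }
  };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key !== "") record(packageNameFromPath(key), meta); // "" = root project
  }
  const walk = (deps) => { // v1 nests transitive dependencies
    for (const [name, meta] of Object.entries(deps)) {
      record(name, meta);
      if (meta.dependencies) walk(meta.dependencies);
    }
  };
  walk(lock.dependencies || {});
  return [...hits.values()].sort((a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0));
}

// Returns the subset of C2 indicators that appear verbatim in `text`.
function findC2Indicators(text) {
  return C2_INDICATORS.filter((ioc) => text.includes(ioc));
}

// Constructed sample lockfile (not a real project) to exercise the scanner.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3, packages: {
  "": { name: "demo-app" }, "node_modules/chalk": { version: "5.3.0" },
  "node_modules/chalk-tempalte": { version: "1.0.2" } } });
console.log(findMaliciousPackages(JSON.parse(SAMPLE_LOCK))); // [{ name: "chalk-tempalte", version: "1.0.2" }]
```

Feed it the JSON of a real package-lock.json and the contents of source or IDE config files; a non-empty result from either function is a signal to follow the rotation and cleanup steps above.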

What to do if you’ve already been infected

  • Run a full anti‑malware scan with a tool that can detect Go binaries (e.g., Malwarebytes).
  • Delete the malicious binaries from the Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup) and remove any scheduled tasks created under Task Scheduler.
  • Re‑clone any affected repositories after revoking compromised credentials and verifying the integrity of the source code.

Looking ahead

The rapid reuse of open‑source malware like Shai‑Hulud signals a shift toward low‑effort, high‑impact supply‑chain attacks. Organizations should treat every third‑party package as a potential attack vector and enforce strict verification processes.

For ongoing coverage of npm supply‑chain threats, follow OX Security’s blog and consider subscribing to npm’s security mailing list.


Stay vigilant, keep your dependencies clean, and rotate secrets often.
