Full Report
Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP. The identified packages are:

- chalk-tempalte (825 downloads)
- @deadcode09284814/axios-util (284 downloads)
- axois-utils (963 downloads)
- color-style-utils (934 downloads)

"One of the packages (chalk-tempalte)
Analysis Summary
# Tool/Technique: Malicious npm Software Supply Chain Attack (Shai-Hulud & Phantom Bot)
## Overview
A series of malicious npm packages published under the npm account "deadcode09284814" and designed to compromise developer environments. Three of the names are typo-squats of popular packages (a single transposed letter pair, as in "axois" for "axios" and "tempalte" for "template"); the fourth is a look-alike name published under the attacker's own scope. The campaign delivers two distinct payloads: a clone of the Shai-Hulud worm (infostealer) and the Golang-based Phantom Bot (DDoS botnet).
## Technical Details
- **Type:** Malware Family (Infostealers and Botnets)
- **Platform:** Windows, Linux, and Cloud Environments
- **Capabilities:** Information theft (credentials, SSH keys, crypto wallets), persistence, DDoS (HTTP/TCP/UDP), and automated GitHub data exfiltration.
- **First Seen:** May 2026 (based on report timestamp)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]
- **[TA0003 - Persistence]**
- [T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder]
- [T1053.003 - Scheduled Task/Job: Cron] (the Linux persistence described below; T1053.005 covers Windows Scheduled Tasks, which the report does not describe)
- **[TA0006 - Credential Access]**
- [T1552.001 - Unsecured Credentials: Credentials In Files] (environment variables, cloud provider credential files)
- [T1552.004 - Unsecured Credentials: Private Keys] (SSH keys)
- **[TA0009 - Collection]**
- [T1005 - Data from Local System] (system metadata, cryptocurrency wallet files)
- **[TA0010 - Exfiltration]**
- [T1567.001 - Exfiltration Over Web Service: Exfiltration to Code Repository]
- **[TA0040 - Impact]**
- [T1498.001 - Network Denial of Service: Direct Network Flood] (HTTP, TCP and UDP floods by Phantom Bot)
## Functionality
### Core Capabilities
- **Information Theft:** Siphons SSH keys, environment variables, cloud provider credentials, system metadata, and cryptocurrency wallet files.
- **DDoS Attacks:** The Golang-based "Phantom Bot" can initiate flood attacks using HTTP, TCP, and UDP protocols.
- **Worm-like Behavior:** Reuses the Shai-Hulud code to identify GitHub repositories reachable with the stolen credentials and pivot into them.
### Advanced Features
- **Automated Data Export:** Stolen GitHub tokens are used against the GitHub API to create new public repositories that host the exfiltrated data, so the victim's own account becomes the exfiltration channel.
- **Multi-Platform Persistence:** Detects the host OS and either drops the payload into the Windows Startup folder or creates a scheduled job on Linux.
## Indicators of Compromise
- **Package Names (malicious npm packages):**
- `chalk-tempalte`
- `@deadcode09284814/axios-util`
- `axois-utils`
- `color-style-utils`
- **Network Indicators:**
- `87e0bbc636999b.lhr[.]life` (Shai-Hulud C2)
- `80.200.28[.]28` (Infostealer C2)
- `edcf8b03c84634.lhr[.]life` (Infostealer C2)
- **Behavioral Indicators:**
- Presence of GitHub repositories titled "A Mini Sha1-Hulud has Appeared."
- Unexpected outbound traffic on port 2222.
- New scheduled tasks or entries in the Windows Startup folder not created by the administrator.
## Associated Threat Actors
- **TeamPCP:** (Original creators of Shai-Hulud; source code leaked/open-sourced).
- **deadcode09284814:** (The npm identity associated with this specific deployment).
## Detection Methods
- **Signature-based detection:** Match the four package names exactly in `package.json`, `package-lock.json`, `yarn.lock` and `node_modules` across workstations and CI caches. `npm audit` only reports packages that already carry a published advisory, so it is not a substitute for checking the list.
- **Behavioral detection:** Alert when developer tooling (node, npm, IDE agents) connects to any `*.lhr[.]life` hostname (both listed C2 hostnames are subdomains of the localhost.run tunnel service, so a fresh build will most likely use a fresh subdomain) or creates GitHub repositories through the API.
- **Metadata search:** Search GitHub, and in particular the organisation's own accounts, for the exact string "A Mini Sha1-Hulud has Appeared."
## Mitigation Strategies
- **Prevention:** Review what an install would pull in before running it (`npm install --dry-run`), and put a private registry proxy (Artifactory, ProGet) in front of npm that only serves allowlisted packages, so a transposed name never resolves.
- **Hardening:** If any of the listed packages was installed, treat every secret that was present in that environment as compromised and rotate it (SSH keys, cloud IAM tokens, GitHub PATs), move any cryptocurrency wallets, and check the affected GitHub accounts for repositories the stolen tokens created.
- **Monitoring:** Egress-filter developer workstations and CI runners: block outbound connections to non-standard ports such as 2222 and to tunnel services such as `lhr[.]life`, which is more precise than blocking an entire TLD.
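The behavioral and egress rules above (developer tooling reaching `.lhr[.]life` hostnames, outbound port 2222, the listed C2 addresses) as a log triage pass, added here as an example rather than taken from the report. It assumes a tab-separated outbound-connection log with timestamp, process name, destination hostname (`-` when unknown), destination IP and destination port; the six records are constructed, with RFC 5737 documentation addresses for the benign destinations. It matches the two listed hostnames and the listed IP exactly, matches any other subdomain of lhr.life (the localhost.run tunnel domain both hostnames belong to), and flags port 2222 only when the originating process is developer tooling, since an internal ssh on 2222 is routine.

```python
"""Triage outbound-connection records against the network indicators in this
report. Added example, not the report's or a vendor's code: the log layout
(tab-separated timestamp, process, destination host, destination IP, port)
is an assumption and every record below is constructed.
"""
from __future__ import annotations

import ipaddress

# Indicators listed in the report (de-fanged in the text, plain here).
IOC_HOSTS = {"87e0bbc636999b.lhr.life", "edcf8b03c84634.lhr.life"}
IOC_IPS = {ipaddress.ip_address("80.200.28.28")}
IOC_PORTS = {2222}
# Both hostnames are subdomains of lhr.life, the localhost.run tunnel domain.
# A new build of the stealer would most likely get a new subdomain, so any
# connection to the parent domain is worth a look on its own.
TUNNEL_PARENTS = ("lhr.life",)
# Developer tooling that has no business talking to tunnels or port 2222.
DEV_TOOLS = {"node", "npm", "npx", "yarn", "pnpm"}

# Constructed records; benign destinations use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2026-05-02T10:14:03Z\tnode\tregistry.npmjs.org\t192.0.2.10\t443
2026-05-02T10:14:09Z\tnode\t87e0bbc636999b.lhr.life\t198.51.100.7\t443
2026-05-02T10:14:11Z\tnode\t-\t80.200.28.28\t2222
2026-05-02T10:15:40Z\tchrome\tgithub.com\t198.51.100.8\t443
2026-05-02T10:16:02Z\tnode\tabc123def456.lhr.life\t198.51.100.7\t443
2026-05-02T10:16:30Z\tssh\tbuild-host.internal\t10.0.5.7\t2222
"""


def parse(line: str) -> dict | None:
    """Split one record; malformed lines are skipped rather than aborting."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    ts, proc, host, ip, port = parts
    try:
        return {"ts": ts, "process": proc, "host": host,
                "ip": ipaddress.ip_address(ip), "port": int(port)}
    except ValueError:
        return None


def reasons_for(rec: dict) -> list[str]:
    """Every indicator rule the record trips, most specific first."""
    out = []
    host = rec["host"].lower().rstrip(".")
    if host in IOC_HOSTS:
        out.append("ioc-host")
    elif host.endswith(tuple("." + p for p in TUNNEL_PARENTS)):
        out.append("tunnel-domain")
    if rec["ip"] in IOC_IPS:
        out.append("ioc-ip")
    # Port 2222 alone is noisy (alternate ssh ports are common); only the
    # combination with a dev tool as the originating process is flagged.
    if rec["port"] in IOC_PORTS and rec["process"] in DEV_TOOLS:
        out.append(f"dev-tool-port-{rec['port']}")
    return out


def triage(lines) -> list[dict]:
    """Return one alert per record that matches at least one rule."""
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if reasons:
            dest = rec["host"] if rec["host"] != "-" else str(rec["ip"])
            alerts.append({"ts": rec["ts"], "process": rec["process"],
                           "dest": dest, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG.splitlines()):
        print(alert["ts"], alert["process"], alert["dest"], ",".join(alert["reasons"]))
```

Feed real records with `triage(open("outbound.tsv"))` after mapping your log source into the five assumed columns. The ssh record on port 2222 produces nothing, which is the intended behaviour: the port is only meaningful together with a process that should not be opening raw outbound connections at all.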
## Related Tools/Techniques
- **Shai-Hulud Worm:** The source code framework used for the infostealer component.
- **Typo-squatting:** The primary delivery method (e.g., "axois" instead of "axios", "tempalte" instead of "template"), relying on a developer mistyping or copy-pasting a package name.