Plus three other stealers in three other packages, all from the same scumbag
Analysis Summary
# Tool/Technique: Shai-Hulud (& Associated Infostealers)
## Overview
This entry covers a cluster of four malicious npm packages published by a single threat actor. The campaign uses a clone of the "Shai-Hulud" worm alongside three other distinct infostealers and a DDoS botnet. Its primary purpose is a supply-chain attack on developers, exfiltrating credentials, cloud configurations, and cryptocurrency assets.
## Technical Details
- **Type:** Malware Family / Infostealer / Worm / DDoS Botnet
- **Platform:** Cross-platform (Node.js environments, Linux, macOS, Windows)
- **Capabilities:** Credential theft, worm-like propagation via GitHub, cloud metadata exfiltration, crypto-wallet hijacking, and DDoS capabilities.
- **First Seen:** May 2026 (Reported by Ox Security)
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
  - [T1195.002 - Supply Chain Compromise: Compromised Software Dependencies]
- **[TA0003 - Persistence]**
  - [T1547 - Boot or Logon Autostart Execution] (persistence mechanisms in the "phantom bot")
- **[TA0007 - Discovery]**
  - [T1613 - Cloud Storage Object Discovery]
  - [T1046 - Network Service Scanning]
- **[TA0009 - Collection]**
  - [T1555 - Credentials from Web Browsers]
  - [T1552.004 - Unsecured Credentials: Private Keys]
- **[TA0010 - Exfiltration]**
  - [T1567 - Exfiltration Over Web Service]
- **[TA0040 - Impact]**
  - [T1498 - Network Denial of Service]
## Functionality
### Core Capabilities
- **Information Exfiltration:** Steals SSH keys, environment variables (`.env` files), cloud configurations (AWS/Azure/GCP), and IP geolocation data.
- **Credential Harvesting:** Targets system secrets, browser-stored credentials, and account tokens.
- **Crypto-Theft:** Specifically scans for and exfiltrates cryptocurrency wallet files.
- **GitHub Worm (Shai-Hulud):** Spreads by creating new GitHub repositories to host stolen data and further propagate malicious code.
### Advanced Features
- **Phantom Bot (DDoS):** A Go-based component within the `axois-utils` package designed to flood targets with HTTP, TCP, UDP, and Reset requests.
- **Reverse Proxy C2:** Uses the `lhr.life` service to tunnel C2 traffic from an internal network (likely the attacker’s home setup) to the internet.
- **Persistence:** Persistence mechanisms that keep the malware active even after the original npm package is uninstalled.
## Indicators of Compromise
- **Package Names:**
  - `chalk-tempalte` (npm package)
  - `@deadcode09284814/axios-util` (npm package)
  - `axois-utils` (npm package)
  - `color-style-utils` (npm package)
- **Network Indicators (Defanged):**
  - `87e0bbc636999b[.]lhr[.]life` (C2 for the Shai-Hulud clone)
  - `edcf8b03c84634[.]lhr[.]life` (C2 for `color-style-utils`)
  - `80[.]200[.]28[.]28:2222` (exfiltration endpoint for `axios-util`)
- **Behavioral Indicators:**
  - Unauthorized creation of GitHub repositories.
  - Presence of the string "A Mini Sha1-Hulud has Appeared" in GitHub repos or logs.
  - Unusual outbound traffic to `lhr.life` subdomains.
  - Modification of IDE settings or coding-agent (e.g., Claude Code) configurations.
## Associated Threat Actors
- **TeamPCP (Affiliated/Copycat):** The campaign mimics the original Shai-Hulud author's work but is attributed to a separate "copycat" actor or group using the same methods, as announced on BreachForums.
## Detection Methods
- **Signature-based:** Search for the specific Go-based "phantom bot" binary signatures and Shai-Hulud source code strings.
- **Behavioral:** Monitor for npm install scripts (`postinstall`) that initiate network connections to non-standard domains or reverse proxy services.
- **YARA:**
  - Rule targeting the string `"A Mini Sha1-Hulud has Appeared"`.
  - Rule targeting Node.js exfiltration scripts that look for `.ssh/id_rsa` or `.env`.
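As an added example (not code from the report or from Ox Security), the following Python scanner applies the package-name, string, `lhr.life` and lifecycle-hook indicators above to an installed npm tree. The `{name: (manifest, sources)}` input shape and the two sample packages are constructed for the example; building that mapping from a real `node_modules` directory is left to the caller.

```python
import re

# Indicators taken from the IoC section of this page.
MALICIOUS_PACKAGES = {
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils",
}
MARKER_STRING = "A Mini Sha1-Hulud has Appeared"
# The reverse-proxy C2 hosts are throwaway subdomains of lhr.life.
LHR_LIFE_RE = re.compile(r"\b[a-z0-9-]+\.lhr\.life\b", re.IGNORECASE)
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")
SENSITIVE_PATHS = (".ssh/id_rsa", ".env")

def scan_package(name, manifest, sources):
    """Findings for one package: name is the node_modules directory name,
    manifest the parsed package.json, sources a {path: text} map of its JS files."""
    findings = []
    if name in MALICIOUS_PACKAGES:
        findings.append(f"{name}: package name is on the IoC list")
    for hook in LIFECYCLE_HOOKS:
        cmd = manifest.get("scripts", {}).get(hook)
        if cmd:
            # Lifecycle hooks run arbitrary code at install time; record each one.
            findings.append(f"{name}: {hook} hook runs {cmd!r}")
    for path, text in sources.items():
        if MARKER_STRING in text:
            findings.append(f"{name}: Shai-Hulud marker string in {path}")
        for host in sorted(set(LHR_LIFE_RE.findall(text))):
            findings.append(f"{name}: lhr.life C2 host {host} in {path}")
        for secret in SENSITIVE_PATHS:
            if secret in text:
                findings.append(f"{name}: {path} references {secret}")
    return findings

def scan_tree(tree):
    """Scan a {name: (manifest, sources)} mapping, e.g. built by walking node_modules."""
    return {name: scan_package(name, m, s) for name, (m, s) in tree.items()}

# Constructed sample tree: one benign package, one matching the page's indicators.
SAMPLE_TREE = {
    "left-pad": ({"scripts": {"test": "node test.js"}}, {"index.js": "module.exports = pad;"}),
    "axois-utils": (
        {"scripts": {"postinstall": "node setup.js"}},
        {"setup.js": 'const c2 = "https://87e0bbc636999b.lhr.life"; // then reads ~/.ssh/id_rsa'},
    ),
}
```

Every lifecycle hook is reported, not only suspicious ones, because a reviewer should see each install-time script before deciding it is benign.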
## Mitigation Strategies
- **Prevention:** Use `npm audit` and tools like `socket.dev` to inspect package safety before installation.
- **Hardening:** Implement "Golden Images" for developer environments and restrict outbound network access from build servers to known-good domains.
- **Response:** If infected, uninstall the package, delete cached build artifacts, rotate all SSH keys and Cloud credentials immediately, and audit GitHub account activity.
## Related Tools/Techniques
- **Shai-Hulud:** The original worm this campaign mimics.
- **Typosquatting:** Masquerading as `chalk` and `axios`.
- **Localhost Run (lhr.life):** A legitimate tunnelling service that exposes local services to the internet, abused here to obscure the C2 origin.