
The Worm Crawls Back into npm

  • Javier Conejo del Cerro
  • 5 days ago
  • 2 min read

The discovery of four malicious npm packages distributing infostealers and DDoS malware highlights how threat actors are increasingly weaponizing the trust developers place in open-source ecosystems. The packages — “chalk-tempalte,” “@deadcode09284814/axios-util,” “axois-utils,” and “color-style-utils” — were all uploaded under the same npm account and disguised as harmless development utilities. Even with relatively low download counts, a single compromised developer workstation can expose CI/CD pipelines, production environments, cloud infrastructure, and privileged organizational credentials.


Phase 1: Typosquatting & Developer Deception


The campaign became especially notable because one of the packages directly cloned the recently leaked Shai-Hulud worm source code released by TeamPCP. Researchers believe the actor rapidly repurposed the publicly available malware to launch a real-world supply chain campaign, demonstrating how leaked offensive tooling is lowering the barrier for future attacks targeting software ecosystems.


Phase 2: Persistence & Payload Deployment


Each package delivered a different malicious payload. The package “axois-utils” deployed Phantom Bot, a Golang-based DDoS malware capable of launching HTTP, TCP, and UDP flood attacks against remote targets. The malware also established persistence mechanisms on both Windows and Linux systems to survive reboots and remain active on compromised hosts.

The remaining packages focused on credential theft and data exfiltration. “chalk-tempalte” embedded a near-identical copy of the Shai-Hulud worm, modified only to communicate with attacker-controlled infrastructure. Once executed, the malware harvested sensitive credentials, exfiltrated the stolen data to remote command-and-control servers, and automatically created public GitHub repositories through the GitHub API with the description “A Mini Sha1-Hulud has Appeared.”

Meanwhile, “@deadcode09284814/axios-util” and “color-style-utils” targeted SSH keys, environment variables, cloud credentials, cryptocurrency wallet data, system information, and public IP addresses, sending the information to attacker-controlled servers.


Phase 3: Supply Chain Escalation


The victims of these attacks are primarily developers and organizations relying heavily on npm and open-source software repositories. Modern developer environments often contain privileged infrastructure access, making software engineers high-value targets for cybercriminal operations focused on lateral movement and cloud compromise.

The campaign also reflects a broader trend across the threat landscape: attackers are increasingly combining typosquatting, open-source malware, automated credential theft, and persistence mechanisms into scalable supply chain operations. The public release of offensive tooling like Shai-Hulud significantly accelerates this process, allowing threat actors to rapidly adapt leaked malware into operational campaigns with minimal modifications.

Researchers warn that this activity may represent only the beginning of a much larger wave of npm supply chain attacks fueled by publicly available malware frameworks and increasingly aggressive threat actors targeting development ecosystems.


Measures to Fend Off the Attack


• Immediately uninstall the malicious npm packages from all environments

• Rotate all GitHub tokens, SSH keys, cloud credentials, and exposed secrets

• Audit developer workstations and CI/CD pipelines for unauthorized activity

• Review IDEs and coding assistants for malicious modifications

• Monitor GitHub repositories for indicators such as “A Mini Sha1-Hulud has Appeared”

• Block communication with identified malicious domains and IP addresses

• Enforce package integrity verification and dependency pinning

• Continuously monitor for typosquatting attempts across npm and open-source repositories
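As an added example (not from the article or its researchers), the following script shows one way to act on the last two measures: it walks a project's package-lock.json, flags the four package names reported above, and reports any remaining dependency whose name is within two edits of a trusted package as a typosquat candidate. The trusted allow-list and the sample lockfile are constructed for this example.

```javascript
// Added example, not from the article: audit an npm package-lock.json for the
// package names the write-up lists and for look-alikes of trusted names.
const MALICIOUS = new Set(["chalk-tempalte", "@deadcode09284814/axios-util",
  "axois-utils", "color-style-utils"]);
// Names the reported typosquats imitate; this allow-list is an assumption.
const TRUSTED = ["chalk-template", "axios-utils", "axios"];

// Optimal-string-alignment distance: insertion, deletion, substitution and
// adjacent transposition each cost 1, so "tempalte" vs "template" is 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Walk the lockfile "packages" map (lockfileVersion 2/3). Exact blocklist hits
// are reported first; other names within two edits of a trusted name are
// flagged as typosquat candidates for a human to review.
function auditLockfile(lock) {
  const findings = [];
  for (const path of Object.keys(lock.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = path.slice(path.lastIndexOf("node_modules/") + 13); // keeps @scope/name
    if (MALICIOUS.has(name)) { findings.push({ name, reason: "known-malicious" }); continue; }
    for (const good of TRUSTED) {
      const dist = editDistance(name, good);
      if (dist > 0 && dist <= 2) findings.push({ name, reason: `lookalike-of:${good}` });
    }
  }
  return findings;
}

// Constructed sample lockfile: one legitimate dependency, two of the reported
// packages, and one hypothetical typo that is on no blocklist.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/axios": { version: "1.7.0" },
  "node_modules/axois-utils": { version: "1.0.2" },
  "node_modules/@deadcode09284814/axios-util": { version: "0.0.3" },
  "node_modules/chalk-templete": { version: "1.0.0" },
} };

function runAudit() { return auditLockfile(SAMPLE_LOCK); }
console.log(runAudit());
```

To audit a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and extend TRUSTED with the packages your organization actually depends on.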



Source: The Hacker News



