Published on May 18, 2026
Four Malicious npm Packages Used to Spread Infostealers and Phantom Bot DDoS Malware
Severity
Medium
Detail
Cybersecurity researchers have identified four newly discovered malicious npm packages used to distribute information-stealing malware, one of which appears to be a direct copy of the Shai-Hulud worm source code that TeamPCP had shared publicly. The affected packages are:
- chalk-tempalte (825 downloads)
- @deadcode09284814/axios-util (284 downloads)
- axois-utils (963 downloads)
- color-style-utils (934 downloads)
According to the analysis, chalk-tempalte contains a near-verbatim clone of the leaked Shai-Hulud code, republished with minimal changes beyond a custom command-and-control server and private key.
How?
The attack operates as a supply chain compromise where malicious code is hidden inside npm packages that appear legitimate. Once installed, the packages execute embedded malicious scripts that either steal sensitive data or deploy botnet functionality. Different packages published under the same npm user were observed to carry different payloads, showing varied attack techniques from a single source.
In some cases, the stolen credentials are transmitted to remote command-and-control servers, while in others, the malware focuses on harvesting system and cloud-related secrets. The reuse of the publicly leaked Shai-Hulud worm code also indicates that the attacker modified and redeployed existing malware with minimal effort, accelerating the attack development process.
Impact
The payload differs by package. axois-utils deploys a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot, capable of launching HTTP, TCP, and UDP traffic floods against targeted systems. It also establishes persistence on infected Windows and Linux hosts, placing payloads in the Windows Startup folder and creating scheduled tasks.
The remaining three packages act as infostealers, harvesting SSH keys, environment variables, cloud credentials, system data, IP addresses, and cryptocurrency wallet information and exfiltrating it to attacker-controlled servers. Stolen GitHub tokens are additionally used to create public repositories containing the exfiltrated data, including one titled “A Mini Sha1-Hulud has Appeared.”

Recommendation
Users and organizations are strongly advised to:
- Immediately uninstall any of the affected packages if installed.
- Review development environments, IDEs, and automation tools (including coding agents) for malicious configurations.
- Rotate all exposed credentials, including SSH keys, cloud secrets, and API tokens.
- Audit GitHub repositories for suspicious entries, especially those containing the phrase “A Mini Sha1-Hulud has Appeared.”
- Block network traffic to known malicious domains and IP addresses associated with the campaign.
- Strengthen npm supply chain security practices, including dependency auditing and version pinning.
Conclusion
This incident highlights the increasing risk of npm supply chain attacks, where attackers leverage open-source ecosystems to distribute infostealers and botnet malware. The reuse of leaked malware code demonstrates how quickly threats can evolve when malicious tools become publicly accessible. Organizations should enhance monitoring, enforce strict dependency controls, and rapidly respond to suspicious package activity to reduce exposure to similar attacks.
Source
https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
