npm and Unknown Developer Organizations: Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets

New npm Supply Chain Attack Targets Developers with Malicious Packages

A recent supply chain attack campaign has been uncovered in the npm ecosystem, with four malicious packages designed to steal sensitive data, including SSH keys, cloud credentials, and cryptocurrency wallets. Discovered by OX Security within the last 24 hours, the attack highlights the risks of typosquatting and the rapid weaponization of leaked malware.

The packages @deadcode09284814/axios-util, axois-utils, chalk-tempalte, and color-style-utils were published under a single npm account and collectively amassed over 2,600 weekly downloads. All versions of these packages contain embedded infostealer functionality, ensuring immediate compromise upon installation.

The most notable package, chalk-tempalte, contains a near-identical clone of the Shai-Hulud malware, which was leaked publicly just days earlier by TeamPCP. The attacker behind this package appears to have copied the source code with minimal modifications, leaving it unobfuscated, a departure from the original developers' approach. The malware exfiltrates stolen data to a command-and-control (C2) server at 87e0bbc636999b.lhr.life and also uploads it to attacker-controlled GitHub repositories.

The other packages demonstrate varying attack strategies:

  • @deadcode09284814/axios-util harvests SSH keys, environment variables, and cloud credentials (AWS, Google Cloud, Azure), sending them to a remote server at 80.200.28.28:2222.
  • axois-utils deploys a "phantom bot" written partially in Go, establishing persistence on infected systems and converting them into DDoS botnet nodes capable of HTTP, TCP, UDP, and reset-based flooding attacks.
  • color-style-utils acts as a simpler infostealer, collecting IP addresses, geolocation data, and cryptocurrency wallet details, transmitting them to edcf8b03c84634.lhr.life.

The campaign likely relies on typosquatting, exploiting slight misspellings of popular packages (e.g., Axios) to trick developers into accidental installations. The lack of obfuscation suggests the attacker prioritized speed over stealth, further indicating opportunistic reuse of leaked malware.

This incident underscores how quickly threat actors can repurpose leaked code, amplifying risks in the software supply chain. Developers are advised to uninstall affected packages, rotate exposed credentials, and scan for persistence mechanisms, including the string "A Mini Sha1-Hulud has Appeared" in repositories.
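The response steps above (identify the reported packages in your dependency tree, then search for the marker string) and the typosquatting pattern described earlier, as a defensive audit script added here; it is not code from the Rankiteo page, gbhackers, or OX Security. It reads a package-lock.json "packages" map (lockfile v2/v3), flags the four names reported in the article, reports dependency names that sit within a small edit distance of a watch-list of popular packages, and checks text for the marker string. The watch-list, the distance threshold of 2, the scope and "-utils" stripping heuristic, and the lockfile and text inputs are assumptions constructed for the example.

```javascript
// Added defensive example; not code from the Rankiteo page, gbhackers, or OX
// Security. Audits a lockfile for the reported package names, for look-alike
// names near a watch-list (typosquatting), and text for the advisory's marker.
// The lockfile, watch-list and text below are constructed for the example.

// Exact-match indicators: the package names reported in the article.
const REPORTED_MALICIOUS = new Set([
  "@deadcode09284814/axios-util",
  "axois-utils",
  "chalk-tempalte",
  "color-style-utils",
]);

// Assumed watch-list of legitimate packages to protect from look-alikes.
// Maintain per project; the contents here are an assumption of this example.
const POPULAR = ["axios", "chalk", "chalk-template", "colors", "lodash"];

// Marker string the advisory says to search repositories for.
const MARKER = "A Mini Sha1-Hulud has Appeared";

// Levenshtein edit distance (insert / delete / substitute), single-row DP.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Package name from a lockfile key such as "node_modules/@scope/name" or
// "node_modules/a/node_modules/b"; the root entry "" yields null.
function nameFromLockKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Heuristic (assumption of this example): strip the scope and a trailing
// "-util"/"-utils" before comparing, so "axois-utils" is measured against
// "axios". Distance <= 2 to a watched name that is not the name itself is
// reported as a look-alike candidate for human review.
function auditLockfile(lock, popular = POPULAR) {
  const findings = [];
  for (const key of Object.keys(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (name === null) continue;
    if (REPORTED_MALICIOUS.has(name)) {
      findings.push({ name, reason: "reported-malicious" });
      continue;
    }
    const base = name.replace(/^@[^/]+\//, "").replace(/-utils?$/, "");
    for (const p of popular) {
      const distance = levenshtein(base, p);
      if (name !== p && distance <= 2) {
        findings.push({ name, reason: "lookalike", of: p, distance });
        break;
      }
    }
  }
  return findings;
}

// Substring check for the marker across any text you collect
// (repository files, CI logs, postinstall output).
function containsMarker(text) {
  return text.includes(MARKER);
}

// Constructed lockfile: three legitimate dependencies, the reported packages
// (one nested under another dependency), and one made-up look-alike
// ("lodahs") that no indicator list names.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/axios": {},
    "node_modules/chalk": {},
    "node_modules/lodash": {},
    "node_modules/chalk-tempalte": {},
    "node_modules/@deadcode09284814/axios-util": {},
    "node_modules/some-dep/node_modules/axois-utils": {},
    "node_modules/lodahs": {},
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

Run it with Node against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The exact-match list catches only what has already been reported; the edit-distance check is what surfaces the next misspelling, at the cost of some false positives that a reviewer then triages.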

Source: https://gbhackers.com/malicious-npm-packages-2/

npm TPRM report: https://www.rankiteo.com/company/npm-inc-

Unknown Developer Organizations TPRM report: https://www.rankiteo.com/company/unknowncyber

{
  "id": "npmunk1779085557",
  "linkid": "npm-inc-, unknowncyber",
  "type": "Cyber Attack",
  "date": "5/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Over 2,600 weekly downloads (potential installations)",
      "industry": "Software Development",
      "location": "Global",
      "name": "npm Developers",
      "type": "Developers/Organizations"
    }
  ],
  "attack_vector": "Malicious npm Packages (Typosquatting)",
  "customer_advisories": "Developers are advised to uninstall the malicious packages and rotate exposed credentials.",
  "data_breach": {
    "data_exfiltration": "Yes (to C2 servers and GitHub repositories)",
    "personally_identifiable_information": "Yes (credentials, IP addresses, geolocation)",
    "sensitivity_of_data": "High (credentials, PII, financial data)",
    "type_of_data_compromised": [
      "SSH keys",
      "Cloud credentials (AWS, Google Cloud, Azure)",
      "Cryptocurrency wallets",
      "Environment variables",
      "IP addresses",
      "Geolocation data"
    ]
  },
  "description": "A recent supply chain attack campaign has been uncovered in the npm ecosystem, with four malicious packages designed to steal sensitive data, including SSH keys, cloud credentials, and cryptocurrency wallets. The packages @deadcode09284814/axios-util, axois-utils, chalk-tempalte, and color-style-utils were published under a single npm account and collectively amassed over 2,600 weekly downloads. The attack highlights the risks of typosquatting and the rapid weaponization of leaked malware.",
  "impact": {
    "brand_reputation_impact": "Risk to developer trust in npm ecosystem",
    "data_compromised": "SSH keys, cloud credentials (AWS, Google Cloud, Azure), cryptocurrency wallets, environment variables, IP addresses, geolocation data",
    "identity_theft_risk": "High (PII and credentials exposed)",
    "operational_impact": "Potential DDoS botnet recruitment, data exfiltration",
    "payment_information_risk": "High (cryptocurrency wallets targeted)",
    "systems_affected": "Developer systems, npm ecosystem"
  },
  "initial_access_broker": {
    "backdoors_established": "Yes (phantom bot persistence)",
    "entry_point": "Typosquatted npm packages",
    "high_value_targets": "Developers, cloud environments"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Threat actors can rapidly repurpose leaked malware, amplifying risks in the software supply chain. Typosquatting remains a significant risk in package ecosystems.",
  "motivation": "Data Theft, Botnet Recruitment, Financial Gain",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced npm package vetting, developer education on typosquatting, monitoring for leaked malware reuse",
    "root_causes": "Typosquatting, rapid weaponization of leaked malware (Shai-Hulud), lack of obfuscation in malicious packages"
  },
  "recommendations": [
    "Uninstall affected packages immediately",
    "Rotate all exposed credentials (SSH keys, cloud credentials)",
    "Scan systems for persistence mechanisms (e.g., 'A Mini Sha1-Hulud has Appeared')",
    "Monitor for unusual network traffic to C2 servers",
    "Educate developers on typosquatting risks"
  ],
  "references": [
    { "source": "OX Security" },
    { "source": "TeamPCP (Shai-Hulud malware leak)" }
  ],
  "response": {
    "communication_strategy": "Advisories to developers to uninstall packages and rotate credentials",
    "containment_measures": "Uninstall affected packages, rotate exposed credentials",
    "remediation_measures": "Scan for persistence mechanisms (e.g., 'A Mini Sha1-Hulud has Appeared')",
    "third_party_assistance": "OX Security (discovery)"
  },
  "stakeholder_advisories": "Developers and organizations using npm packages should review their dependencies for typosquatting risks.",
  "title": "New npm Supply Chain Attack Targets Developers with Malicious Packages",
  "type": "Supply Chain Attack"
}