Executive Summary
A recent campaign has been identified in which four malicious npm packages were published to the official npm registry, delivering advanced infostealers and the Phantom Bot DDoS malware to unsuspecting developer environments. These packages, attributed to the user deadcode09284814, have collectively been downloaded over 3,000 times, highlighting the persistent threat of supply chain attacks in open-source ecosystems. Notably, one package is a direct clone of the Shai-Hulud worm, a sophisticated credential-stealing malware recently leaked by the cybercriminal group TeamPCP. The campaign demonstrates the rapid weaponization of leaked malware code and the increasing risk posed by typo-squatting and malicious package uploads in the JavaScript ecosystem. Organizations and developers who have installed these packages are at risk of credential theft, infrastructure compromise, and participation in distributed denial-of-service (DDoS) attacks.
Threat Actor Profile
The threat actor behind this campaign operates under the npm username deadcode09284814. Analysis of the packages and their codebase reveals a high degree of opportunism, leveraging recently leaked malware such as the Shai-Hulud worm and the Phantom Bot DDoS toolkit. The actor demonstrates technical proficiency in adapting and repackaging open-source malware for rapid deployment. The campaign appears to be inspired by a supply chain attack competition hosted on BreachForums, a well-known cybercriminal marketplace. There is no direct attribution to advanced persistent threat (APT) groups; rather, the tactics align with those of cybercriminals and hacktivists seeking to exploit the open-source software supply chain for credential harvesting and botnet expansion.
Technical Analysis of Malware/TTPs
The four malicious packages—chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils—each deliver distinct payloads with overlapping objectives: credential theft, data exfiltration, and DDoS capability.
chalk-tempalte is a near-verbatim clone of the Shai-Hulud worm, originally leaked by TeamPCP. Upon installation, it executes code that harvests credentials, including SSH keys, environment variables, and cloud provider secrets. The stolen data is exfiltrated to a remote command-and-control (C2) server at 87e0bbc636999b.lhr[.]life. Additionally, the malware leverages any available GitHub tokens to create new repositories on the victim's account, populating them with exfiltrated data and the description "A Mini Sha1-Hulud has Appeared." Persistence is achieved through scheduled tasks and startup folder modifications, mirroring the original worm's techniques.
axois-utils delivers a Golang-based variant of the Phantom Bot DDoS malware. This botnet client is capable of launching volumetric HTTP, TCP, and UDP flood attacks. It establishes persistence on both Windows (via the Startup folder and scheduled tasks) and Linux systems. While the specific C2 communication protocol is not fully disclosed, it is consistent with other Phantom Bot variants, which typically use encrypted channels and dynamic C2 endpoints.
@deadcode09284814/axios-util and color-style-utils are both infostealers. They enumerate and exfiltrate SSH keys, environment variables, cloud credentials, system information, IP addresses, and cryptocurrency wallet data. @deadcode09284814/axios-util transmits its payload to 80.200.28[.]28:2222, while color-style-utils uses edcf8b03c84634.lhr[.]life as its exfiltration endpoint.
All four packages employ obfuscation and anti-analysis techniques, including code minification and dynamic import statements, to evade static analysis and detection by automated security tools. The use of typo-squatting—registering package names similar to popular libraries—further increases the likelihood of accidental installation by developers.
Exploitation in the Wild
The malicious packages were publicly available on the npm registry and collectively downloaded over 3,000 times before being removed. The campaign's opportunistic nature means that any developer or organization installing these packages—either directly or as a transitive dependency—could be affected. The actor's rapid adoption of leaked malware code, with minimal modification, underscores the speed at which threat actors can weaponize and redeploy open-source threats. The campaign was likely catalyzed by a supply chain attack competition on BreachForums, incentivizing actors to maximize impact and visibility.
Victims include individual developers, small businesses, and potentially larger organizations whose CI/CD pipelines or developer workstations ingested the malicious packages. The exfiltration of credentials and secrets poses a significant risk of lateral movement, privilege escalation, and further compromise within affected environments. The deployment of Phantom Bot also exposes victims to legal and reputational risk, as their infrastructure may be conscripted into DDoS attacks against third parties.
Victimology and Targeting
The campaign does not appear to target specific sectors, geographies, or organizations. Instead, it leverages the global reach of the npm ecosystem to cast a wide net, affecting any developer or organization that inadvertently installs the malicious packages. The use of typo-squatting and generic package names increases the likelihood of accidental installation, particularly in fast-paced development environments where dependency hygiene may be lacking. The primary victims are developers and organizations with automated build systems, continuous integration pipelines, or insufficiently monitored dependency management practices. The theft of cloud credentials and SSH keys suggests a secondary objective of enabling further attacks against cloud infrastructure and code repositories.
Mitigation and Countermeasures
Immediate action is required for any organization or developer who has installed the affected packages. All instances of chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils must be uninstalled from all environments. A comprehensive search should be conducted for malicious configuration files and artifacts, particularly within integrated development environments (IDEs) and coding agents such as Claude Code. All potentially exposed secrets—including SSH keys, cloud provider credentials, and GitHub tokens—must be rotated without delay.
Network administrators should block outbound connections to the identified C2 domains and IP addresses: 87e0bbc636999b.lhr[.]life, edcf8b03c84634.lhr[.]life, and 80.200.28[.]28:2222. Security teams should also search for GitHub repositories on their organization's and developers' accounts whose description contains the string "A Mini Sha1-Hulud has Appeared," since such a repository indicates that a GitHub token was abused and exfiltration succeeded.
Long-term, organizations must implement strict allow-lists for npm dependencies, enforce code review and dependency validation processes, and monitor for suspicious package installations and outbound network connections. Developer education on the risks of supply chain attacks and typo-squatting is essential. Automated tooling should be deployed to detect and block known malicious packages and to alert on anomalous dependency changes in code repositories.
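One way to check a repository for the four packages named above, as an added example that is not code from the advisory or from Rescana: it takes an already-parsed package-lock.json (v1, v2 or v3 layout) or package.json and reports every occurrence, including transitive ones, using a constructed sample lockfile embedded at the end.

```javascript
// Added example, not from the advisory: flag the four packages it names in a parsed
// package-lock.json or package.json, including transitive (nested) occurrences.
const MALICIOUS_PACKAGES = new Set([
  "chalk-tempalte", "@deadcode09284814/axios-util", "axois-utils", "color-style-utils",
]);

// Lockfile v2/v3 "packages" key -> package name, keeping the scope:
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromLockPath(key) {
  const idx = key.lastIndexOf("node_modules/");
  return idx === -1 ? null : key.slice(idx + "node_modules/".length);
}

// Walk a nested "dependencies" tree: lockfile v1 objects ({version, dependencies})
// or package.json range strings ("^1.0.0"). Hits are appended to `out`.
function collectNested(deps, out, trail = []) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...trail, name];
    if (MALICIOUS_PACKAGES.has(name)) {
      out.push({ name, version: typeof info === "string" ? info : info.version, path: here.join(" > ") });
    }
    if (info && typeof info === "object") collectNested(info.dependencies, out, here);
  }
}

// Every hit ({name, version, path}) in a parsed package-lock.json (v1/v2/v3) or package.json.
function findMaliciousDeps(doc) {
  const hits = [];
  for (const [key, info] of Object.entries(doc.packages || {})) {
    const name = nameFromLockPath(key);
    if (name && MALICIOUS_PACKAGES.has(name)) hits.push({ name, version: info.version, path: key });
  }
  // v2 lockfiles carry both "packages" and a v1-style "dependencies" tree; walk only one.
  const fields = doc.packages ? [] : ["dependencies", "devDependencies", "optionalDependencies"];
  for (const field of fields) collectNested(doc[field], hits);
  return hits;
}

// Constructed sample lockfile (v3 layout) with one direct and one transitive hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/axios/node_modules/axois-utils": { version: "1.0.3" },
    "node_modules/@deadcode09284814/axios-util": { version: "2.1.0" },
  },
};
console.log(findMaliciousDeps(SAMPLE_LOCK)); // two hits: axois-utils (transitive) and the scoped package
```

Run it against every package-lock.json and package.json in a monorepo or CI cache, since a clean top-level manifest says nothing about what a transitive dependency pulled in.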
References
The following sources provide additional technical detail and context for this campaign:
The Hacker News: Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
OX Security Blog: New Actors Deploy Shai-Hulud Clones
BleepingComputer: Leaked Shai-Hulud malware fuels new npm infostealer campaign
Reddit: Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
MITRE ATT&CK Techniques: https://attack.mitre.org/
About Rescana
Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their supply chain. Our advanced analytics and threat intelligence capabilities empower security teams to proactively identify and respond to emerging threats in real time, ensuring the resilience of your digital ecosystem.
For further questions or incident response support, please contact us at ops@rescana.com.