Cybersecurity researchers have flagged four new npm packages that carry information-stealing malware, with one package containing a direct clone of the Shai-Hulud worm released by TeamPCP. The identified packages and their download counts are chalk-tempalte (825 downloads), @deadcode09284814/axios-util (284 downloads), axois-utils (963 downloads), and color-style-utils (934 downloads).
According to OX Security, the malicious payloads differ across the four packages, yet all were published by the same npm user, deadcode09284814, and remain downloadable at the time of writing. Analysis showed that axois-utils is designed to deliver a Go-based distributed denial-of-service (DDoS) botnet called Phantom Bot, capable of flooding target websites over HTTP, TCP and UDP; it persists on Windows and Linux by adding itself to the Startup folder and creating a scheduled task.
The other two, @deadcode09284814/axios-util and color-style-utils, drop a stealer payload, while chalk-tempalte mimics the Shai-Hulud worm: stolen credentials are sent to a remote C2 server at 87e0bbc636999b.lhr[.]life, and data is exfiltrated to a newly created GitHub repository using a stolen token. Users who installed any of these packages are advised to uninstall them and rotate any secrets that were present on the affected machine.