Overview
- Security researchers at OX Security identified four malicious npm packages from the same publisher that include one near-verbatim Shai-Hulud clone.
- The clone, published as chalk-tempalte, sends stolen credentials to 87e0bbc636999b.lhr.life and auto-uploads them to a new public GitHub repo labeled “A Mini Sha1-Hulud has Appeared.”
- Another package, axois-utils, installs a Golang DDoS tool called Phantom Bot that can flood targets over HTTP, TCP, and UDP and persists on Windows and Linux.
- The remaining two packages, @deadcode09284814/axios-util and color-style-utils, exfiltrate SSH keys, environment variables, cloud credentials, system details, IP address, and crypto wallet data to actor-controlled endpoints, including 80.200.28.28:2222 and edcf8b03c84634.lhr.life.
- The four libraries remain available on npm with more than 2,600 combined weekly downloads, and researchers urge uninstalling them, rotating all secrets, cleaning IDEs and coding agents, auditing CI/CD tokens, and blocking the listed command-and-control domains.
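The first remediation step above is finding out whether any of the four packages is present in a project at all, including as a transitive dependency buried several levels deep. The following script is an added example, not code from OX Security or from the article being summarised: it reads an npm `package-lock.json` (both the nested lockfileVersion 1 layout and the flat `packages` map of lockfileVersion 2/3) and flags any entry whose name matches one of the reported packages. The lockfile contents embedded below are constructed for the example, and the version numbers in them are made up; only the four package names come from the page.

```python
import json
from typing import Dict, Iterator, List, Tuple

# The four package names reported by OX Security (from the summary above).
MALICIOUS_PACKAGES = frozenset({
    "chalk-tempalte",
    "axois-utils",
    "@deadcode09284814/axios-util",
    "color-style-utils",
})

Hit = Tuple[str, str, str]  # (package name, version, location in the tree)

# Constructed lockfileVersion 3 sample: one malicious package nested under
# left-pad, one installed top-level. Versions are invented for the example.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/chalk-template": {"version": "1.1.0"},
        "node_modules/left-pad": {"version": "1.3.0"},
        "node_modules/left-pad/node_modules/axois-utils": {"version": "1.0.2"},
        "node_modules/@deadcode09284814/axios-util": {"version": "0.0.1"},
    },
})

# Constructed lockfileVersion 1 sample, which nests transitive deps instead.
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "chalk-template": {
            "version": "1.1.0",
            "dependencies": {"chalk-tempalte": {"version": "1.0.0"}},
        }
    },
})


def _name_from_key(key: str) -> str:
    """lockfileVersion 2/3 keys look like 'node_modules/foo' or
    'node_modules/foo/node_modules/@scope/bar'; the package name is
    everything after the last 'node_modules/' segment."""
    marker = "node_modules/"
    idx = key.rfind(marker)
    return "" if idx == -1 else key[idx + len(marker):]


def _walk_v1(deps: Dict[str, dict], prefix: str) -> Iterator[Hit]:
    """lockfileVersion 1 nests each entry's transitive deps under 'dependencies'."""
    for name, meta in deps.items():
        location = f"{prefix}node_modules/{name}"
        yield (name, str(meta.get("version", "?")), location)
        yield from _walk_v1(meta.get("dependencies", {}), location + "/")


def iter_installed(lock: dict) -> Iterator[Hit]:
    """Yield every installed package regardless of lockfile version or nesting depth."""
    if "packages" in lock:  # lockfileVersion 2 and 3: flat map keyed by path
        for key, meta in lock["packages"].items():
            name = _name_from_key(key)
            if name:  # the root project entry "" has no name and is skipped
                yield (name, str(meta.get("version", "?")), key)
    else:  # lockfileVersion 1: recursive tree
        yield from _walk_v1(lock.get("dependencies", {}), "")


def find_malicious(lockfile_text: str) -> List[Hit]:
    """Return every installed entry whose name is one of the reported packages."""
    lock = json.loads(lockfile_text)
    return [hit for hit in iter_installed(lock) if hit[0] in MALICIOUS_PACKAGES]


if __name__ == "__main__":
    import sys

    # Pass a real package-lock.json path to scan it; otherwise the sample runs.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCKFILE_V3
    hits = find_malicious(text)
    for name, version, where in hits:
        print(f"FLAGGED {name}@{version} at {where}")
    if hits:
        print("Remove the package, then rotate every secret the host could reach "
              "(SSH keys, env vars, cloud and CI/CD tokens, wallets).")
    else:
        print("none of the reported packages found")
```

Run it against a real lockfile with `python scan_lock.py path/to/package-lock.json`. A match anywhere in the tree is enough to treat the host as compromised: install-time hooks run regardless of how deeply a package is nested, which is why the scan walks every level rather than only direct dependencies.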