Hackers Uploaded npm Packages With a DDoS Botnet and a Clone of the Shai-Hulud Worm

18.05.2026 2 minutes Author: Newsman

Cybersecurity experts have discovered four malicious packages in npm that were used to steal data and deploy a DDoS botnet. One of them contained a nearly complete copy of the open source Shai-Hulud worm recently published by TeamPCP.

List of malicious software identified via npm packages:

  • chalk-template (825 downloads)

  • @deadcode09284814/axios-util (284 downloads)

  • axios-utils (963 downloads)

  • color-style-utils (934 downloads)

As reported by OX Security, the above-mentioned packages were all published by one individual using the npm account “deadcode09284814”; however, they delivered multiple types of malicious payload. As of this article's publication date, the packages remain available for download from the npm registry.

The researchers identified the malicious packages as follows:

  • chalk-tempalte

  • @deadcode09284814/axios-util

  • axois-utils

  • color-style-utils

OX Security stated that the “chalk-tempalte” package is a straight copy of the Shai-Hulud worm code that TeamPCP released publicly last week.

“The threat actor took the code, modified it to include his own C2 server and private key and then uploaded it to npm nearly unchanged.”

Based on their research, they believe the posting of the malicious code on BreachForum may be connected to a supply-chain attack challenge that appeared there shortly after TeamPCP made the Shai-Hulud code public.

Their analysis revealed that the “axois-utils” package contains the Phantom Bot DDoS botnet. It is written in Go and can launch HTTP, TCP, or UDP attacks against targets, and it infects both Windows and Linux hosts. To persist, it adds itself to Windows start-up and also creates scheduled tasks.

The other packages steal sensitive information from infected systems. Specifically, “chalk-tempalte”, in addition to launching a clone of the Shai-Hulud worm, transmits stolen credentials to a remote C2 server at 87e0bbc636999b.lhr[.]life. The malware also uses the stolen GitHub tokens to create new public GitHub repositories through the API; each repository is created with the default description:

“A Mini Sha1-Hulud has Appeared.”

The other two packages, “@deadcode09284814/axios-util” and “color-style-utils”, have simpler functionality than the packages described above. Both capture SSH keys, environment variables, IP addresses, system information, cloud credentials and crypto-wallet data and send them to the servers at 80.200.28[.]28:2222 and edcf8b03c84634.lhr[.]life respectively.
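A defender-side check that follows from the package list above, added here as an example (it is not code from the OX Security report): it scans an npm lockfile (lockfileVersion 2 or 3, whose `packages` map keys installed paths like `node_modules/<name>`) for the package names named in this article and for anything published under the reporter's scope. The lockfile contents and version numbers are constructed for the demonstration.

```javascript
// Package names as given in this article (both spellings that appear in it)
// plus the npm scope of the account that published them.
const MALICIOUS_PACKAGES = new Set([
  "chalk-template", "chalk-tempalte",
  "@deadcode09284814/axios-util",
  "axios-utils", "axois-utils",
  "color-style-utils",
]);
const MALICIOUS_PUBLISHER = "deadcode09284814";

// Derive the package name from a lockfile "packages" key, e.g.
// "node_modules/foo/node_modules/@scope/bar" -> "@scope/bar".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Return every installed package that matches a listed name or lives under
// the publisher's scope. Each finding keeps the lockfile path and resolved
// version so an analyst can locate and remove the dependency.
function findMaliciousPackages(lockfile) {
  const findings = [];
  for (const [key, meta] of Object.entries(lockfile.packages || {})) {
    if (key === "") continue; // the "" entry is the root project itself
    const name = nameFromLockKey(key);
    const scoped = name.startsWith(`@${MALICIOUS_PUBLISHER}/`);
    if (MALICIOUS_PACKAGES.has(name) || scoped) {
      findings.push({
        name, path: key, version: meta.version,
        reason: scoped ? "publisher scope" : "listed name",
      });
    }
  }
  return findings;
}

// Constructed sample lockfile: one benign dependency, one direct hit on a
// listed name, and one nested dependency under the publisher's scope.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/express": { version: "4.19.2" },
    "node_modules/chalk-tempalte": { version: "1.0.3" },
    "node_modules/express/node_modules/@deadcode09284814/axios-util": { version: "0.1.0" },
  },
};

for (const f of findMaliciousPackages(SAMPLE_LOCKFILE)) {
  console.log(`${f.reason}: ${f.name}@${f.version} at ${f.path}`);
}
```

To run it against a real project, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json"))`; a non-empty result means the lockfile pins one of the reported packages.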
