
Four Malicious npm Packages Delivering Infostealers and Phantom Bot DDoS Malware

Scope: npm Ecosystem (chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils)

Severity: Red

OX Security researchers discovered four typosquatted npm packages published by the account deadcode09284814. The packages were still live on the registry at the time of reporting and had collectively been downloaded over 3,000 times; each carries a distinct malicious payload. chalk-tempalte contains a near-unmodified clone of the TeamPCP Shai-Hulud worm, which exfiltrates stolen credentials to a C2 server and publishes them to auto-created GitHub repositories bearing the description "A Mini Sha1-Hulud has Appeared". axois-utils installs a persistent Golang-based Phantom Bot DDoS botnet capable of HTTP, TCP, and UDP flooding that survives deletion of the package. @deadcode09284814/axios-util and color-style-utils harvest SSH keys, cloud credentials, environment variables, cryptocurrency wallet data, and system information and send them to separate attacker-controlled infrastructure.

Developers who installed any of these packages should: uninstall them immediately; rotate all credentials accessible from the affected environment (cloud keys, SSH keys, GitHub tokens, API tokens, crypto wallets); revoke exposed GitHub tokens and delete any repositories matching the Sha1-Hulud description; remove the Windows Startup entries and Linux scheduled tasks added by axois-utils; and block egress to 87e0bbc636999b.lhr[.]life, 80.200.28[.]28:2222, and edcf8b03c84634.lhr[.]life.

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.