Supply Chain Alert: New npm Campaign Weaponizes Leaked Shai-Hulud Malware via Typosquatting

A sophisticated supply chain attack campaign has been detected targeting the JavaScript development ecosystem. Within the last 24 hours, security researchers at OX Security identified a cluster of four malicious npm packages designed to exfiltrate high-value assets, including SSH private keys, cloud provider credentials (AWS, Azure, GCP), and cryptocurrency wallet data.

The campaign utilizes classic typosquatting—a technique where attackers register package names that are slight misspellings of popular libraries—to trick developers into accidental installation. These packages were all published under a single npm account and have already garnered over 2,600 weekly downloads, indicating significant successful infection rates.

The identified malicious packages are:

  • @deadcode09284814/axios-util
  • axois-utils
  • chalk-tempalte
  • color-style-utils

Security analysts warn that the compromise is near-instantaneous; every version of these packages contains embedded infostealer logic that executes upon installation.

The Shai-Hulud Connection: Opportunistic Malware Reuse

One of the most alarming technical findings is located within the chalk-tempalte package. Analysis reveals it contains a near-identical clone of the Shai-Hulud malware. This specific strain was recently leaked by the group TeamPCP, providing a blueprint for low-effort, high-impact exploitation.

According to a detailed report from OX Security, the attacker behind this package appears to be an opportunistic actor rather than a highly sophisticated developer. The leaked source code was integrated with minimal modification, leaving much of the logic and structure un-obfuscated. This “copy-paste” approach allows threat actors to deploy advanced capabilities without needing deep expertise in malware development.

The Shai-Hulud variant functions as a comprehensive infostealer. It harvests environment variables, system credentials, and crypto assets, transmitting them to a command-and-control (C2) server hosted at 87e0bbc636999b.lhr.life. Furthermore, the malware mirrors the original’s behavior by exfiltrating collected data to attacker-controlled GitHub repositories.

Technical Analysis of the npm malware (Source: OX Security).
Technical Analysis of the npm malware (Source: OX Security).

Multi-Vector Attack Strategy: From Data Theft to Botnet Deployment

The campaign is not limited to simple data theft; it employs a multi-functional strategy to maximize the utility of the compromised infrastructure.

1. Cloud and Infrastructure Harvesting:
The @deadcode09284814/axios-util package is purpose-built for lateral movement. It targets SSH keys and cloud credentials for AWS, Google Cloud, and Azure. The exfiltrated data is sent via port 2222 to a remote IP address (80.200.28.28), providing attackers with the “keys to the kingdom” for cloud environments.

2. Persistence and DDoS Capabilities:
The axois-utils package introduces a significantly more aggressive component: a “phantom bot.” This component, partially written in Go, is designed to establish persistent access on the host machine, ensuring the malware remains active even if the initial npm package is uninstalled.

Analysis of the local bot service (Source: OX Security).
Analysis of the local bot service (Source: OX Security).

This bot transforms the victim’s machine into a node within a distributed botnet. This allows the threat actor to launch various types of Distributed Denial of Service (DDoS) attacks, including HTTP, TCP, UDP, and reset-based flooding.

3. Lightweight Intelligence Gathering:
The color-style-utils package serves as a simpler, low-noise infostealer. It focuses on geolocation, IP intelligence, and cryptocurrency wallet details, exfiltrating this data to edcf8b03c84634.lhr.life. The lack of complex evasion techniques here suggests a “quantity over quality” approach to deployment.

Analysis of color-style-utils (Source: OX Security).
Analysis of color-style-utils (Source: OX Security).

Incident Response and Mitigation

This campaign highlights the critical vulnerability of the modern software supply chain to typosquatting. When developers work in high-pressure environments, a single keystroke error can lead to total system compromise.

Immediate Action Items for Developers and DevOps Teams:

  • Audit Dependencies: Check your package.json and lockfiles for the malicious packages listed above.
  • Immediate Removal: If any of these packages are found, uninstall them immediately.
  • Credential Rotation: Assume all environment variables, SSH keys, and cloud credentials (AWS, GCP, Azure) present on the infected machine are compromised. Rotate them immediately.
  • Persistence Hunting: Inspect system processes for unauthorized Go-based binaries or suspicious background services that may have been installed by the “phantom bot.”
  • Indicator of Compromise (IoC) Scanning: Scan your repositories and local file systems for the specific string: “A Mini Sha1-Hulud has Appeared”.

As malware becomes increasingly “democratized” through public leaks, the necessity for rigorous dependency verification and the use of automated Software Supply Chain Security tools has never been more vital.

Related Articles

Back to top button