Supply Chain Compromise: art-template NPM Package Weaponized to Deliver Coruna iOS Exploits

In a sophisticated supply-chain attack, threat actors have compromised the widely utilized art-template npm package, transforming a trusted JavaScript templating engine into a stealthy delivery mechanism for advanced mobile exploits. The campaign specifically targets Safari users on iOS, leveraging a watering-hole strategy to deploy the Coruna-class exploit framework.

The art-template library, originally maintained by the developer “aui,” serves a massive footprint across both domestic Chinese and international web ecosystems. Following a takeover of the project’s maintenance rights, the new actor began publishing malicious updates while actively suppressing community warnings by deleting suspicious GitHub issues—a classic indicator of an adversary attempting to mask the lifecycle of a compromise.

Technical Breakdown of the Injection Vector

The compromise progressed through several stages of increasing visibility and aggression across specific version releases:

  • Version 4.13.3: Employed stealth via String.fromCharCode to reconstruct a script URL. This obfuscated the initial network request to git.youzzjizz[.]com/git.js, making it harder for static analysis tools to flag the malicious connection.
  • Versions 4.13.5 and 4.13.6: Dropped the obfuscation layers in favor of direct execution. These builds appended a loadScript call to the end of lib/template-web.js, which pulls secondary payloads from v3.jiathis[.]com/code/art.js.

According to threat research from Socket, the attacker claimed to be providing maintenance for the unmaintained library before immediately weaponizing the codebase. Any web application bundling these specific browser builds effectively becomes a silent host for a browser-side exploit loader, granting attackers the ability to execute arbitrary JavaScript in the context of every visitor’s browser.

The Watering-Hole and Coruna Exploit Framework

The malicious loader does not carry the exploit payload itself. Instead, it functions as a redirector to a dedicated watering-hole host located at utaq[.]cfww[.]shop/gooll/gooll.html. This page hosts a heavily obfuscated JavaScript implant (49554fde7424c31c.js) designed to perform high-precision target filtering.

To maintain a low profile and avoid detection by security researchers using desktop environments or automated crawlers, the implant utilizes strict environmental fingerprinting. It specifically targets Safari on iOS versions 11.0 through 17.2. It explicitly rejects connections from Chrome, Firefox, Edge, Android, and even newer versions of iOS (17.3+), where the critical WebKit vulnerabilities utilized by this chain have been patched.

Technical indicators strongly suggest the implant is a derivative of the Coruna iOS exploit kit. The code exhibits several signature patterns associated with Coruna, including:

  • SHA-256–based content-addressed URLs generated from a unique “session key.”
  • XOR-encoded strings and numeric constants used for payload decryption.
  • The use of dynamically generated 15-character .xyz command-and-control (C2) domains (e.g., l1ewsu3yjkqeroy[.]xyz).

Before deployment, the framework executes an intensive anti-bot suite. This includes user-agent scrutiny, WebGL/WebRTC fingerprinting, MathML rendering checks, IndexedDB behavior analysis, and a custom WebAssembly proof-of-work test designed to validate genuine Safari JIT (Just-In-Time) compilation capabilities.

Mitigation and Defense Strategies

Because this attack lives within the dependency tree, developers may be compromised without modifying a single line of their own application code. To defend against this vector, organizations should adopt the following posture:

  • Dependency Pinning: Avoid using range operators (like ^ or ~) for critical packages. Pin to known-good, audited versions.
  • Artifact Auditing: Monitor build artifacts for unexpected remote script injections or calls to unknown domains.
  • Network Egress Filtering: Block traffic to identified malicious domains, including v3.jiathis[.]com, utaq[.]cfww[.]shop, and l1ewsu3yjkqeroy[.]xyz.
  • Patch Management: Ensure all mobile endpoints are updated to iOS 17.3 or later to mitigate the underlying WebKit vulnerabilities.

Indicators of Compromise (IOCs)

Compromised Package Details

Affected Versions: art-template 4.13.3, 4.13.5, 4.13.6

File Hashes: Entry Point (49554fde7424c31c.js)

  • SHA-256: f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c
  • SHA-1: 8064d4e0322f069b3dba13e7957ff0ca7dab7984
  • MD5: 6e79ae622b7ef30f31fdbcc2dc65339e

File-Based Indicators

  • Delivered Filename: 49554fde7424c31c.js
  • Decoded Name: 7a7d99099b035b2c6512b6ebeeea6df1ede70fbb.min.js (via uint32 packer)
  • Session Key: cecd08aa6ff548c2 (Used in remote module GET paths)
  • Global Dispatcher: obChTK (Injected into globalThis)
  • Obfuscation Functions: fqMaGkN4, fqMaGkNR, fqMaGkNK, fqMaGkNr
  • Anti-Bot Artifacts: ldm_mml_t (MathML ID); _ldm_ (Transient IndexedDB name)

Note: IP addresses and domains have been defanged for safety. Do not attempt to resolve these in a production environment; use a dedicated threat intelligence platform.

Related Articles

Back to top button