Close Menu
    What's Hot

    Pete Hegseth’s Plan for ‘High T’ Troops Is a Junk Science Fever Dream

    Truth Social Parent to Sell Faster Access to Trump’s Posts

    Ocado Group plc (OCDDY) Q2 2026 Earnings Call Transcript

    Facebook X (Twitter) Instagram
    Trending
    • Pete Hegseth’s Plan for ‘High T’ Troops Is a Junk Science Fever Dream
    • Truth Social Parent to Sell Faster Access to Trump’s Posts
    • Ocado Group plc (OCDDY) Q2 2026 Earnings Call Transcript
    • Kobbie Mainoo: England boss Thomas Tuchel was unimpressed by unused Manchester United midfielder during World Cup training – Paper Talk | Football News
    • The AI context gap: Enterprise AI organizations have a trust problem, not a retrieval problem — and most are still building the fix
    • Trump Administration Restricts Green Cards for Immigrants on Public Assistance
    • Venezuela earthquake: Number of known dead rises to nearly 5,000 victims | Earthquakes News
    • San Francisco mayor pushes for tougher rules after the Waymo traffic fiasco
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

    adminBy adminMay 18, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananMay 18, 2026Supply Chain Attack / Botnet

    Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

    Cybersecurity researchers have discovered four new npm packages containing information-stealing malware, one of which is a clone of the Shai-Hulud worm open-sourced by TeamPCP.

    The list of identified packages is below –

    • chalk-tempalte (825 Downloads)
    • @deadcode09284814/axios-util (284 Downloads)
    • axois-utils (963 Downloads)
    • color-style-utils (934 Downloads)

    “One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably inspired as part of the supply chain attack competition that was published in BreachForums not long after,” OX Security’s Moshe Siman Tov Bustan said.

    Interestingly, the malicious payloads embedded into the four npm packages are different, despite them being published by the same npm user, “deadcode09284814.” As of writing, the four libraries are still available for download from npm.

    Cybersecurity

    An analysis of the packages has revealed that “axois-utils” is designed to deliver a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot, with capabilities to flood a target website using HTTP, TCP, and UDP protocols. It also establishes persistence on both Windows and Linux machines by adding the payload to the Windows Startup folder and creating a scheduled task. 

    The remaining three drop a stealer payload on compromised systems. Of the three packages, the “chalk-tempalte” package contains a clone of the Shai-Hulud worm released by TeamPCP.

    “The actor took the code, and almost without any change at all — uploaded a working version with its own C2 server and private key into npm,” OX Security said. “The stolen credentials are sent to the remote C2 server — 87e0bbc636999b.lhr[.]life”

    In addition, the data is exported to a new GitHub public repository using the stolen GitHub token via the API. The repository is given the description “A Mini Sha1-Hulud has Appeared.”

    The other two npm packages, “@deadcode09284814/axios-util” and “color-style-utils,” carry a more straightforward functionality that siphons SSH keys, environment variables, cloud credentials, system information, IP address, and cryptocurrency wallet data to “80.200.28[.]28:2222” and “edcf8b03c84634.lhr[.]life,” respectively.

    “Threat actors are getting even more motivated to conduct supply chain and typo-squatting, as attacks become easier to perform with the Shai-Hulud code becoming open source,” OX Security said.  “We’re now seeing a single actor with multiple techniques and infostealer types spreading malicious code onto npm, as it’s just the first phase of an upcoming wave of supply chain attacks coming.”

    Users who have downloaded the packages are uninstall them immediately, find and delete malicious configuration from IDEs and coding agents like Claude Code, rotate secrets, check for GitHub repositories containing the string “A Mini Sha1-Hulud has Appeared,” and block network access to suspicious domains.

    Bot DDoS Deliver Infostealers malicious Malware npm Packages Phantom
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous Articletried and tested – The Mail & Guardian
    Next Article Dyson’s super-slim PencilWash just hit its best price to date for Memorial Day
    admin
    • Website

    Related Posts

    20+ Hijacked Government Websites Became
an Attack Channel

    July 16, 2026

    New ClickLock macOS Stealer Kills Apps Every 210ms Until Victims Type Their Password

    July 16, 2026

    Two Scattered Spider Hackers Get 5.5 Years Each for £29 Million TfL Hack

    July 16, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Pete Hegseth’s Plan for ‘High T’ Troops Is a Junk Science Fever Dream

    Truth Social Parent to Sell Faster Access to Trump’s Posts

    Ocado Group plc (OCDDY) Q2 2026 Earnings Call Transcript

    Kobbie Mainoo: England boss Thomas Tuchel was unimpressed by unused Manchester United midfielder during World Cup training – Paper Talk | Football News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by