
Four Malicious Npm Packages Deliver Infostealers and Phantom Bot DDoS Malware
Why It Matters
The incident highlights the growing exposure of the JavaScript supply chain, where a single malicious npm module can silently compromise thousands of downstream projects and turn open‑source code into a weaponized commodity.
Key Takeaways
- Four npm packages carried infostealer or DDoS bot code
- axois‑utils drops a Golang‑based Phantom Bot DDoS agent
- chalk‑tempalte reuses the leaked open‑source Shai‑Hulud worm code
- The packages steal SSH keys, environment variables, cloud tokens and crypto wallets
- Researchers urge immediate uninstallation and rotation of every exposed secret
Pulse Analysis
The JavaScript package ecosystem has become a prime target for supply‑chain attacks, and the recent discovery of four malicious npm modules underscores the accelerating risk. As developers lean on open‑source libraries to shorten product cycles, attackers exploit the trust placed in the npm registry to publish code that runs on countless developer and build machines. The availability of the Shai‑Hulud worm source on public forums has lowered the barrier to building functional malware, turning what was a bespoke worm into a commodity that can be repackaged with minimal effort.
The four packages (chalk‑tempalte, @deadcode09284814/axios‑util, axois‑utils and color‑style‑utils) were published by a single npm user and together delivered two distinct threat families. The chalk‑tempalte package contains an almost verbatim copy of the Shai‑Hulud code, redirecting stolen credentials to a dedicated command‑and‑control domain. The axois‑utils package installs a Golang‑based Phantom Bot capable of HTTP, TCP and UDP flooding, persisting through Windows startup entries and Linux scheduled tasks. The remaining two libraries harvest SSH keys, environment variables, cloud‑provider tokens and cryptocurrency wallet data, exfiltrating them to separate malicious servers.
Security teams should treat any npm package that makes unexpected network calls, particularly at install or import time, as high risk, and organizations should adopt automated provenance and lockfile checks so that tampered or look‑alike packages are caught before code reaches production. Immediate remediation means uninstalling the affected modules, removing any persistence they left behind (startup entries, scheduled tasks and altered shell or tool configuration) from development environments, rotating every secret those machines could reach, and blocking the identified C2 domains and IP addresses. The episode signals a broader shift toward commoditized supply‑chain weaponization, where leaked open‑source malware accelerates the volume of attacks. Continuous monitoring of package registries and strict dependency hygiene will be essential to safeguard the software supply chain moving forward.
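One concrete form of the lockfile check described above, written here as an added example and not code from the article or the researchers it cites: a Node script that walks a package-lock.json, flags the four package names the article lists, flags names within two edits of an allowlist of legitimate packages (the same near-miss pattern as axois‑utils and chalk‑tempalte), and flags any dependency that npm marked as having an install‑time lifecycle script. The allowlist, the sample lockfile and its version numbers are constructed for the demo; the `hasInstallScript` field is what npm itself writes into lockfile v2 and v3 entries whose package.json declares preinstall/install/postinstall.

```javascript
// Added example (not from the article): audit an npm lockfile for known-bad
// names, typosquat-style near misses, and install-time lifecycle scripts.

// Package names as listed in the article.
const KNOWN_BAD = new Set([
  "chalk-tempalte",
  "@deadcode09284814/axios-util",
  "axois-utils",
  "color-style-utils",
]);

// Assumption: a short allowlist of legitimate names for the near-miss check.
// In practice, feed it your organisation's approved dependency list.
const POPULAR = ["axios", "chalk", "chalk-template", "color", "lodash", "express"];

// Standard Levenshtein edit distance, single-row dynamic programming.
function levenshtein(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// "@scope/name" -> "name"; unscoped names are returned unchanged.
function bareName(name) {
  const parts = name.split("/");
  return name.startsWith("@") && parts.length > 1 ? parts[1] : name;
}

// Collect { name, entry } for every installed package. lockfileVersion 2/3
// keep a flat `packages` map keyed by node_modules path; lockfileVersion 1
// keeps a nested `dependencies` tree.
function lockfileEntries(lock) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const idx = key.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" key is the root project itself
    out.push({ name: key.slice(idx + "node_modules/".length), entry });
  }
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      out.push({ name, entry });
      walk(entry.dependencies);
    }
  };
  if (!lock.packages) walk(lock.dependencies);
  return out;
}

// Returns [{ name, version, reasons: [...] }] for every suspicious package.
function auditLockfile(lock, popular = POPULAR) {
  const findings = [];
  for (const { name, entry } of lockfileEntries(lock)) {
    const reasons = [];
    if (KNOWN_BAD.has(name)) reasons.push("known malicious package");
    const bare = bareName(name);
    if (!popular.includes(bare)) {
      for (const p of popular) {
        const d = levenshtein(bare, p);
        if (d <= 2) {
          reasons.push(`name is ${d} edit(s) from "${p}" (possible typosquat)`);
          break;
        }
      }
    }
    // npm sets hasInstallScript on v2+ entries whose package.json declares
    // preinstall/install/postinstall; those run code during `npm install`.
    if (entry.hasInstallScript) reasons.push("runs an install-time lifecycle script");
    if (reasons.length) findings.push({ name, version: entry.version, reasons });
  }
  return findings;
}

// Constructed sample lockfile (lockfileVersion 3); versions are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/chalk-template": { version: "1.1.0" },
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/lodahs": { version: "0.0.1" }, // constructed near-miss name
    "node_modules/axois-utils": { version: "1.0.0", hasInstallScript: true },
    "node_modules/@deadcode09284814/axios-util": { version: "1.0.0" },
  },
};

// Usage: node audit-lock.js [path/to/package-lock.json]; defaults to the sample.
if (typeof require !== "undefined" && require.main === module) {
  const lock = process.argv[2]
    ? JSON.parse(require("node:fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCK;
  for (const f of auditLockfile(lock)) {
    console.log(`${f.name}@${f.version}: ${f.reasons.join("; ")}`);
  }
}
```

The edit-distance threshold of two is deliberately loose; it will raise a handful of benign hits on a large dependency tree, which is the right trade-off for a check that runs in CI before `npm install` executes any lifecycle script. Treat a known‑bad hit as an incident (rotate secrets, hunt for persistence) rather than just a failed build.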