Leaked Shai-Hulud malware fuels new npm infostealer campaign
Source: Bleeping Computer

New npm infostealer campaign using leaked Shai‑Hulud malware
The Shai‑Hulud malware that was leaked last week is now being leveraged in fresh attacks against the Node Package Manager (npm) ecosystem. Over the weekend, a threat actor operating the npm account deadcode09284814 published four malicious packages, one of which contains a non‑obfuscated copy of Shai‑Hulud. The malware targets developer credentials, secrets, cryptocurrency wallet data, and other account information. All four packages exfiltrate data, and one also turns the infected host into a bot for distributed denial‑of‑service (DDoS) attacks.
Malicious packages published
The attacker used typo‑squatting names aimed at Axios users, as well as generic names:
- chalk-tempalte – Shai‑Hulud clone (information stealer)
- @deadcode09284814/axios-util – Credential and cloud‑config stealer
- axois-utils – Infostealer + persistent DDoS botnet (“phantom bot”)
- color-style-utils – Basic infostealer targeting crypto wallets and IP info
chalk-tempalte
- Contains an almost exact copy of the leaked Shai‑Hulud source code, attributed to the TeamPCP hacker group.
- No obfuscation or additional protection is applied; the code is a direct, unmodified copy.
- The package uploads stolen credentials to public, auto‑generated GitHub repositories.
axois-utils
- In addition to the standard information‑stealing functionality, this package includes DDoS capabilities.
- Supports HTTP, TCP, and UDP floods, as well as TCP reset attacks.
- Internal references to a “phantom bot” were observed.
Technical details
The malware exfiltrates data to a command‑and‑control (C2) server at:
87e0bbc636999b.lhr.life
It retains the original GitHub publishing functionality, automatically creating public repositories to store stolen credentials.
DDoS attack code – Source: OXsecurity
The broader Shai‑Hulud campaign has been active since September 2025, injecting malicious code into legitimate npm packages, stealing publishing‑rights credentials, and exposing the harvested data in public GitHub repositories. The campaign has been linked to the TeamPCP hacker group.
Impact and recommendations
- The four malicious packages have a combined download count of 2,678.
- Developers who have installed any of these packages should remove them immediately and rotate all credentials and API keys on affected systems.
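One way to act on that recommendation, as an added example that is not code from the article or from OXsecurity: a small Node.js script that scans a project's package-lock.json for the four package names listed above, in both the flat v2/v3 lockfile layout and the older nested v1 layout, and reports where each one was installed. The sample lockfile and its version strings are constructed for the example.

```javascript
// Added example (not from the article): scan an npm lockfile for the four package names on this page.
const MALICIOUS_PACKAGES = new Set([
  'chalk-tempalte',
  '@deadcode09284814/axios-util',
  'axois-utils',
  'color-style-utils',
]);

// v2/v3 keys look like "node_modules/a/node_modules/@scope/b"; the name follows the last "node_modules/".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns every match as { name, version, where } so the report shows which dependency pulled it in.
function findMaliciousPackages(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 or 3: flat map keyed by install path ("" is the root project)
    for (const [lockPath, meta] of Object.entries(lock.packages)) {
      if (lockPath === '') continue;
      const name = nameFromLockPath(lockPath);
      if (MALICIOUS_PACKAGES.has(name)) hits.push({ name, version: meta.version, where: lockPath });
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree, walked recursively
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = `${prefix}node_modules/${name}`;
      if (MALICIOUS_PACKAGES.has(name)) hits.push({ name, version: meta.version, where });
      walk(meta.dependencies, `${where}/`);
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// Constructed sample lockfile; the version strings are placeholders, not the
// versions actually published by the deadcode09284814 account.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/axios': { version: '1.0.0' }, // legitimate name, must not match
    'node_modules/axois-utils': { version: '0.0.1' },
    'node_modules/some-lib/node_modules/@deadcode09284814/axios-util': { version: '0.0.1' },
  },
};
```

On a real project run `findMaliciousPackages(JSON.parse(require('node:fs').readFileSync('package-lock.json', 'utf8')))`; any hit means the package should be removed and every credential and API key reachable from that machine rotated.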
References
- OXsecurity blog – New actors deploy Shai‑Hulud clones, TeamPCP copycats are here
- OXsecurity analysis of the original Shai‑Hulud source code
- Historical coverage of the Shai‑Hulud campaign (since September 2025)