A threat actor using the npm account deadcode09284814 has published four malicious npm packages built on the leaked Shai-Hulud malware, which steals developer credentials, secrets, cryptocurrency wallet data, and account information. The four packages are: chalk-tempalte (note the misspelling of the legitimate chalk-template), which contains an unmodified Shai-Hulud clone; @deadcode09284814/axios-util, which steals credentials and cloud configurations; axois-utils (a misspelling of axios), which adds DDoS botnet capabilities; and color-style-utils, which targets crypto wallets and IP information. chalk-tempalte appears to be the first documented Shai-Hulud clone deployed on npm: it uses an unmodified copy of the leaked source code with no obfuscation.
The malware exfiltrates stolen data to a command-and-control server at 87e0bbc636999b.lhr.life (an lhr.life hostname is a localhost.run tunnel, so it is a short-lived endpoint that should not be relied on as the only indicator) and retains the original GitHub publishing functionality, which uploads stolen credentials to automatically created public repositories. The axois-utils package stands out by supporting HTTP, TCP, and UDP floods along with TCP reset attacks, with internal references to a "phantom bot." OXsecurity researchers noted that the lack of sophistication and the absence of any code protection suggest a different actor from TeamPCP, the group that originally developed Shai-Hulud.
The original Shai-Hulud campaign has operated since September 2025 and is attributed to TeamPCP, which stole developer credentials to inject malware into legitimate projects. The malware's source code appeared on GitHub last week with a message from TeamPCP stating "Here We Go Again - Let the Carnage Continue." The four malicious packages had a combined download count of 2,678. Developers who installed any of them should remove the packages immediately, rotate every credential, token, and API key that was reachable from the affected machine (not only those known to have been taken), and check their GitHub accounts for unexpected public repositories created by the malware's upload routine.
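The report names four package identifiers and one exfiltration host, which is enough for a quick local sweep. The following is an added example written for this page, not code from the report or from OXsecurity: it parses an npm package-lock.json (lockfile v1 nests entries under "dependencies"; v2 and v3 key them by install path under "packages"), reports any of the four package names, and searches installed sources for the command-and-control hostname. The sample lockfiles in the block are constructed for illustration; the only real data they contain are the package names and hostname quoted above.

```python
"""Sweep a project for the npm packages and C2 host named in the report.

Added example, not part of the original report. The IOC values below are
the ones the report quotes; SAMPLE_LOCKFILE_V3 / V1 are constructed data.
"""
import json
import sys
from pathlib import Path

# Exact package names from the report (two are deliberate misspellings of
# chalk-template and axios, so compare whole names, never prefixes).
IOC_PACKAGES = frozenset({
    "chalk-tempalte",
    "@deadcode09284814/axios-util",
    "axois-utils",
    "color-style-utils",
})

# Exfiltration host from the report (a localhost.run tunnel hostname).
IOC_HOSTS = frozenset({"87e0bbc636999b.lhr.life"})


def lockfile_package_names(lock_text: str) -> set[str]:
    """Return every package name recorded in a package-lock.json (v1, v2 or v3)."""
    data = json.loads(lock_text)
    names: set[str] = set()

    # v2/v3: "packages" is keyed by install path, e.g.
    # "node_modules/a/node_modules/@scope/b"; "" is the root project.
    for path in data.get("packages", {}):
        if path:
            names.add(path.rsplit("node_modules/", 1)[-1])

    # v1: "dependencies" is keyed by name and nests transitive deps.
    def walk_v1(deps: dict) -> None:
        for name, meta in deps.items():
            names.add(name)
            walk_v1(meta.get("dependencies", {}))

    walk_v1(data.get("dependencies", {}))
    return names


def find_ioc_packages(lock_text: str) -> list[str]:
    """Sorted list of report-named packages present in the lockfile."""
    return sorted(lockfile_package_names(lock_text) & IOC_PACKAGES)


def find_ioc_hosts(text: str) -> list[str]:
    """Sorted list of report-named C2 hosts appearing anywhere in text."""
    return sorted(h for h in IOC_HOSTS if h in text)


def scan_sources(root: Path) -> list[tuple[Path, str]]:
    """(file, host) pairs for JS/JSON files under root that mention a C2 host."""
    hits = []
    for ext in ("*.js", "*.mjs", "*.cjs", "*.json"):
        for file in root.rglob(ext):
            try:
                text = file.read_text(errors="ignore")
            except OSError:
                continue
            hits.extend((file, h) for h in find_ioc_hosts(text))
    return hits


# Constructed lockfiles for demonstration: one v3 (with the legitimate
# chalk-template beside the typosquat) and one v1 with a nested IOC.
SAMPLE_LOCKFILE_V3 = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app"},
        "node_modules/chalk-tempalte": {"version": "1.0.0"},
        "node_modules/chalk-template": {"version": "1.1.0"},
        "node_modules/@deadcode09284814/axios-util": {"version": "0.1.0"},
        "node_modules/axios": {"version": "1.7.0"},
    },
})
SAMPLE_LOCKFILE_V1 = json.dumps({
    "lockfileVersion": 1,
    "dependencies": {
        "axios": {"version": "1.7.0",
                  "dependencies": {"axois-utils": {"version": "0.0.1"}}},
    },
})

if __name__ == "__main__":
    # Usage: python sweep.py /path/to/project
    project = Path(sys.argv[1] if len(sys.argv) > 1 else ".")
    lock = project / "package-lock.json"
    if lock.exists():
        print("IOC packages:", find_ioc_packages(lock.read_text()) or "none")
    for file, host in scan_sources(project / "node_modules"):
        print(f"C2 host {host} referenced in {file}")
```

A clean lockfile is not proof of a clean machine: an install that was later removed still ran its install-time code, so the credential rotation above applies regardless of what the sweep finds.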
