Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

The Hacker News reports the discovery of four new npm packages embedding information-stealing malware. One of these, chalk-tempalte, is a direct clone of the open-source Shai-Hulud worm developed by TeamPCP. The other identified malicious packages are @deadcode09284814/axios-util, axois-utils, and color-style-utils.

These packages deliver both infostealers and Phantom Bot DDoS malware, posing a dual threat. The infostealers aim to exfiltrate sensitive data, while the DDoS component prepares compromised systems for denial-of-service attacks. The download counts for these packages—ranging from 284 to 963—indicate a concerning level of adoption before discovery.

This incident underscores the persistent supply chain risk within public package registries like npm. Attackers are constantly leveraging typosquatting and legitimate-looking package names to trick developers into integrating malicious code. It’s a low-cost, high-impact attack vector that bypasses traditional perimeter defenses.

What This Means For You

  • If your development teams use npm, you need to audit your dependencies immediately. Scrutinize `package.json` files for `chalk-tempalte`, `@deadcode09284814/axios-util`, `axois-utils`, and `color-style-utils`. Even if downloads seem low, the impact of an infostealer or DDoS bot is severe. Implement strict dependency review processes and consider private registries for critical projects to mitigate this supply chain risk.

🛡️ Detection Rules

Severity: critical · ATT&CK: T1505 (Persistence)

Rule: Malicious npm package installation - chalk-tempalte

Source: Shimi's Cyber World

Indicators of Compromise

ID                   Type                    Indicator
npm-malware-2026-05  Information Disclosure  npm package: chalk-tempalte
npm-malware-2026-05  Information Disclosure  npm package: @deadcode09284814/axios-util
npm-malware-2026-05  Information Disclosure  npm package: axois-utils
npm-malware-2026-05  Information Disclosure  npm package: color-style-utils
npm-malware-2026-05  DoS                     Phantom Bot DDoS Malware
