Security researchers have identified four npm packages carrying information-stealing malware, one of which is a replica of the Shai-Hulud worm, whose source code was previously released by TeamPCP. The packages are ‘chalk-tempalte’, ‘@deadcode09284814/axios-util’, ‘axois-utils’ and ‘color-style-utils’; their names are spelling variants of familiar packages such as ‘chalk-template’ and ‘axios’, the classic typosquatting pattern.
Details of the Malicious Packages
The ‘chalk-tempalte’ package contains a near-identical copy of the Shai-Hulud source code, which was leaked during a recent supply-chain-attack contest discussed on BreachForums. Although all four packages were published by the same npm user, ‘deadcode09284814’, each carries a different malicious payload.
One package, ‘axois-utils’, deploys a Go-based botnet client named Phantom Bot. The bot can take part in distributed denial-of-service (DDoS) attacks and persists on both Windows and Linux by registering itself to run at system startup.
Functionality of the Malicious Code
Analysis shows that the three packages other than ‘chalk-tempalte’ drop information-stealer payloads on compromised systems. ‘chalk-tempalte’ itself replicates the Shai-Hulud worm, complete with its own command-and-control server and its own private key.
Data stolen by the malware is sent to a remote server, and harvested credentials are additionally pushed to a GitHub repository whose description reads ‘A Mini Sha1-Hulud has Appeared’. The remaining two stealers, ‘@deadcode09284814/axios-util’ and ‘color-style-utils’, focus on collecting SSH keys, environment variables and other sensitive data from the host.
Implications and Recommendations
OX Security warns that the public release of the Shai-Hulud source has motivated threat actors to target software supply chains, typosquatting included, and that this campaign is likely the start of a broader wave of such attacks.
Anyone who installed these packages should uninstall them immediately, remove any configuration the malware added, rotate every secret the affected machine could reach (SSH keys, credentials held in environment variables, and any tokens the stealers could have read), and check their GitHub accounts for repositories they did not create. Network access to the domains identified as malicious should also be blocked to prevent further compromise.
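The first step of that cleanup is finding out whether a project ever pulled one of the four packages in, directly or as a transitive dependency. The following Node script is an added example and is not code from the article or from OX Security: it scans a parsed package-lock.json (lockfile v1 nested tree or v2/v3 flat "packages" map) and a package.json for the four names listed above. The sample lockfile and package.json are constructed for this demonstration; the package-name list is the one the article gives and should be extended with any further indicators from the vendor advisory.

```javascript
// Added example (not from the article or OX Security): locate the four malicious
// package names from the article inside an npm lockfile and a package.json.
// The sample inputs at the bottom are constructed for this demonstration.
const MALICIOUS_PACKAGES = new Set([
  'chalk-tempalte',
  '@deadcode09284814/axios-util',
  'axois-utils',
  'color-style-utils',
]);

// Lockfile v2/v3 keys are install paths such as
// "node_modules/some-lib/node_modules/@scope/name"; keep only the final package name.
function nameFromLockfileKey(key) {
  const marker = 'node_modules/';
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? key : key.slice(idx + marker.length);
}

// Lockfile v1 nests transitive dependencies under each entry's "dependencies";
// walk that tree recursively and record the chain that pulled each hit in.
function walkV1(deps, chain, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const here = [...chain, name];
    if (MALICIOUS_PACKAGES.has(name)) {
      hits.push({ name, version: info.version, path: here.join(' > ') });
    }
    if (info.dependencies) walkV1(info.dependencies, here, hits);
  }
}

// Returns every occurrence of a listed package in a parsed package-lock.json.
// v2 lockfiles carry both "packages" and "dependencies"; the flat map is
// authoritative there, so the v1 tree is only walked when "packages" is absent.
function findMaliciousInLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === '') continue; // the root project entry
      const name = nameFromLockfileKey(key);
      if (MALICIOUS_PACKAGES.has(name)) {
        hits.push({ name, version: info.version, path: key });
      }
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, [], hits);
  }
  return hits;
}

// Direct dependencies declared in package.json, across all dependency fields.
function findMaliciousInPackageJson(pkg) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const hits = [];
  for (const field of fields) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (MALICIOUS_PACKAGES.has(name)) hits.push({ name, field, spec });
    }
  }
  return hits;
}

// Constructed sample: a v3 lockfile where one package was installed at top level
// and another arrived transitively under "some-lib".
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/chalk': { version: '5.3.0' },
    'node_modules/chalk-tempalte': { version: '1.0.2' },
    'node_modules/some-lib': { version: '2.1.0' },
    'node_modules/some-lib/node_modules/@deadcode09284814/axios-util': { version: '0.0.1' },
  },
};

// Constructed sample package.json with one listed name as a direct dependency.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { chalk: '^5.3.0', 'color-style-utils': '^1.0.0' },
  devDependencies: { jest: '^29.0.0' },
};

// Convenience wrapper for running against real files:
//   scanProject(JSON.parse(fs.readFileSync('package-lock.json')), JSON.parse(fs.readFileSync('package.json')))
function scanProject(lock, pkg) {
  return { lockfile: findMaliciousInLockfile(lock), packageJson: findMaliciousInPackageJson(pkg) };
}
```

A hit anywhere in the lockfile means the install scripts of that package ran on every machine that installed from it, so the secret rotation and GitHub repository check above apply to each of those machines, not only to the developer who added the dependency. The domain blocklist is a separate list the article does not enumerate; take it from the vendor's indicators rather than from this script.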
As supply-chain threats keep evolving, staying informed and acting promptly on advisories like this one remains the most practical way to limit the damage such attacks can do.
