Recently, a significant security threat has emerged involving four npm packages designed to steal sensitive data such as SSH keys, cloud credentials, and cryptocurrency wallets. Additionally, one of these packages is capable of converting infected systems into components of a botnet for distributed denial-of-service (DDoS) attacks.
Coordinated Attack by a Single Actor
This malicious activity is attributed to a lone threat actor who has employed various infostealer variants in a strategic typosquatting attack aimed at Axios users. The four packages identified, namely chalk-template, @deadcode09284814/axios-util, axios-utils, and color-style-utils, were discovered in the last 24 hours and have been deemed harmful. Prior to being flagged, these packages amassed around 2,678 downloads per week.
Exploitation of Shai-Hulud Source Code
The package chalk-template has drawn particular concern as it incorporates a near-identical version of the Shai-Hulud infostealer, whose source code was recently leaked on GitHub by TeamPCP. The perpetrator of this attack has made minimal changes to the original code, embedding their own command-and-control (C2) server address and private key, before uploading the altered package to npm.
The absence of code obfuscation, unlike the original Shai-Hulud, indicates that this is the work of an imitator rather than the original creators. The timing of this attack aligns with a supply chain attack competition that appeared on BreachForums after the Shai-Hulud leak, suggesting the public release of the code is already inspiring new cyber threats.
Distinctive Attack Strategies
Each of the four npm packages has a unique attack focus:
- chalk-template: Exfiltrates credentials, cryptocurrency wallets, and account details to a remote server.
- @deadcode09284814/axios-util: Gathers SSH keys, environment variables, and cloud credentials, sending the data to a specified IP address.
- axios-utils: Deploys a persistent GoLang-based botnet capable of executing DDoS attacks.
- color-style-utils: Collects IP addresses, geolocation data, and cryptocurrency wallets without obfuscation.
Users who have installed any version of these packages should take immediate action to mitigate the risk.
Recommended Actions and Future Implications
To address this threat, users are advised to uninstall the malicious packages, remove any related malicious configurations, and rotate all impacted credentials. Additionally, users should check GitHub repositories for specific indicators of compromise and block network access to the associated C2 domains and IPs.
This campaign underscores a worrying trend towards the democratization of advanced malware tools. With the Shai-Hulud source code now publicly accessible, launching effective supply chain attacks has become significantly easier. Experts caution that this could be the start of a series of similar threats, as various malware variants begin to proliferate across npm.
