
Leaked Shai-Hulud malware fuels new npm infostealer campaign

Why This Matters

The leaked Shai-Hulud malware is now actively used in new npm package attacks, targeting developers' credentials, secrets, and cryptocurrency data. This highlights the growing threat of supply chain attacks in the software development ecosystem, emphasizing the need for heightened security measures. The incident underscores the importance for developers and organizations to scrutinize third-party packages and implement robust security practices to prevent exploitation.

Key Takeaways

The Shai-Hulud malware leaked last week is now used in new attacks on the Node Package Manager (npm) index, as infected packages emerged over the weekend.

A threat actor using the account deadcode09284814 published four malicious packages on npm and embedded one of them with a non-obfuscated version of Shai-Hulud that targeted developer credentials, secrets, cryptocurrency wallet data, and account information.

All rogue packages included routines that exfiltrated information, such as credentials and configuration files, but one also turned the system into a bot for distributed denial-of-service (DDoS) activity.

Researchers at OXsecurity, a company that secures applications from code to runtime, discovered the malicious uploads over the weekend and noticed that the threat actor used misspelled names (typosquatting) targeting Axios users, and some generic ones:

- chalk-tempalte – Shai-Hulud clone (information stealer)
- @deadcode09284814/axios-util – Credential and cloud config stealer
- axois-utils – Infostealer + persistent DDoS botnet (“phantom bot”)
- color-style-utils – Basic infostealer targeting crypto wallets and IP info
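The two naming patterns in that list, a name one edit away from a popular package (chalk-tempalte) and a popular name embedded in an otherwise unknown package (axois-utils, @deadcode09284814/axios-util), can be screened for before installation. The following triage script is an added example, not code from the article or from OXsecurity; the allow-list of popular names and the sample dependency map are constructed, with the four package names taken from the report above.

```javascript
// Constructed allow-list of well-known names; real use would take it from registry stats.
const POPULAR_PACKAGES = ["axios", "chalk", "chalk-template", "color", "express", "lodash"];
// Optimal string alignment distance: substitution, insertion, deletion or adjacent
// transposition each cost 1, so "axois" is one edit from "axios".
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}
// Nearest popular name to a string, with its edit distance.
function closest(str, popular) {
  let best = { lookalike: null, distance: Infinity };
  for (const p of popular) {
    const distance = osaDistance(str, p);
    if (distance < best.distance) best = { lookalike: p, distance };
  }
  return best;
}
// "high": the scope-stripped name is within one edit of a popular package (chalk-tempalte).
// "review": a hyphen segment matches or nearly matches one (axois-utils, @scope/axios-util);
// legitimate plugins do this too, so it is a prompt to inspect, not a verdict.
function findTyposquats(dependencies, popular = POPULAR_PACKAGES) {
  const findings = [];
  for (const name of Object.keys(dependencies)) {
    if (popular.includes(name)) continue;                 // the genuine package itself
    const bare = name.startsWith("@") ? name.slice(name.indexOf("/") + 1) : name;
    const whole = closest(bare, popular);
    if (whole.distance <= 1) { findings.push({ name, ...whole, severity: "high" }); continue; }
    for (const segment of bare.split("-")) {
      if (segment.length < 4) continue;                   // too short to judge
      const near = closest(segment, popular);
      if (near.distance <= 1) { findings.push({ name, ...near, severity: "review" }); break; }
    }
  }
  return findings;
}
// Constructed package.json dependencies: the four reported names plus two genuine ones.
const SAMPLE_DEPENDENCIES = {
  axios: "1.0.0", express: "4.0.0", "chalk-tempalte": "1.0.0",
  "@deadcode09284814/axios-util": "1.0.0", "axois-utils": "1.0.0", "color-style-utils": "1.0.0",
};
console.table(findTyposquats(SAMPLE_DEPENDENCIES));
```

Run against the real `dependencies` and `devDependencies` of a project before `npm install`, and treat "review" hits as a reason to read the package page and its publish history rather than as a block.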

According to the researchers, the chalk-tempalte package contains a clone of the Shai-Hulud malware attributed to the TeamPCP hacker group that is responsible for the recent Mini Shai-Hulud software supply-chain attack.

The malware emerged on GitHub last week, with a message allegedly from TeamPCP saying "Here We Go Again - Let the Carnage Continue. A Gift from TeamPCP."

The chalk-tempalte package appears to be the first documented case of a Shai-Hulud clone deployed on npm, though Ox notes that it’s not a sophisticated example, but rather an unmodified copy of the leaked source code without any protection.

“One piece of incriminating evidence that this is a different actor from TeamPCP is that the Shai-Hulud malware code is an almost exact copy of the leaked source code, with no obfuscation techniques, which make the final version visually different from the original,” OXsecurity explains.

The malware steals credentials, secrets, crypto wallet data, and account information and exfiltrates it to a command-and-control (C2) server at 87e0bbc636999b[.]lhr[.]life.
