Four Malicious npm Packages Distribute Infostealers and Phantom‑Bot DDoS Malware
What Happened – Researchers uncovered four recently published npm packages—chalk‑tempalte, @deadcode09284814/axios‑util, axois‑utils and color‑style‑utils—that embed credential‑stealing code and a clone of the Shai‑Hulud “phantom‑bot” DDoS malware. The packages have collectively been downloaded ≈ 3 k times, meaning any downstream project that installs them inherits the malicious payload.
Why It Matters for TPRM –
- Third‑party code can become a covert attack vector, bypassing traditional perimeter defenses.
- Compromised libraries expose downstream customers to data exfiltration and service‑disruption (DDoS) risks.
- Supply‑chain incidents erode trust in software vendors and can trigger contractual compliance breaches.
Who Is Affected – Software development teams, SaaS vendors, cloud‑native platforms, and any organization that incorporates Node.js/npm components into production workloads.
Recommended Actions –
- Conduct an immediate SBOM review to identify any of the four packages in your code base.
- Deploy automated dependency‑scanning tools (e.g., Snyk, npm audit) to flag malicious or vulnerable modules.
- Block the identified package names at your internal npm registry or proxy.
- Monitor network traffic for outbound connections to known C2 endpoints used by the phantom‑bot.
Technical Notes – Attack vector: THIRD_PARTY_DEPENDENCY. No public CVE; the malicious code steals system credentials, environment variables, and can launch DDoS attacks using the “phantom‑bot” framework. Source: The Hacker News