Malicious npm Packages Deploy Shai‑Hulud Infostealer Targeting Developer Credentials and Crypto Wallets
What Happened — A threat actor published four malicious npm packages that embed the leaked Shai‑Hulud malware. The packages steal developer credentials, cloud configuration files, cryptocurrency wallet data, and in one case turn infected hosts into a DDoS bot.
Why It Matters for TPRM —
- Supply‑chain compromise of a widely‑used package manager can expose any downstream organization that installs the tainted modules.
- Stolen secrets can be leveraged to compromise cloud environments, CI/CD pipelines, and internal services.
- The DDoS capability adds a service‑disruption risk for victims that unwittingly become part of a botnet.
Who Is Affected — Technology & SaaS firms, cloud‑native developers, CI/CD service providers, cryptocurrency platforms, and any organization that consumes npm packages.
Recommended Actions —
- Audit all npm dependencies for the four malicious package names and remove any matches.
- Enforce strict provenance checks (e.g., npm audit, sigstore, SBOM validation) before accepting third‑party code.
- Rotate any credentials or secrets that may have been exposed and monitor for anomalous activity.
Technical Notes — The attacker used a non‑obfuscated copy of Shai‑Hulud (originally leaked from TeamPCP) and employed typosquatting to mimic popular packages (e.g., “chalk‑tempalte”). Exfiltration is performed via a C2 server at 87e0bbc636999b.lhr.life, and stolen data is auto‑published to public GitHub repositories. One package (axois-utils) includes HTTP/TCP/UDP flood capabilities and references a “phantom bot” for DDoS. Source: BleepingComputer