This threat involves a Shai-Hulud copycat worm that infected the npm package chalk-tempalte shortly after the original worm was open-sourced. The same threat actor published three additional malicious npm packages (@deadcode09284814/axios-util, axois-utils, and color-style-utils) containing infostealer malware. These packages collectively have 2,678 weekly downloads and possess multiple malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates data to remote command-and-control servers and uploads stolen credentials to GitHub repositories. Researchers suggest the attacker operates from a home computer or local server farm and is financially motivated, focusing on cryptocurrency theft and DDoS services.

The malicious npm packages enable attackers to steal credentials, exfiltrate cryptocurrency wallet information, harvest cloud configuration data, and enlist infected systems into a DDoS botnet. This can lead to unauthorized access to victim accounts, financial theft, disruption of cloud services, and participation in distributed denial-of-service attacks. The infection vector through popular npm packages increases the risk of widespread supply-chain compromise.

No official patch or remediation guidance is currently available from vendors. Users and organizations should immediately audit their npm dependencies for the identified malicious packages (chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils) and remove or replace them with trusted alternatives. Monitor for suspicious network connections to the identified command-and-control IP (80.200.28.28) and domains (87e0bbc636999b.lhr.life, edcf8b03c84634.lhr.life). Implement strict controls on package sourcing and consider using package integrity verification tools. Stay updated with vendor advisories for any future patches or official guidance.