According to Ox Security, a threat actor published four NPM packages containing infostealer malware, including one that contains the Shai-Hulud code.

Dubbed 'chalk-tempalte', the package is a direct clone of the worm, does not use obfuscation, and implements its own command-and-control (C&C) server and private key.

"By analyzing the malware's source code, the same patterns from previous Shai-Hulud attacks are immediately recognizable, as expected. This includes uploading stolen credentials to a new GitHub repository," Ox says.

The other three packages published by the threat actor, all using typosquatting to target Axios users, are different from Shai-Hulud, and one of them enlists the infected machines into a distributed denial-of-service (DDoS) botnet.

The four packages, '@deadcode09284814/axios-util', 'axois-utils', 'chalk-tempalte', and 'color-style-utils', have a combined weekly download count of over 2,600.

"We're now seeing a single actor with multiple techniques and infostealer types spreading malicious code onto NPM, as it's just the first phase of an upcoming wave of supply chain attacks coming," Ox warns.
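The package names above illustrate the two typosquatting forms a dependency audit has to catch: a transposed spelling of a popular package ('axois' for 'axios', 'tempalte' for 'template') and a plausible affix bolted onto the genuine name ('axios-util', 'color-style-utils'). The following is an added example, not code from Ox Security or from the article, that checks a package.json against the four names the report lists and then applies a near-miss heuristic to every remaining dependency. The list of popular packages used as squat targets, the sample package.json, and the edit-distance threshold of one are assumptions made for the example.

```python
"""Flag dependencies that match the reported packages or look like typosquats of popular ones."""
import json
from typing import Dict, Optional

# The four package names given in the Ox Security report quoted in the article.
KNOWN_MALICIOUS = {
    "@deadcode09284814/axios-util",
    "axois-utils",
    "chalk-tempalte",
    "color-style-utils",
}

# Popular packages a squatter is likely to imitate. Assumed list for this example, not from the report.
POPULAR = {"axios", "chalk", "color", "lodash", "express", "react"}


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus adjacent transposition,
    so 'axois' vs 'axios' and 'tempalte' vs 'template' both score 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition
    return d[len(a)][len(b)]


def unscoped(name: str) -> str:
    """'@scope/pkg' -> 'pkg'; unscoped names pass through unchanged."""
    return name.split("/", 1)[1] if name.startswith("@") else name


def classify(name: str) -> Optional[str]:
    """Return a reason if the dependency looks suspicious, else None."""
    if name in KNOWN_MALICIOUS:
        return "known malicious (listed in the Ox Security report)"
    base = unscoped(name)
    if base in POPULAR:
        return None  # the genuine package itself
    # Whole-name near miss, e.g. 'expres' for 'express'.
    for pop in POPULAR:
        if osa_distance(base, pop) <= 1:
            return f"name is one edit away from '{pop}'"
    # Affix squat: a hyphen-separated token that is, or nearly is, a popular name
    # ('axois-utils', 'chalk-tempalte', 'color-style-utils'). Short tokens are skipped
    # because two- and three-letter words collide with almost anything.
    for token in base.replace("_", "-").split("-"):
        if len(token) < 4:
            continue
        for pop in POPULAR:
            if osa_distance(token, pop) <= 1:
                return f"token '{token}' is within one edit of '{pop}'"
    return None


def scan_package_json(text: str) -> Dict[str, str]:
    """Map each suspicious dependency name in a package.json document to its reason."""
    pkg = json.loads(text)
    findings: Dict[str, str] = {}
    for field in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in pkg.get(field, {}):
            reason = classify(name)
            if reason:
                findings[name] = reason
    return findings


# Constructed sample manifest mixing genuine packages with the reported names and one near miss.
SAMPLE_PACKAGE_JSON = """{
  "name": "demo-app",
  "dependencies": {
    "axios": "^1.6.0",
    "axois-utils": "1.0.0",
    "chalk": "^5.3.0",
    "chalk-tempalte": "0.1.0",
    "@deadcode09284814/axios-util": "1.0.0",
    "left-pad": "^1.3.0"
  },
  "devDependencies": {
    "expres": "4.0.0",
    "lodash": "^4.17.21"
  }
}"""

if __name__ == "__main__":
    for dep, why in scan_package_json(SAMPLE_PACKAGE_JSON).items():
        print(f"{dep}: {why}")
```

The exact-match list is the only part that yields a verdict; the affix rule is a review queue, since a legitimate wrapper such as 'axios-retry' is flagged for the same reason '@deadcode09284814/axios-util' is. Run it against the lockfile rather than package.json alone when transitive dependencies matter.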
Source: SecurityWeek