The Shai-Hulud malware that leaked last week is now being used in new attacks on the Node Package Manager (npm) index, with infected packages emerging over the weekend.
A threat actor using the account deadcode09284814 published four malicious packages on npm and embedded a non-obfuscated version of Shai-Hulud in one of them. That version targeted developer credentials, secrets, cryptocurrency wallet data, and account information.
All of the rogue packages included routines that exfiltrated information, such as credentials and configuration files, but one also turned the infected system into a bot for distributed denial-of-service (DDoS) activity.
Researchers at OXsecurity, a company that secures applications from code to runtime, discovered the malicious uploads over the weekend and noticed that the threat actor used misspelled package names (typosquatting) targeting Axios users, along with some generic ones:
chalk-tempalte – Shai-Hulud clone (information stealer)












