Cyber-Crime

Shai-Hulud copycat worm infects yet another npm package

Plus three other stealers in three other packages, all from the same scumbag

A Shai-Hulud copycat has turned up in yet another npm package just five days after TeamPCP open sourced the worm and announced a supply-chain attack competition on BreachForums.

The poisoned package, chalk-tempalte, masquerades as an extension for the popular JavaScript terminal string styling library Chalk. It now contains a clone of Shai-Hulud, which TeamPCP published last week on GitHub after poisoning more than 170 npm packages with the credential-stealing malware as part of the ongoing supply chain attacks targeting open source dev tools.

Plus, the same scumbag who uploaded the worm to chalk-tempalte also published three other malicious npm packages - @deadcode09284814/axios-util, axois-utils, and color-style-utils - containing infostealer code, according to OX Security researchers, who detected and reported the malware over the weekend.

“The four malwares are inherently different, as the collected data varies between them, including exfiltrated IP addresses, cloud configurations, crypto wallets, environment variables, and even one malware turning the victim’s machine into a DDoS botnet – all from the same npm user,” researcher Moshe Siman Tov Bustan wrote on Sunday.
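
As an added example (not from the article or from OX Security), the following check looks for the four package names reported above in a parsed package-lock.json, including nested and scoped installs. The sample lockfile, its project name and its version strings are constructed for illustration.

```javascript
// Added example: the four names come from the article; everything else is constructed.
const FLAGGED = new Set([
  "chalk-tempalte",
  "@deadcode09284814/axios-util",
  "axois-utils",
  "color-style-utils",
]);

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// Returns [{name, version, where}] for each flagged package in a parsed lockfile.
function findFlagged(lock) {
  const hits = [];
  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // root project entry
    // Aliased installs record the real package name in meta.name.
    const name = meta.name || nameFromLockPath(path);
    if (FLAGGED.has(name)) hits.push({ name, version: meta.version, where: path });
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists,
  // since v2 lockfiles carry both and would report each hit twice).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const where = [...trail, name].join(" > ");
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, where });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile; "0.0.0-example" is a placeholder version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk": { version: "5.3.0" },
    "node_modules/some-cli/node_modules/chalk-tempalte": { version: "0.0.0-example" },
    "node_modules/@deadcode09284814/axios-util": { version: "0.0.0-example" },
  },
};
console.log(findFlagged(sampleLock));
```

To check a real project, pass `JSON.parse` of its package-lock.json to `findFlagged`. A match is by name only, so an empty result says nothing about other packages from the same campaign.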