Ethical Hacking News
Four malicious npm packages have been found to carry infostealers and the Phantom Bot DDoS malware, exposing anyone who installed them to data theft and system compromise. The packages use stolen credentials and private keys to gain unauthorized access to systems, exfiltrate sensitive information such as SSH keys, environment variables and cloud credentials, and establish persistence on compromised devices. One of them is a direct clone of the Shai-Hulud worm's source code. Cybersecurity researchers advise affected users to uninstall the packages immediately and take further protective steps; the incident underlines the persistent threat of supply chain attacks and the need for robust security controls.
Threat actors have carried out a supply chain attack using four malicious npm packages, exposing users to infostealers and Phantom Bot DDoS malware. The attack, discovered by cybersecurity researchers, uses stolen credentials and private keys to gain unauthorized access to systems, steal sensitive information, and establish persistence on compromised devices.
The malicious packages, all published under the same npm user "deadcode09284814", carry different payloads, including a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot. Phantom Bot floods target websites over HTTP, TCP, and UDP and establishes persistence on Windows and Linux machines, for example by adding the payload to the Windows Startup folder and creating a scheduled task.
In addition to the Phantom Bot malware, the four malicious npm packages also contain infostealer payloads that steal sensitive information such as SSH keys, environment variables, cloud credentials, system information, IP addresses, and cryptocurrency wallet data. The stolen credentials are then sent to remote C2 servers, where they can be used for further exploitation.
The attack is believed to have been inspired by the Shai-Hulud worm, which was open-sourced by TeamPCP last week. One of the malicious packages, "chalk-tempalte", contains a direct clone of the Shai-Hulud source code, with minimal changes. The actor took the code and uploaded it to npm, creating a working version with its own C2 server and private key.
Cybersecurity researchers have warned users who have downloaded the malicious packages to uninstall them immediately and take steps to protect themselves from further exploitation. This includes checking for malicious configuration in IDEs and coding agents, rotating secrets, and blocking network access to suspicious domains.
The attack highlights the ongoing threat of supply chain attacks and the importance of maintaining robust security controls. As cybersecurity researcher Moshe Siman Tov Bustan noted, "Threat actors are getting even more motivated to conduct supply chain and typo-squatting, as attacks become easier to perform with the Shai-Hulud code becoming open source."
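The remediation advice above starts with finding out whether a project pulled in one of these packages at all, and the quote points at typosquatting ("chalk-tempalte" imitating chalk-template). The following added example (written for this article, not code from the researchers or from npm) scans a package-lock.json for the one malicious name the article gives and for dependency names within two edits of a popular package; the list of popular names and the sample lockfile are assumptions constructed for the demo.

```python
# Package name taken from the article; the other three malicious names are not given there.
KNOWN_MALICIOUS = {"chalk-tempalte"}

# Assumed list of popular packages that typosquatters imitate (not from the article).
POPULAR = {"chalk", "chalk-template", "lodash", "express", "axios", "debug"}

def levenshtein(a: str, b: str) -> int:
    """Edit distance; flags names one or two edits away from a popular package."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lockfile_packages(lock: dict) -> dict[str, str]:
    """Return {name: version} from a lockfileVersion 2/3 package-lock.json."""
    out = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project itself, not a dependency
            continue
        out[path.rsplit("node_modules/", 1)[-1]] = meta.get("version", "")
    return out

def scan_lockfile(lock: dict, max_distance: int = 2) -> list[tuple[str, str]]:
    """Flag known-malicious names and near-misses of popular names (possible typosquats)."""
    findings = []
    for name in sorted(lockfile_packages(lock)):
        if name in KNOWN_MALICIOUS:
            findings.append((name, "known-malicious"))
        elif name not in POPULAR:
            for pop in sorted(POPULAR):
                if levenshtein(name, pop) <= max_distance:
                    findings.append((name, f"possible typosquat of {pop}"))
                    break
    return findings

# Constructed sample lockfile for the demo, not taken from any real project.
SAMPLE_LOCK = {
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/chalk": {"version": "5.3.0"},
        "node_modules/chalk-tempalte": {"version": "1.0.0"},
        "node_modules/lodahs": {"version": "4.17.21"},
        "node_modules/express": {"version": "4.19.2"},
    },
}
```

To run it against a real project, pass `json.load(open("package-lock.json"))` to `scan_lockfile` and treat every "possible typosquat" hit as something to verify by hand, since two-edit neighbours of popular names also include legitimate packages.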
The four malicious npm packages are still available for download from npm, making it essential for users to be vigilant and take proactive steps to protect themselves. By sharing this information, we can help spread awareness about the importance of cybersecurity and provide users with the tools they need to stay safe online.
Related Information:
https://www.ethicalhackingnews.com/articles/Malicious-Supply-Chain-Attack-on-npm-Packages-Exposes-Infostealers-and-Phantom-Bot-DDoS-Malware-ehn.shtml
https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
https://www.sepe.gr/en/it-technology/cybersecurity/22726985/four-malicious-npm-packages-deliver-infostealers-and-phantom-bot-ddos-malware/
https://attack.mitre.org/software/S9008/
https://www.microsoft.com/en-us/security/blog/2025/12/09/shai-hulud-2-0-guidance-for-detecting-investigating-and-defending-against-the-supply-chain-attack/
Published: Mon May 18 06:15:20 2026 by llama3.2 3B Q4_K_M