Ethical Hacking News
Leaked Shai-Hulud malware has been used in a new npm infostealer campaign targeting developer credentials and sensitive information. The malicious packages were published on npm over the weekend, with one of them containing a clone of the Shai-Hulud malware attributed to the TeamPCP hacker group.
The Node Package Manager (npm) has been targeted with malicious attacks using leaked Shai-Hulud malware. A total of four malicious packages were published on npm, including one that turned the system into a bot for DDoS activity. The packages include routines that exfiltrate credentials and configuration files, and one adds botnet capabilities. One package is a clone of the Shai-Hulud malware attributed to the TeamPCP hacker group. The threat actor used misspelled names (typosquatting) targeting Axios users. Developers are advised to remove infected packages, rotate credentials, and regularly scan for updates and patch vulnerabilities.
The Node Package Manager (npm) has been hit with a new wave of malicious attacks, as a leaked version of the Shai-Hulud malware has been used in a campaign targeting developer credentials and sensitive information. The threat actor behind these attacks has published four malicious packages on npm, three of which include routines that exfiltrate information such as credentials and configuration files; one of them even adds botnet capabilities.
According to OXsecurity, a company that secures applications from code to runtime, the malicious uploads emerged over the weekend, with the threat actor using misspelled names (typosquatting) targeting Axios users. The researchers noticed that the packages included routines that exfiltrated information, such as credentials and configuration files, but one of them also turned the system into a bot for distributed denial-of-service (DDoS) activity.
The malicious packages published by the threat actor include:
* chalk-tempalte – Shai-Hulud clone (information stealer)
* @deadcode09284814/axios-util – Credential and cloud config stealer
* axois-utils – Infostealer + persistent DDoS botnet ("phantom bot")
* color-style-utils – Basic infostealer targeting crypto wallets and IP info
Researchers at OXsecurity have confirmed that the chalk-tempalte package contains a clone of the Shai-Hulud malware attributed to the TeamPCP hacker group, which is responsible for the recent Mini Shai-Hulud software supply-chain attack. The malware emerged on GitHub last week, with a message allegedly from TeamPCP saying "Here We Go Again - Let the Carnage Continue. A Gift from TeamPCP."
The chalk-tempalte package appears to be an unmodified copy of the leaked source code with no protection applied. Rather than showing sophistication, this suggests that the publisher is a different actor from TeamPCP.
According to OXsecurity, the Shai-Hulud malware steals credentials, secrets, crypto wallet data, and account information and exfiltrates it to a command-and-control (C2) server at 87e0bbc636999b[.]lhr[.]life. The code retains the GitHub publishing functionality, so it uploads stolen credentials to public, auto-generated repositories.
The campaign has gone through multiple iterations since September 2025, stealing developers' data by injecting malware into legitimate projects. After stealing credentials for accounts with publishing rights, the attackers exposed the exfiltrated information in public GitHub repositories. The campaigns were attributed to the TeamPCP hacker group.
OXsecurity recommends that developers who downloaded infected npm packages remove them immediately and rotate their credentials and API keys on affected systems. Additionally, they advise users to be cautious when downloading packages from npm and to regularly scan for updates and patch vulnerabilities.
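One way to check whether a project has pulled in any of the four package names listed above is to scan its package-lock.json. The script below is an added example, not code from OXsecurity or the article; the lockfile it reads is a constructed sample, and the version numbers in it are invented.

```javascript
// Package names reported in the campaign (taken from the list above).
const FLAGGED_PACKAGES = new Set([
  "chalk-tempalte",
  "@deadcode09284814/axios-util",
  "axois-utils",
  "color-style-utils",
]);

// A lockfileVersion 2/3 "packages" key looks like "node_modules/<name>",
// "node_modules/@scope/<name>" or, for nested installs,
// "node_modules/<parent>/node_modules/<name>". The root project is "".
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const idx = lockPath.lastIndexOf(marker);
  if (idx === -1) return null;
  return lockPath.slice(idx + marker.length);
}

// Return every installed package whose name matches the flagged set.
function findFlaggedPackages(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    if (name !== null && FLAGGED_PACKAGES.has(name)) {
      hits.push({ name, version: meta.version, path: lockPath });
    }
  }
  return hits;
}

// Constructed sample lockfile: one flagged package installed directly
// (a typosquat of axios) and one pulled in transitively.
const SAMPLE_LOCKFILE = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { axios: "^1.6.0", "axois-utils": "1.0.0" } },
    "node_modules/axios": { version: "1.6.0" },
    "node_modules/axois-utils": { version: "1.0.0" },
    "node_modules/some-lib": { version: "2.1.0" },
    "node_modules/some-lib/node_modules/chalk-tempalte": { version: "0.0.1" },
  },
});

for (const hit of findFlaggedPackages(SAMPLE_LOCKFILE)) {
  console.log(`FLAGGED ${hit.name}@${hit.version} at ${hit.path}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with the contents of that project's package-lock.json; a hit means the package should be removed and any credentials present on that machine rotated.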
The discovery of this new campaign highlights the ongoing threat landscape in the Node.js ecosystem, where malicious actors continue to find ways to exploit vulnerabilities and steal sensitive information from unsuspecting developers. As such, it is essential for developers to remain vigilant and take proactive steps to protect themselves against these types of attacks.
In conclusion, the leaked Shai-Hulud malware has fueled a new npm infostealer campaign, which poses significant risks to Node.js developers and their organizations. By understanding the tactics, techniques, and procedures (TTPs) used by threat actors in this campaign, developers can better prepare themselves to defend against similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Shai-Hulud-Malware-Infostealer-Campaign-A-New-Threat-to-Nodejs-Developers-ehn.shtml
https://www.bleepingcomputer.com/news/security/leaked-shai-hulud-malware-fuels-new-npm-infostealer-campaign/
Published: Mon May 18 13:07:23 2026 by llama3.2 3B Q4_K_M