Four malicious npm packages steal SSH keys, cloud credentials, and crypto wallets


Security researchers have found four malicious npm packages designed to steal developer secrets, SSH keys, cloud credentials, crypto wallets, and system data. One package also installs a DDoS botnet payload.

The packages are chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils. OX Security said all versions of these packages should be treated as malicious.

The campaign appears to come from one npm user and uses typosquatting to target developers looking for common JavaScript utilities, including Axios-related helper packages and styling tools.

What the malicious npm packages do

The four packages do not all use the same malware. Instead, they split the attack across several payload types, including credential theft, GitHub exfiltration, cloud secret harvesting, crypto wallet theft, and botnet recruitment.

The most notable package is chalk-tempalte, which contains a direct copy of the leaked Shai-Hulud malware source code with only limited changes. Researchers said the actor added a new command-and-control server and private key before uploading the package to npm.

Another package, axois-utils, delivers a Go-based Phantom Bot payload that can persist on Windows and Linux machines and send DDoS traffic using HTTP, TCP, UDP, and reset-based attacks.

| Package | Main behavior | Targeted data or impact |
| --- | --- | --- |
| chalk-tempalte | Shai-Hulud copycat infostealer | Secrets, credentials, crypto wallets, accounts, and GitHub data |
| @deadcode09284814/axios-util | Credential stealer | SSH keys, environment variables, AWS, GCP, and Azure credentials |
| axois-utils | Phantom Bot malware | DDoS botnet activity and persistence on infected systems |
| color-style-utils | Unobfuscated infostealer | IP data, geolocation details, and cryptocurrency wallets |

Shai-Hulud code is now being reused

OX Security said chalk-tempalte is a near-direct clone of the Shai-Hulud source code that TeamPCP leaked on GitHub. The copycat version sends stolen credentials to a new attacker-controlled server.

This matters because the Shai-Hulud malware was already tied to a major software supply chain campaign affecting npm and developer ecosystems. Once the code became public, less capable actors could reuse it with minimal changes.

That appears to be what happened here. The lack of heavy obfuscation suggests the actor copied working malware rather than building a new tool from scratch.

How the packages steal developer secrets

The campaign focuses on developer machines because those systems often store access to source code, cloud accounts, CI/CD systems, package registries, and crypto wallets.

@deadcode09284814/axios-util collects SSH keys, environment variables, and cloud credentials for AWS, Google Cloud, and Azure. That can give attackers access to private repositories, infrastructure, storage buckets, or deployment systems.

color-style-utils collects IP address and geolocation data along with cryptocurrency wallet information. chalk-tempalte follows the Shai-Hulud pattern by sending stolen data to a remote server and creating a GitHub repository for exfiltrated content.

  • SSH private keys can give attackers access to servers and repositories.
  • Cloud credentials can expose infrastructure and stored data.
  • Environment variables often contain API keys and tokens.
  • GitHub tokens can expose private source code and CI/CD secrets.
  • Crypto wallet data can lead to direct financial theft.

One package turns systems into a DDoS bot

The axois-utils package stands out because it does more than steal secrets. Researchers said it installs a Go-based payload called Phantom Bot.

The malware includes persistence logic, meaning it can remain on the machine even after the npm package itself is deleted. That makes cleanup harder than simply removing the dependency from a project.

The botnet component can flood targets using HTTP, TCP, UDP, and reset requests. This gives the attacker a way to use infected developer machines for disruption or DDoS-for-hire activity.

Downloads and exposure

OX Security said the four packages had a combined weekly download count of 2,678 at the time of its report. The Hacker News later listed package-level counts for each package based on its own snapshot.

Download counts can shift quickly on npm, especially when packages get flagged, removed, or mirrored in dependency caches. The safer assumption is that anyone who installed any version of the four packages should treat the machine as exposed.

The exposure is especially serious for developers who installed the packages on workstations connected to production repositories, deployment pipelines, cloud accounts, or AI coding tools.

| Risk area | Why it matters |
| --- | --- |
| Developer laptops | Often store SSH keys, npm tokens, cloud profiles, and local secrets |
| CI/CD runners | May expose deployment tokens and production credentials |
| GitHub accounts | Can expose private repositories and secrets stored in workflows |
| Cloud environments | Stolen keys can allow data theft, infrastructure abuse, or persistence |
| Crypto wallets | Wallet theft can lead to immediate financial loss |

Indicators of compromise

Security teams should search for package installation records, suspicious outbound connections, unknown startup entries, and GitHub repositories created by compromised accounts.

OX Security recommends checking GitHub for repositories containing the string “A Mini Sha1-Hulud has Appeared.” This mirrors the exfiltration pattern used by the Shai-Hulud malware family.

The following indicators were reported in connection with the campaign. They are defanged to prevent accidental access.

| Indicator | Type |
| --- | --- |
| 87e0bbc636999b[.]lhr[.]life | Command-and-control domain |
| 80[.]200[.]28[.]28:2222 | Command-and-control IP and port |
| b94b6bcfa27554[.]lhr[.]life | Command-and-control domain |
| edcf8b03c84634[.]lhr[.]life | Command-and-control domain |
| A Mini Sha1-Hulud has Appeared | GitHub repository description indicator |

What affected developers should do now

Anyone who installed any of the four packages should treat the system as compromised. Uninstalling the package is not enough, especially because one payload includes persistence logic.

The safest response is to remove the package, disconnect the device from sensitive systems, rotate credentials from a clean machine, and rebuild the affected environment if secrets may have been exposed.

Teams should also check AI coding tools and IDE configuration files. OX Security specifically warned users to remove related malicious configuration from coding agents such as Claude Code.

  1. Remove chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils from all projects.
  2. Disconnect affected machines from sensitive networks and accounts.
  3. Rotate SSH keys, npm tokens, GitHub tokens, cloud keys, and API secrets.
  4. Search GitHub for repositories containing “A Mini Sha1-Hulud has Appeared.”
  5. Review IDE and coding agent configuration files for malicious changes.
  6. Block the reported command-and-control indicators.
  7. Check for persistence mechanisms, especially from Phantom Bot.
  8. Rebuild affected developer machines or CI runners if compromise cannot be ruled out.
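
For step 1, the packages can sit deep in the dependency tree rather than in a project's own package.json, so the lockfile is the place to look. The following is an added example, not code from OX Security or the original report: it searches a parsed package-lock.json for the four reported names in both the flat `packages` layout (lockfileVersion 2 and 3) and the nested `dependencies` layout (lockfileVersion 1). The function names, the sample lockfile, and its versions are constructed for illustration.

```javascript
const REPORTED = new Set(["chalk-tempalte", "@deadcode09284814/axios-util",
                          "axois-utils", "color-style-utils"]);

// lockfileVersion 2/3 keys "packages" by install path, for example
// "node_modules/a/node_modules/@scope/b"; the name follows the last "node_modules/".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function findReported(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [where, meta] of Object.entries(lock.packages)) {
      // Prefer an explicit "name" field when the entry has one (aliased installs).
      const name = meta.name || nameFromPath(where);
      if (name && REPORTED.has(name)) {
        hits.push({ name, version: meta.version, where,
                    hasInstallScript: meta.hasInstallScript === true });
      }
    }
    return hits; // v2 files repeat the tree under "dependencies"; skip it to avoid duplicates
  }
  // lockfileVersion 1: nested "dependencies" tree keyed by package name.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (REPORTED.has(name)) {
        // v1 does not record install scripts, so the flag is unknown (null).
        hits.push({ name, version: meta.version, where: path.join(" > "), hasInstallScript: null });
      }
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile; clean package names and all versions are placeholders.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-lib": { version: "0.0.0-sample" },
    "node_modules/axois-utils": { version: "0.0.0-sample", hasInstallScript: true },
    "node_modules/some-lib/node_modules/@deadcode09284814/axios-util": { version: "0.0.0-sample" },
  },
};
console.log(findReported(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on the contents of its package-lock.json. A hit means the remaining steps in the list apply; a clean lockfile says nothing about packages installed globally or already removed.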

How teams can reduce npm supply chain risk

This campaign shows why dependency review needs to cover spelling, publisher reputation, installation scripts, and unexpected behavior. Typosquatting remains effective because malicious packages can look close to legitimate tools.

Teams should lock dependencies, use private registries or allowlists where possible, and inspect new packages before adding them to production projects.

Developers should also treat postinstall scripts as sensitive. A small dependency can run code during installation and access files, environment variables, and tokens stored on the machine.

  • Use package lockfiles and review unexpected dependency changes.
  • Block package names that closely mimic popular libraries.
  • Restrict npm scripts in high-risk CI environments where possible.
  • Scan dependencies for known malicious packages before builds run.
  • Keep developer secrets out of plain environment files when possible.
  • Use short-lived cloud credentials instead of long-lived access keys.
  • Separate development workstations from production deployment access.
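
One way to implement the look-alike name check from the list above, as an added example that is not part of the original report: it compares each dependency name, and each hyphen-separated part of it, against a list of trusted names using optimal string alignment distance, which counts a swap of two adjacent letters as a single edit. The `TRUSTED` list is an assumption made for this example; a real list would come from an organization's own allowlist.

```javascript
// Optimal string alignment distance: insert, delete, substitute, or swap of
// two adjacent characters each cost 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) => [i, ...Array(b.length).fill(0)]);
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// Return every trusted name that pkgName, or one of its parts, almost matches.
// Distance 0 is an exact match and is not reported.
function lookalikes(pkgName, trusted, maxDist = 1) {
  const bare = pkgName.replace(/^@[^/]+\//, ""); // drop the npm scope
  const parts = new Set([bare, ...bare.split(/[-_.]/)]);
  const found = [];
  for (const part of parts) {
    for (const good of trusted) {
      const dist = osaDistance(part, good);
      if (dist > 0 && dist <= maxDist) found.push({ part, resembles: good, dist });
    }
  }
  return found;
}

// Assumed allowlist for this example only.
const TRUSTED = ["chalk", "chalk-template", "axios"];

for (const name of ["chalk-tempalte", "axois-utils",
                    "@deadcode09284814/axios-util", "color-style-utils"]) {
  console.log(name, lookalikes(name, TRUSTED));
}
```

Against this allowlist the check flags chalk-tempalte and axois-utils, whose names differ from a trusted name by one swapped pair of letters. It reports nothing for @deadcode09284814/axios-util or color-style-utils, which is why name similarity has to be combined with publisher and install-script review.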

Why this campaign matters

The four-package campaign shows how fast leaked malware code can spread through the open-source ecosystem. Once working supply chain malware becomes public, copycat actors can turn it into new packages quickly.

The attack also highlights the growing overlap between dependency security and developer identity security. Stealing source code is only one goal. Attackers now want cloud accounts, GitHub tokens, CI/CD secrets, wallet data, and control over developer machines.

For organizations using npm at scale, the lesson is clear. Package trust cannot depend on name recognition alone. Every new dependency can become an entry point into the software supply chain.

FAQ

Which malicious npm packages were found in this campaign?

The four packages are chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils. OX Security said all versions of these packages should be treated as malicious.

What data can the malicious npm packages steal?

The packages can steal SSH keys, environment variables, cloud credentials, GitHub-related data, system information, IP and geolocation data, and cryptocurrency wallet information.

Is chalk-tempalte connected to Shai-Hulud?

Yes. Researchers said chalk-tempalte contains a near-direct copy of leaked Shai-Hulud malware code. The evidence points to a copycat actor reusing the leaked code, not confirmed direct TeamPCP activity.

What should developers do if they installed one of these npm packages?

Developers should remove the package, rotate all exposed credentials from a clean machine, check GitHub for suspicious repositories, review IDE and coding agent configurations, block reported indicators, and rebuild affected systems if compromise cannot be ruled out.
