Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware

Ravie Lakshmanan | May 18, 2026 | Supply Chain Attack / Botnet

What’s new

Four malicious npm packages have been identified that deliver information-stealing malware and a DDoS botnet. The packages are: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils. The “chalk-tempalte” package includes a clone of the Shai-Hulud worm, while “axois-utils” is designed to deploy the Phantom Bot DDoS malware. The other packages are focused on stealing sensitive information such as SSH keys and cloud credentials.

Who’s affected

Any users or developers who have downloaded the identified npm packages are at risk of having their systems compromised and sensitive data stolen.

What to do

  • Uninstall the affected npm packages immediately.
  • Remove any malicious configurations from IDEs and coding agents.
  • Rotate any secrets that may have been exposed.
  • Search for GitHub repositories containing the string “A Mini Sha1-Hulud has Appeared” and take appropriate action.
  • Block network access to the suspicious domains associated with the malware.

Sources