Researchers uncovered four malicious npm packages that deliver infostealers and DDoS malware to developers who install them. Together the packages accumulated just over 3,000 downloads before they were detected.
The four packages are chalk-tempalte (825 downloads), @deadcode09284814/axios-util (284 downloads), axios-utils (963 downloads), and color-style-utils (934 downloads). Each name is built on a legitimate library: chalk-tempalte transposes two letters of chalk-template, and the others append a "-util" or "-utils" suffix to axios or color. Name mimicry of this kind is a standard npm supply chain technique.
One package, chalk-tempalte, clones Shai-Hulud worm functionality that the threat actor group TeamPCP previously open-sourced. Shai-Hulud is a self-propagating npm worm: it harvests credentials from the infected machine, including npm publish tokens, and uses them to push trojanized versions of other packages to the registry, so a single infection can seed many more.
These packages target developers rather than end users. Once pulled in as a dependency, they execute their payloads on the developer's machine. The infostealer component harvests credentials, environment variables, and configuration files from the development environment. The Phantom Bot DDoS component turns the infected host into a botnet node that can take part in distributed denial-of-service attacks.
The relatively low download counts suggest the packages were live for only a short window. Even modest installation numbers are enough, though: every compromised developer environment exposes credentials and secrets for all the projects that developer works on, and any package published from that environment can carry the compromise to its downstream consumers.
The attack does not rely on a flaw in npm itself; it relies on how developers choose and install packages. Most developers install a package on the strength of its name and description without reading its source, so attackers use typosquatting and name confusion to get malware installed alongside the legitimate tools it imitates.
npm has removed all four packages from its registry. The npm security team recommends that developers audit their dependency trees (lockfiles included) for these four package names and review installation logs for suspicious activity during the window in which the packages were available.
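The following is an added example, not code from the original report or from npm, showing one way to carry out the audit described above and to surface the name confusion described earlier. It scans the "packages" map of an npm lockfile (v2/v3 format) for the four package names the report lists, flags any dependency that npm recorded as having an install lifecycle script (the real `hasInstallScript` lockfile field), and applies a look-alike heuristic against an assumed allowlist of well-known package names. The lockfile contents and the POPULAR list are constructed for demonstration.

```javascript
// Added example (not from the original report): audit an npm lockfile for
// (1) the four package names named in the report, (2) dependencies with
// install lifecycle scripts, and (3) names that look like near-misses of
// well-known packages. SAMPLE_LOCK and POPULAR are constructed/assumed data.

const KNOWN_MALICIOUS = new Set([
  "chalk-tempalte",
  "@deadcode09284814/axios-util",
  "axios-utils",
  "color-style-utils",
]);

// Assumed reference allowlist; in practice build this from your own approved list.
const POPULAR = ["chalk", "chalk-template", "axios", "color", "lodash", "express"];

// Levenshtein edit distance using a single-row dynamic-programming table.
function levenshtein(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // d[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // d[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the
// package name is whatever follows the last "node_modules/".
function nameFromLockKey(key) {
  const marker = "node_modules/";
  const idx = key.lastIndexOf(marker);
  return idx === -1 ? null : key.slice(idx + marker.length);
}

// Drop a scope so "@scope/axios-util" is compared as "axios-util".
function unscoped(name) {
  return name.startsWith("@") ? name.split("/")[1] : name;
}

// Heuristic: the unscoped name is within two edits of a popular package, or
// is a popular name with an extra "-suffix" (axios-utils, color-style-utils).
// Returns the popular name it resembles, or null. Expect false positives;
// this produces review candidates, not verdicts.
function lookalikeOf(name) {
  const base = unscoped(name);
  if (POPULAR.includes(base)) return null;
  for (const p of POPULAR) {
    if (levenshtein(base, p) <= 2) return p;
    if (base.startsWith(p + "-")) return p;
  }
  return null;
}

// Walk the lockfile's "packages" map and collect findings.
function auditLockfile(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (!name) continue; // the "" key is the root project itself
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, version: meta.version, reason: "known-malicious" });
    }
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, reason: "install-script" });
    }
    const like = lookalikeOf(name);
    if (like) {
      findings.push({ name, version: meta.version, reason: `lookalike:${like}` });
    }
  }
  return findings;
}

// Constructed lockfile: two clean dependencies, one typosquat with an install
// script, and one scoped look-alike from the report.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/chalk-template": { version: "1.1.0" },
    "node_modules/chalk-tempalte": { version: "1.0.2", hasInstallScript: true },
    "node_modules/@deadcode09284814/axios-util": { version: "0.1.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.reason.padEnd(16)} ${f.name}@${f.version}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The install-script check is the one worth keeping in CI regardless of this incident: a dependency that needs a lifecycle script is rare enough that each one deserves a named owner, and `npm ci --ignore-scripts` stops the remaining ones from running at all.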
Organizations using npm should implement strict supply chain controls. Lock dependency versions, use package checksum verification,
