Four malicious npm packages infected with a Shai-Hulud clone were published over the weekend by an account using the name _deadcode09284814_, with the campaign stealing credentials, secrets, crypto wallet data and account information and one package also adding DDoS functions.
KEY FACTS
- Packages: Four rogue npm packages were identified.
- Targeting: Some used typosquatting aimed at Axios users.
- Behavior: All four exfiltrated data, while one also supported DDoS attacks.
- Impact: The packages had a combined 2,678 downloads.
A technical analysis from OXsecurity said the package named chalk-tempalte contained an unmodified copy of the leaked Shai-Hulud source code. The report said the malware stole data and sent it to a command and control server at 87e0bbc636999b[.]lhr[.]life.
The other packages were named @deadcode09284814/axios-util, axois-utils and color-style-utils. The analysis said axois-utils included HTTP, TCP and UDP flooding code, along with TCP reset attacks and internal references to a so-called phantom bot.
Researchers said the code also retained GitHub publishing features, which allowed stolen credentials to be uploaded to public, auto-generated repositories. The earlier Shai-Hulud campaign began in September 2025 and was tied to the TeamPCP hacker group, which used infected packages to steal developer credentials and expose them in public GitHub repositories.
OXsecurity said the new package appears to be the first documented Shai-Hulud clone on npm, although it was described as a basic copy without obfuscation. The report said developers who installed the packages should remove them, then rotate credentials and API keys on affected systems.
WHY IT MATTERS
The campaign shows how leaked malware code can be reused quickly inside open-source software ecosystems. Developers who rely on npm packages may need to check for typosquatted names, remove infected installs and replace exposed secrets before the stolen data is reused.
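The check described above, as an added example that is not part of the article or OX Security's analysis: a small Node script that scans a package.json for the four package names named in this report and for dependency names one edit away from the packages they imitate. The sample manifest, the "axois" entry in it and the popular-package list are constructed for the example.

```javascript
// Added example: scan a package.json for the four package names reported in
// this campaign and for near-miss names of the packages they impersonate.
const KNOWN_BAD = new Set([
  "chalk-tempalte",
  "@deadcode09284814/axios-util",
  "axois-utils",
  "color-style-utils",
]);
// Legitimate names the typosquats imitate (constructed list; extend for your stack).
const POPULAR = ["axios", "chalk-template", "chalk"];

// Edit distance with adjacent transposition, so "axois" vs "axios" scores 1.
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)));
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// Drop a scope prefix and a trailing "-util(s)" so "axois-utils" is compared
// against "axios" rather than failing the distance check on the suffix.
function baseName(name) {
  return name.replace(/^@[^/]+\//, "").replace(/-utils?$/, "");
}

// Returns one finding per suspicious dependency name (exact match or near miss).
function scanDependencies(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, reason: "known malicious package from this campaign" });
      continue;
    }
    const base = baseName(name);
    for (const legit of POPULAR) {
      if (base !== legit && editDistance(base, legit) <= 1) {
        findings.push({ name, reason: `possible typosquat of ${legit}` });
      }
    }
  }
  return findings;
}

// Constructed sample manifest (not a real project); "axois" is a made-up misspelling.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { axios: "^1.6.0", "axois-utils": "1.0.0", chalk: "^5.3.0", axois: "0.0.1" },
  devDependencies: { "chalk-tempalte": "1.0.0" },
};
for (const f of scanDependencies(SAMPLE_PACKAGE_JSON)) console.log(`${f.name}: ${f.reason}`);
```

A hit on a known-bad name means the install should be removed and any credentials or API keys reachable from that machine rotated, as the report advises; a near-miss hit is a prompt to verify the package against the registry before trusting it.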

