Copycat hits another npm package
Essential information
- Published: 19/05/2026 00:26
- Modified: 19/05/2026 17:59
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: credential-theft cryptocurrency-theft ddos-botnet infostealer npm open-source shai-hulud supply-chain-attack
- Tags: 2026-05-18 credential-theft cryptocurrency theft ddos botnet infostealer npm open-source shai-hulud supply chain attack
- Related entities: 3 indicators, 3 observables, 19 techniques (mitre), 1 malware, 2 others
Description
A Shai-Hulud copycat worm has infected the npm package chalk-tempalte, appearing just five days after the original worm was open-sourced by its creators. The same threat actor also published three additional malicious npm packages containing infostealer code: @deadcode09284814/axios-util, axois-utils, and color-style-utils. These packages collectively received 2,678 weekly downloads and contain various malicious capabilities including credential theft, cryptocurrency wallet exfiltration, cloud configuration harvesting, and DDoS botnet functionality. The malware exfiltrates stolen data to remote command-and-control servers and uploads credentials to GitHub repositories. Researchers indicate the attacker operates from a home computer or local server farm and appears financially motivated, targeting victims' cryptocurrency assets while potentially offering DDoS-as-a-service capabilities.