CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 18, 2026

Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets

Cybersecurity News Archived May 18, 2026 ✓ Full text saved

Four malicious npm packages capable of stealing SSH keys, cloud credentials, cryptocurrency wallets, and environment variables, while one variant quietly transforms infected machines into a DDoS botnet. The campaign appears to be the work of a single threat actor deploying multiple infostealer variants simultaneously through a coordinated typosquatting operation targeting Axios users. The four packages […] The post Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Attack News Four Malicious npm Packages Steal SSH Keys, Cloud Credentials, and Crypto Wallets By Guru Baran May 18, 2026 Four malicious npm packages capable of stealing SSH keys, cloud credentials, cryptocurrency wallets, and environment variables, while one variant quietly transforms infected machines into a DDoS botnet. The campaign appears to be the work of a single threat actor deploying multiple infostealer variants simultaneously through a coordinated typosquatting operation targeting Axios users. The four packages chalk-template, @deadcode09284814/axios-util, axios-utils, and color-style-utils were detected within the last 24 hours. All versions of each package are considered malicious. Combined, they have accumulated approximately 2,678 weekly downloads before being flagged. Shai-Hulud Source Code Weaponized The most alarming discovery is chalk-tempalte, which contains a near-identical clone of the Shai-Hulud infostealer, an open-source malware whose source code was publicly leaked on GitHub by the group TeamPCP just last week. The threat actor copied the code with minimal modification, embedding their own C2 server address (87e0bbc636999b[.]lhr[.]life) and private key, then uploaded the working package directly to npm. The lack of obfuscation, a stark contrast to the original Shai-Hulud deployments, confirms this is a copycat actor rather than TeamPCP itself. Researchers noted the attack aligns with a supply chain attack competition posted on BreachForums shortly after TeamPCP’s leak, suggesting the open-source release is actively inspiring new campaigns. Infected machines upload stolen credentials to a new GitHub repository, mirroring the original Shai-Hulud behavior. Four Packages, Four Attack Styles Each package targets a different attack objective: chalk-tempalte — Shai-Hulud clone exfiltrating credentials, crypto wallets, secrets, and accounts to a remote C2 server @deadcode09284814/axios-util — Straightforward infostealer collecting SSH keys, environment variables, and cloud credentials from AWS, GCP, and Azure, transmitting data to 80[.]200[.]28[.]28:2222 axois-utils — Delivers a GoLang-based “Phantom Bot” with persistence logic that survives package deletion, plus a DDoS botnet capable of flooding targets with HTTP, TCP, UDP, and reset requests color-style-utils — Unobfuscated infostealer harvesting IP addresses, geolocation data, and cryptocurrency wallets, exfiltrating to edcf8b03c84634[.]lhr[.]life Anyone who installed any version of these packages should act immediately: Uninstall all four malicious packages without delay Delete any related malicious configurations from IDEs and coding agents, including Claude Code Rotate all credentials and keys on affected machines Search GitHub repositories for the string “A Mini Sha1-Hulud has Appeared” as a potential indicator of compromise Block network access to all C2 domains and IPs listed below Indicators of Compromise (IOCs) Indicator Type 87e0bbc636999b[.]lhr[.]life C2 Domain 80[.]200[.]28[.]28:2222 C2 IP:Port b94b6bcfa27554[.]lhr[.]life C2 Domain edcf8b03c84634[.]lhr[.]life C2 Domain Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. This campaign signals a dangerous new trend: the democratization of sophisticated malware. With Shai-Hulud now publicly available, the barrier to launching capable supply chain attacks has dropped dramatically. OX Security warns this is likely just the first wave, as vibe-coded malware proliferates across npm, with each variant harvesting different data types for various criminal purposes, from credential theft and crypto-draining to full botnet recruitment, all from a single npm account. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News Hackers Abuse CVE-2026-41940 to Take Over cPanel and WHM Servers Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922 OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack Critical Microsoft Exchange Server Vulnerability Actively Exploited in Attacks New Critical Exim Mailer Allows Remote Attacker to Execute Arbitrary Code Latest News Cyber Security News 1 Million WordPress Sites Affected by Avada Builder File Read and SQL Injection Flaws Cyber Security News Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922 Cyber Security News New Windows ‘MiniPlasma’ Zero-Day Let Attackers Gain SYSTEM Access – PoC Released Cyber Security News Critical WordPress Plugin Vulnerability Exposes Websites to Authentication Bypass Attacks Cyber Attack News Fast16 Malware Manipulated Nuclear Weapons Simulation Data to Sabotage Test Results
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 18, 2026
    Archived
    May 18, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗