CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 23, 2026

Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks

Cybersecurity News Archived May 23, 2026 ✓ Full text saved

A widely-used JavaScript templating library called art-template has been weaponized to deliver a sophisticated iOS browser exploit kit through a supply chain attack. The backdoored package silently dropped malicious code into end users’ browsers, turning everyday web applications into watering holes targeting Apple device owners worldwide. The attack began when the art-template npm package, originally […] The post Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks By Tushar Subhra Dutta May 22, 2026 A widely-used JavaScript templating library called art-template has been weaponized to deliver a sophisticated iOS browser exploit kit through a supply chain attack. The backdoored package silently dropped malicious code into end users’ browsers, turning everyday web applications into watering holes targeting Apple device owners worldwide. The attack began when the art-template npm package, originally developed by a maintainer known as “aui,” was handed over to an unknown actor under the pretense of continuing its maintenance. According to the original author, the new controller almost immediately began weaponizing the package. Issue reports flagging the suspicious behavior were quietly deleted while the attacker continued pushing malicious versions to suppress discovery. Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they identified the campaign and linked it to a previously documented iOS exploit framework called the Coruna exploit kit. Their analysis, titled “Coruna Respawned,” revealed the implant inside the backdoored package closely mirrors delivery patterns from that earlier framework, suggesting direct reuse or a near-identical derivative. The backdoored versions followed an escalating injection pattern across multiple releases. Version 4.13.3 used encoding to hide a loader pointing to a suspicious external domain. Versions 4.13.5 and 4.13.6 dropped the obfuscation entirely and injected a plaintext script loader directly into the package’s browser bundle file. Any web application that included those versions would silently load and execute the exploit kit in every visitor’s browser. The scale of exposure is significant given how widely the package was used across JavaScript projects globally. Developers who unknowingly bundled the affected versions became unwitting delivery vehicles for a targeted mobile attack against their own users, with no visible sign that anything had changed. Hackers Backdoor Popular art-template npm Package The core of the attack is a JavaScript implant that functions as a watering hole exploit delivery framework. Once injected through the compromised npm package, it quietly fingerprints each site visitor. The implant only activates on Safari running on iOS 11.0 through 17.2, and silently exits on Chrome, Firefox, Edge, Android, and iOS 17.3 or higher. Once a matching device is detected, the implant begins beaconing the victim’s public IP address, iOS version string, and a campaign tracking code to a command-and-control server every ten seconds. It also runs five layers of anti-bot checks — including MathML rendering tests and a WebAssembly proof-of-work challenge — to confirm the target is a real person on actual hardware. Only after passing all checks does the framework fetch and execute the final server-gated payload. Payload selection is tailored to the victim’s iOS version, with each of five version bands mapping to a different remote exploit module. Researchers found the hard cutoff at iOS 17.3 aligns precisely with the patch boundary for CVE-2024-23222, a WebKit vulnerability Apple fixed at that exact release. That precision strongly suggests browser-level exploitation rather than conventional phishing. npm Supply Chain Entry Point The full delivery chain flowed from the corrupted npm package directly to the victim’s device. Versions 4.13.5 and 4.13.6 appended a script loader to the browser-side bundle, which called out to an external domain. That domain redirected visitors to a watering hole page embedding the exploit framework. From the moment any site using those versions was visited, the attack activated silently in the background. The implant uses a content-addressed module system to conceal payloads from outside observers. Remote modules are fetched via URLs derived by hashing a secret session key with a module identifier, making them invisible to scanners that do not know the key. This design matches infrastructure patterns documented for the original Coruna kit, including identical XOR obfuscation confirmed by published YARA rules. Developers are urged to audit dependency trees for art-template versions 4.13.3 through 4.13.6. Locking dependencies, reviewing browser bundle outputs for unexpected script loaders, and monitoring outbound network requests from JavaScript runtimes are the primary mitigations. Any application deployed with affected versions should undergo an immediate security review. Indicators of Compromise (IoCs):- Type Indicator Description Domain v3.jiathis[.]com External script host injected by art-template 4.13.5/4.13.6 via loadScript() in lib/template-web.js URL hxxps://v3.jiathis[.]com/code/art.js Malicious script loader fetched by art-template 4.13.6 URL hxxps://v3.jiathis[.]com/code/jia.js?uid=artemplate Malicious script loader fetched by art-template 4.13.5 Domain utaq[.]cfww[.]shop Watering hole hosting domain; serves exploit delivery framework and all remote payload modules URL hxxps://utaq[.]cfww[.]shop/gooll/gooll.html Watering hole landing page embedding the Coruna-like exploit framework URL hxxps://utaq[.]cfww[.]shop/gooll/49554fde7424c31c.js Primary JavaScript implant file; iOS Safari exploit delivery framework Domain l1ewsu3yjkqeroy[.]xyz C2 server receiving victim IP beacons every 10 seconds via POST to /api/ip-sync/sync URL https://l1ewsu3yjkqeroy[.]xyz/api/ip-sync/sync C2 beacon endpoint receiving victim IP address, iOS version, and campaign tracking code URL https://ipv4.icanhazip.com Legitimate IP oracle used by implant to resolve victim’s public IP before C2 POST Domain git.youzzjizz[.]com External loader domain used in the older art-template 4.13.3 injection (git.youzzjizz[.]com/git.js) File Name 49554fde7424c31c.js JavaScript implant filename; the watering hole exploit delivery framework File Name lib/template-web.js Compromised file inside the art-template npm package where the loadScript() injection was placed SHA-256 f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c SHA-256 hash of 49554fde7424c31c.js (the primary implant file) SHA-1 8064d4e0322f069b3dba13e7957ff0ca7dab7984 SHA-1 hash of 49554fde7424c31c.js MD5 6e79ae622b7ef30f31fdbcc2dc65339e MD5 hash of 49554fde7424c31c.js String / Session Key cecd08aa6ff548c2 Session key used by implant to derive remote payload module URLs via content-addressed SHA-256 hashing String / Campaign Code CHMK6IG08F42496C22 Campaign tracking code beaconed to C2 with every victim check-in Package Version pkg:npm/art-template@4.13.3 First backdoored version using String.fromCharCode encoding to hide loader Package Version pkg:npm/art-template@4.13.5 Backdoored version with plaintext loadScript() injection pointing to jiathis domain Package Version pkg:npm/art-template@4.13.6 Backdoored version with updated plaintext loadScript() injection Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News 3 Tactics Elite SOCs Use to Operationalize Threat Intelligence Critical SEPPmail Gateway Flaws Allow Remote Code Execution and Mail Traffic Theft New NGINX Vulnerability Allows Remote Attackers to Trigger Malicious Code Microsoft Confirms Windows 11 Update Fails With Error 0x800f0922 DevilNFC Android Malware Uses Kiosk Mode to Trap Victims During NFC Relay Attacks Latest News Cyber Security News Hackers Use NF-e Invoice Lures to Deliver Banana RAT Through Malicious Batch Files Cyber Security News Ubiquiti Patches Critical UniFi OS Vulnerabilities Allowing Remote Privilege Escalation Cyber Security LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access Cyber Security News CISA adds Langflow Origin Validation Flaw to Known Exploited Vulnerabilities Catalog Cyber Security News Deleted Google API Keys Continue Accessing Gemini, BigQuery, and Maps APIs
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 23, 2026
    Archived
    May 23, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗