Unmasking the npm Supply Chain: A Dual-Pronged Attack Trajectory
Threat actors actively compromise the npm ecosystem. This targets your developer environments. A sophisticated campaign combines hijacked established packages with cunningly crafted typosquats. They deliver evasive infostealers, potent GoLang-based DDoS botnets, and unobfuscated worm clones. You need immediate action to secure your stack.
Identify vulnerable node-ipc versions or detect DNS TXT exfiltration now.

```bash
npm list node-ipc
```

Or, for network anomaly detection:

```yaml
title: DNS TXT Record Anomalous Outbound
id: 5a9b7c8d-e0f1-4a2b-8c3d-4e5f6a7b8c9d
status: experimental
description: Detects unusual outbound DNS queries for TXT records, indicative of data exfiltration.
author: Your Security Team
logsource:
  product: network
  service: dns
detection:
  selection:
    _DNS_QUERY_TYPE: TXT
    _DNS_QUERY_FQDN|endswith:
      - '.azurestaticprovider.net'
      - '.lhr.life'
  condition: selection
level: high
```
This article dissects the vectors, payload execution, and data exfiltration methods in these live campaigns. It provides actionable remediation steps.
The Logic of the Breach: Compromised node-ipc
The node-ipc module is fundamental for Inter-Process Communication (IPC). It facilitates communication via Unix sockets, Windows named pipes, and TCP/UDP networking. Threat actors compromised versions 9.1.6, 9.2.3, and 12.0.1. This is not node-ipc's first security incident; CVE-2022-23812 highlights a previous “protestware” campaign. This new compromise signifies a targeted attack.
The malicious payload resides as obfuscated code. You find it at the bottom of the node-ipc.cjs file. Deobfuscation reveals its specific targets. The malware focuses on macOS environments. It systematically scans your ~/Library directory. The stealer meticulously extracts sensitive session files, cookies, and configuration data. It targets a broad array of developer tools and applications.
Consider the depth of data compromised:
- AI Assistants: Claude Code and Kiro data.
- Infrastructure & Cloud: AWS, GCP, Azure credentials, Terraform configurations, Docker secrets, Kubernetes manifests, Helm charts, and Ansible playbooks.
- Applications: Firefox browser data, Microsoft Teams session tokens, FileZilla credentials, and MySQL history logs.
This comprehensive targeting highlights the adversary’s intent. They aim to achieve maximum lateral movement and persistence within your development and cloud environments.
Packet-Level Analysis: Evasive DNS TXT Exfiltration
Standard HTTP POST requests are easy targets. Network monitoring tools quickly flag them. This malware employs a far more evasive technique for data exfiltration. It leverages DNS TXT record queries.
Here is how it works:
- Fragmentation: The malware fragments stolen data into small packets.
- DNS Queries: It embeds these data fragments into DNS queries. Specifically, it uses the query portion of a DNS request.
- C2 Communication: These crafted DNS queries transmit to the Command and Control (C2) server, sh[.]azurestaticprovider[.]net.
- Mimicry: This domain intentionally mimics legitimate Microsoft Azure infrastructure. This helps it evade security scanner detection.
- Reassembly: The C2 server utilizes specific logic to reassemble these fragmented data packets.
This method is highly effective for bypassing traditional firewalls and intrusion detection systems. Many organizations allow outbound DNS traffic on Port 53 by default. They often do not inspect the contents of DNS queries for anomalies. Deep Packet Inspection (DPI) is necessary to catch this. You need to analyze the length and content of DNS query strings. Unusually long or malformed DNS queries can indicate data exfiltration.
For example, a typical DNS A record query for example.com is short. A DNS TXT exfiltration query might look like part1.part2.part3.stolen_data_chunk.sh[.]azurestaticprovider[.]net. This pattern is highly unusual.
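The length, label-count and entropy checks described above, applied to DNS query-log lines, as an added example that is not code from the original article. The log line format and the sample lines are constructed for this example; the suffix list is the article's own IOC set.

```javascript
// Added example (not from the original article): flag DNS TXT queries that
// carry the traits of the exfiltration described above. Log format is
// constructed for this example: "<timestamp> <client-ip> <qtype> <qname>".
const C2_SUFFIXES = ['.azurestaticprovider.net', '.lhr.life']; // article IOCs

// Shannon entropy in bits per character; encoded data chunks score high.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) h -= (n / s.length) * Math.log2(n / s.length);
  return h;
}

// Returns the reasons a query looks suspicious; an empty array means benign.
function analyzeQuery(qtype, qname) {
  const reasons = [];
  if (qtype !== 'TXT') return reasons;
  const name = qname.toLowerCase().replace(/\.$/, '');
  const labels = name.split('.');
  if (C2_SUFFIXES.some((s) => name.endsWith(s))) reasons.push('known C2 suffix');
  if (name.length > 100) reasons.push(`long qname (${name.length} chars)`);
  if (labels.length > 5) reasons.push(`many labels (${labels.length})`);
  // Everything left of the last two labels is where data fragments get packed.
  const payload = labels.slice(0, -2).join('');
  if (payload.length >= 16 && shannonEntropy(payload) > 3.5) reasons.push('high-entropy labels');
  return reasons;
}

// Scans log lines and returns one hit per suspicious query.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const [ts, client, qtype, qname] = line.trim().split(/\s+/);
    if (!qname) continue; // malformed line
    const reasons = analyzeQuery(qtype, qname);
    if (reasons.length > 0) hits.push({ ts, client, qname, reasons });
  }
  return hits;
}

// Constructed sample: a benign A lookup, a benign TXT lookup (DMARC), and one
// query shaped like the fragment.fragment.fragment.<c2> pattern above.
const SAMPLE_LOG = [
  '2025-01-10T09:00:01Z 10.0.0.5 A example.com',
  '2025-01-10T09:00:02Z 10.0.0.5 TXT _dmarc.example.com',
  '2025-01-10T09:00:03Z 10.0.0.7 TXT 4a7f9c2e1b.d3e8a1f6c0.9b2c4d7e8f.sh.azurestaticprovider.net',
];

for (const hit of scanLog(SAMPLE_LOG)) console.log(`${hit.client} -> ${hit.qname}: ${hit.reasons.join(', ')}`);
```

The entropy and length thresholds are starting points; tune them against a baseline of your resolver's normal TXT traffic (DMARC, SPF, ACME challenges) before alerting on them.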
The Parallel Threat: Typosquatting Operations
A parallel campaign amplifies the threat. A single npm user account, deadcode09284814, orchestrates it. This actor drew inspiration from a recent supply chain attack competition on BreachForums. They deployed four malicious packages. Each carries a distinctly different payload.
Shai-Hulud’s Resurgence: The chalk-tempalte Worm Clone
The chalk-tempalte package delivers an exact, unobfuscated clone of the Shai-Hulud worm source code. TeamPCP recently leaked this code. This signifies rapid weaponization of public exploit code.
Its primary functionality includes:
- Credential Harvesting: It harvests credentials from the victim’s system.
- Data Transmission: It transmits these stolen credentials to 87e0bbc636999b[.]lhr[.]life.
- Propagation Mechanism: It leverages stolen GitHub API tokens. These tokens allow it to automatically create new public repositories on the victim’s GitHub account. It tags these repositories with the description “A Mini Sha1-Hulud has Appeared”. This serves as both a propagation mechanism and a subtle indicator of compromise.
Your GitHub activity logs can reveal this. Monitor for sudden, unauthorized repository creation.
Phantom Bot’s Volumetric Assault: The axois-utils DDoS Payload
The axois-utils package shifts focus from data theft to infrastructure disruption. It drops a GoLang-based distributed denial-of-service (DDoS) botnet known as Phantom Bot.
This botnet achieves cross-platform persistence:
- Windows: It modifies the Windows Startup folder. It creates scheduled tasks.
- Linux: It creates scheduled tasks on Linux systems.
Once active, Phantom Bot can launch severe volumetric attacks. It targets network services and applications. This includes:
- HTTP Attacks: Flooding web servers with requests.
- TCP Attacks: SYN floods, full connection floods.
- UDP Attacks: UDP floods, often used to overwhelm DNS servers.
- Reset Attacks: Sending TCP RST packets to tear down active connections.
This payload aims for maximum network disruption. Its GoLang basis makes it efficient and cross-platform. This allows for wider deployment across diverse target environments.
Aggressive Infostealers: @deadcode09284814/axios-util and color-style-utils
Two additional packages from the same actor function as aggressive information stealers.
- @deadcode09284814/axios-util: This package specifically targets critical development and cloud credentials. It extracts SSH keys, environment variables, and cloud credentials (AWS, GCP, Azure). It routes all stolen data to 80[.]200[.]28[.]28:2222. Note the non-standard port 2222 for exfiltration. While less common, it still represents a direct outbound connection you must block.
- color-style-utils: This stealer focuses on financial assets and reconnaissance. It extracts cryptocurrency wallet data. It also gathers IP geolocation information. It exfiltrates this data to edcf8b03c84634[.]lhr[.]life.
These packages demonstrate the actor’s varied monetization strategies. They target both enterprise cloud assets and individual developer crypto holdings. The sophistication of these techniques, from DNS tunneling to multi-platform persistence, underscores a mature threat landscape. An expert tracking these developments noted the overall quality and adaptability of the adversary’s toolkit, affirming “it is good” that organizations are bolstering their defenses with such detailed analyses.
Technical Remediation: Protecting Your Stack
Immediate and thorough action is crucial. You must address both active infections and prevent future compromises.
Step-by-Step Incident Response
- Package Management and Removal:
  - Downgrade node-ipc: Immediately revert node-ipc to a known safe version.

    ```bash
    npm uninstall node-ipc
    npm install node-ipc@12.0.0
    ```

  - Uninstall Malicious Packages: Completely remove all identified typosquatted packages.

    ```bash
    npm uninstall chalk-tempalte
    npm uninstall axois-utils
    npm uninstall @deadcode09284814/axios-util
    npm uninstall color-style-utils
    ```

  - Scan for Transitive Dependencies: Ensure these packages are not lingering as transitive dependencies. Use npm audit and npm ls extensively.

    ```bash
    npm audit
    npm ls --all | grep "chalk-tempalte"  # Repeat for all malicious packages
    ```
- Credential Rotation and Access Revocation:
  - Full Compromise Assumption: Treat any machine that executed these packages as fully compromised.
  - Revoke All Keys: Revoke all SSH keys associated with the compromised machine. Generate new key pairs.
  - Cloud Tokens: Invalidate and rotate all AWS, GCP, Azure, and other cloud provider tokens or API keys.
  - Environment Variables: Review and sanitize all environment variables. Replace any sensitive data stored there.
  - GitHub API Keys: Revoke all GitHub API tokens. Check your GitHub account for unauthorized activity.
  - Enforce 2FA: If not already in place, enforce Two-Factor Authentication (2FA) across all critical accounts.
- Environment Sanitization and Forensics:
  - IDE and AI Agents: Inspect configurations within your Integrated Development Environments (IDEs) and AI coding agents (e.g., Claude Code, Kiro). Look for injected malicious configurations or unauthorized script inclusions.
  - GitHub Audit: Audit your GitHub accounts. Search for unauthorized repository creation matching the “A Mini Sha1-Hulud has Appeared” signature. Remove any found repositories.
  - System Integrity Check: Perform a full system integrity check. Look for persistence mechanisms, new users, or modified system files.
  - DNS Cache Flush: Clear DNS caches on affected systems to remove any cached malicious records.

    ```bash
    sudo dscacheutil -flushcache; sudo killall -HUP mDNSResponder   # macOS
    ipconfig /flushdns                                              # Windows
    sudo systemd-resolve --flush-caches                             # Linux (systemd-resolved)
    ```
- Network Blocking and Monitoring:
  - Block C2 Infrastructure: Block all egress traffic to the identified C2 infrastructure at your firewall and DNS resolvers.

    ```text
    sh[.]azurestaticprovider[.]net
    87e0bbc636999b[.]lhr[.]life
    b94b6bcfa27554[.]lhr[.]life
    edcf8b03c84634[.]lhr[.]life
    80[.]200[.]28[.]28   # Block both IP and Port 2222
    ```

  - DNS Policy: Implement a strict DNS policy. Block all outbound DNS queries to non-approved external DNS resolvers. Implement DNS sinkholing for known malicious domains.
  - Traffic Inspection: Configure network intrusion detection/prevention systems (NIDS/NIPS) to perform deep packet inspection. Specifically, look for unusually long DNS TXT queries or queries to the listed C2 domains.
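The transitive-dependency scan from the package-removal step, as an added example that is not part of the original article: it reads an npm package-lock.json (lockfileVersion 2 or 3) and reports the typosquat packages and compromised node-ipc versions named in this article wherever they occur in the tree, including nested node_modules directories. The sample lockfile, its project name and its version numbers are constructed.

```javascript
// Added example (not from the original article): scan an npm package-lock.json
// (lockfileVersion 2 or 3) for the packages named in this article, wherever
// they sit in the tree, including nested node_modules directories.
const MALICIOUS_PACKAGES = new Set([
  'chalk-tempalte', 'axois-utils', '@deadcode09284814/axios-util', 'color-style-utils',
]);
const COMPROMISED_VERSIONS = { 'node-ipc': new Set(['9.1.6', '9.2.3', '12.0.1']) };

// Lockfile keys are install paths; the package name is what follows the last
// "node_modules/" segment, e.g. "node_modules/a/node_modules/@s/b" -> "@s/b".
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Returns { path, name, version, reason } for every matching entry.
function scanLockfile(lock) {
  const findings = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project itself
    const name = meta.name || nameFromLockPath(lockPath); // aliased installs carry a name field
    const version = meta.version || 'unknown';
    if (MALICIOUS_PACKAGES.has(name)) {
      findings.push({ path: lockPath, name, version, reason: 'typosquat package' });
    } else if (COMPROMISED_VERSIONS[name] && COMPROMISED_VERSIONS[name].has(version)) {
      findings.push({ path: lockPath, name, version, reason: 'compromised version' });
    }
  }
  return findings;
}

// Constructed lockfile: a clean top-level node-ipc, a compromised node-ipc
// nested under another dependency, and one typosquat. Versions are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/node-ipc': { version: '12.0.0' },
    'node_modules/some-tool': { version: '2.1.0' },
    'node_modules/some-tool/node_modules/node-ipc': { version: '12.0.1' },
    'node_modules/axois-utils': { version: '1.0.3' },
  },
};

// Usage: node scan-lock.js [path/to/package-lock.json]; falls back to the sample.
if (typeof require !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCK;
  for (const f of scanLockfile(lock)) console.log(`${f.reason}: ${f.name}@${f.version} at ${f.path}`);
}
```

A hit on a nested path means the package arrived through another dependency, so uninstalling it at the top level is not enough; the parent dependency has to be updated or removed as well.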
Proactive Defense Strategies for Your Enterprise Stack
Protecting against supply chain attacks requires a multi-layered approach.
- Software Supply Chain Security:
  - Dependency Scanning: Integrate automated dependency scanning tools (e.g., Snyk, Dependabot, Renovate) into your CI/CD pipelines. This helps identify known vulnerabilities and malicious packages early.
  - SBOM Generation: Generate Software Bill of Materials (SBOMs) for all your applications. This provides visibility into your complete dependency tree.
  - Registry Monitoring: Monitor public package registries for suspicious activity or newly published packages with high similarity scores to legitimate ones.
- Endpoint Detection & Response (EDR):
  - Deploy robust EDR solutions across all developer workstations and servers.
  - Configure EDRs to detect anomalous process behavior, unauthorized file access to sensitive directories (~/Library), and unusual network connections. Focus on processes initiating DNS TXT queries of suspicious lengths or to unknown domains.
- Network Segmentation and Monitoring:
  - Zero Trust Architecture: Implement a Zero Trust network architecture. Segment your developer networks from production environments. Enforce granular access controls.
  - Egress Filtering: Implement strict egress filtering. Allow only necessary outbound traffic. Block all suspicious ports and protocols. Ensure outbound port 53 traffic is inspected.
  - Deep Packet Inspection (DPI): Utilize DPI-capable firewalls or proxies. Inspect DNS query contents for anomalies, unusual lengths, or TXT record misuse.
- Cloud Security Posture Management (CSPM):
  - Regularly audit your cloud configurations using CSPM tools.
  - Monitor for unauthorized credential usage, unusual API calls, or changes in resource policies in AWS, GCP, and Azure environments.
  - Enforce the Principle of Least Privilege for all cloud identities.
- Kubernetes Specifics (Leveraging ECK):
  - Image Scanning: Integrate container image scanning into your CI/CD pipeline. Scan for malicious packages or known vulnerabilities within your container images.
  - Admission Controllers: Implement Kubernetes Admission Controllers. Enforce policies like only allowing images from trusted registries. Prevent the deployment of pods containing known vulnerable packages.
  - Network Policies: Define strict Kubernetes Network Policies. Control egress traffic from pods. Ensure pods can only communicate with approved external services. Block all outbound DNS TXT queries to unauthorized endpoints.
  - Centralized Logging and Monitoring (ECK): Leverage Elastic Cloud on Kubernetes (ECK) to centralize all Kubernetes logs (pod logs, audit logs, network flow logs). Create detection rules within your Elastic Stack. Look for:
    - Unusual process execution inside containers.
    - Egress connections from pods to the identified C2s.
    - High volumes of DNS TXT queries from specific pods.
    - Creation of new scheduled tasks or modifications to startup folders within containers (if phantom_bot were to infect a container).
- Incident Response and Malware Analysis (Using FlareVM):
  - Malware Analysis Environment: Maintain a dedicated malware analysis environment. Utilize tools like FlareVM.
  - Dynamic Analysis: If a suspicious package is identified, detonate it within FlareVM. Observe its network communications, file system modifications, and process behavior.
  - Static Analysis: Use FlareVM’s tools for static analysis. Deobfuscate scripts. Reverse engineer binaries. Understand the full payload functionality.
Indicators of Compromise (IOCs)
Block and monitor for these indicators within your environment:
Domains:
- sh[.]azurestaticprovider[.]net
- 87e0bbc636999b[.]lhr[.]life
- b94b6bcfa27554[.]lhr[.]life
- edcf8b03c84634[.]lhr[.]life
IP Addresses:
- 80[.]200[.]28[.]28
NPM Packages:
- node-ipc (versions 9.1.6, 9.2.3, 12.0.1)
- chalk-tempalte
- axois-utils
- @deadcode09284814/axios-util
- color-style-utils
GitHub Signature:
- Repository description: “A Mini Sha1-Hulud has Appeared”
Your proactive defense and rapid response are paramount. Attackers continuously refine their methods. You must stay vigilant.
