
"One of the packages (chalk-tempalte) contains a direct clone of the Shai-Hulud source code that TeamPCP leaked last week, probably inspired as part of the supply chain attack competition that was published in BreachForums not long after,"
"The actor took the code, and almost without any change at all -- uploaded a working version with its own C2 server and private key into npm."
"The stolen credentials are sent to the remote C2 server -- 87e0bbc636999b.lhr[.]life"
"An analysis of the packages has revealed that "axois-utils" is designed to deliver a Golang-based distributed denial-of-service (DDoS) botnet called Phantom Bot, with capabilities to flood a target website using HTTP, TCP, and UDP protocols. It also establishes persistence on both Windows and Linux machines by adding the payload to the Windows Startup folder and creating a scheduled task."
"In addition, the data is exported to a new GitHub public repository using the stolen GitHub token via the API. The repository is given the description "A Mini Sha1-Hulud has Appeared." The remaining three drop a stealer payload on compromised systems."
Four npm packages were identified as containing information-stealing malware. One package, chalk-tempalte, contains a direct clone of the Shai-Hulud worm source code leaked by TeamPCP. The cloned code was uploaded with minimal changes, swapping in the actor's own command-and-control server and private key. Stolen credentials are sent to a remote C2 server at 87e0bbc636999b.lhr[.]life. The stolen data is also exported to a new public GitHub repository, created through the GitHub API with the stolen GitHub token and described as "A Mini Sha1-Hulud has Appeared." Another package, axois-utils, delivers a Golang-based DDoS botnet called Phantom Bot that floods targets over HTTP, TCP, and UDP and persists on both Windows and Linux machines by adding the payload to the Windows Startup folder and creating a scheduled task. The remaining packages drop stealer payloads on compromised systems.
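As an added defensive check, and not code from the article or from any project it names, the script below walks a parsed npm lockfile and flags the two package names reported above plus single-edit look-alikes of popular names (chalk-tempalte and axois-utils both differ from their targets by one swapped pair of letters); the popular-name list and the sample lockfile are constructed for illustration.

```python
# Flag known-malicious and look-alike npm package names in a parsed lockfile.
# The two package names the report above gives; everything else is assumed.
KNOWN_MALICIOUS = {"chalk-tempalte", "axois-utils"}
# Popular packages a typosquat would imitate (illustrative, assumed list).
POPULAR = {"chalk", "chalk-template", "axios", "lodash"}

def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    # d[i][j] = distance between a[:i] and b[:j]; first row/column are prefix lengths.
    d = [list(range(len(b) + 1))] + [[i] + [0] * len(b) for i in range(1, len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[len(a)][len(b)]

def lockfile_package_names(lock: dict) -> set:
    """Collect dependency names from a lockfileVersion 2/3 'packages' map."""
    names = set()
    for path in lock.get("packages", {}):
        if path:  # "" is the root project entry, not a dependency
            names.add(path.rsplit("node_modules/", 1)[-1])
    return names

def audit_lockfile(lock: dict) -> dict:
    """Return {package: reason} for every name that deserves a human look."""
    findings = {}
    for name in lockfile_package_names(lock):
        if name in KNOWN_MALICIOUS:
            findings[name] = "known malicious (reported)"
        elif name not in POPULAR:
            for legit in POPULAR:
                if damerau_levenshtein(name, legit) <= 1:
                    findings[name] = f"look-alike of {legit}"
                    break
    return findings

# Constructed sample lockfile fragment (lockfileVersion 3 layout).
SAMPLE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/chalk": {"version": "5.3.0"},
    "node_modules/chalk-tempalte": {"version": "1.0.0"},
    "node_modules/axois-utils": {"version": "1.0.0"},
    "node_modules/axois": {"version": "1.0.0"},
}}
```

Against a real project, pass `json.load(open("package-lock.json"))` to `audit_lockfile` and review each returned name by hand; an edit distance of 1 is deliberately strict, so widen the popular-name list rather than the threshold to avoid noise.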
Read at The Hacker News