Cybersecurity researchers have discovered four malicious npm packages embedding infostealer malware and a Phantom Bot DDoS payload — one of which is a direct clone of the Shai-Hulud worm open-sourced by the TeamPCP threat group. The discovery underscores the immediate real-world consequences of releasing self-replicating worm source code into the open: within days, copycat variants began appearing in public package registries.
The Four Malicious Packages
| Package Name | Downloads | Payload |
|---|---|---|
chalk-tempalte | ~825 | Infostealer |
@deadcode09284814/axios-util | ~284 | Shai-Hulud clone / DDoS |
| (additional packages) | — | Infostealer / DDoS |
| (additional packages) | — | Infostealer / DDoS |
The typosquatted package names — most notably chalk-tempalte (a misspelling of the legitimate chalk-template with over 7 million weekly downloads) — are designed to trick developers into installing malicious code through confusion with trusted libraries.
What the Malware Does
Infostealer Payload
The infostealer component targets developer workstations and CI/CD environments, extracting:
- Browser credentials — saved passwords, session cookies, and autofill data from Chrome, Firefox, and Edge
- Environment variables — API keys, cloud credentials (
AWS_ACCESS_KEY_ID,GITHUB_TOKEN, etc.) stored in.envfiles - SSH keys — private keys from
~/.ssh/directories - npm tokens — authentication tokens stored in
.npmrcthat could be used to publish malicious packages under the victim's identity - Git configuration — remote repository URLs and cached credentials
Phantom Bot DDoS Component
The Phantom Bot payload establishes a persistent backdoor that registers the compromised system as a node in a distributed botnet capable of launching volumetric DDoS attacks. The bot:
- Connects to a command-and-control (C2) server over encrypted channels
- Awaits instructions to participate in flood attacks against specified targets
- Maintains persistence via cron jobs or startup scripts
Shai-Hulud Clone Behavior
The Shai-Hulud clone replicates the self-spreading mechanism originally developed by TeamPCP: upon installation, it scans the victim's npm project for package.json files, injects itself as a dependency, and — if the victim has npm publish permissions — automatically publishes infected versions of the victim's packages to the npm registry, continuing the chain of infection.
The TeamPCP Open-Source Gambit
On May 15, 2026, TeamPCP released the full Shai-Hulud source code publicly — ostensibly as a demonstration of capability after weeks of attacks targeting Tanstack, Mistral AI, Guardrails AI, and others. The move was widely interpreted as an attempt to:
- Amplify damage without directly attributing future attacks to the group
- Overwhelm incident response capacity by flooding the npm registry with copycat variants
- Establish a reputation in the threat actor community for audacious tactics
The appearance of worm clones within days of the source code release confirms that the gambit succeeded in spawning derivative campaigns.
Affected Developers and Organizations
The malicious packages primarily threaten:
- JavaScript/Node.js developers who install packages from npm without verifying checksums or publisher identity
- CI/CD pipeline environments where npm install runs automatically on dependency updates
- Organizations with weak secret management that store credentials in environment variables accessible to build processes
- Open-source maintainers whose npm tokens could be harvested to publish further malicious packages
Immediate Mitigations
- Audit your
node_modules— check installed packages against their expected checksums usingnpm auditand tools likesocket.dev - Rotate npm tokens — revoke and reissue all npm authentication tokens, especially if you run automated publish workflows
- Inspect
package-lock.json— verify that no unexpected packages were added to your lock file - Enable npm two-factor authentication — require 2FA for all npm publish operations on your packages
- Review
.npmrcfiles — ensure no authentication tokens are committed to repositories or accessible to build environments - Monitor for typosquatting — use
npm install --dry-runbefore executing installs in new environments and verify package names character-by-character
The Broader npm Typosquatting Threat
This campaign is the latest in a sustained wave of npm supply chain attacks:
| Campaign | Date | Packages | Targets |
|---|---|---|---|
| Shai-Hulud original | Mar–May 2026 | Tanstack, Mistral AI, SAP | Developer credentials |
| Axios npm compromise | Apr 2026 | axios | Node.js credential theft |
| SAP npm packages | Apr 2026 | SAP-related packages | Enterprise credentials |
| This campaign | May 2026 | chalk-tempalte, axios-util | Infostealers + DDoS |
The npm registry's open publication model makes it an attractive attack surface. Organizations should treat the software supply chain as a first-class security boundary — applying the same scrutiny to npm packages as to any other third-party software.