Security researchers have identified a fresh wave of malicious packages targeting the npm ecosystem, specifically designed to compromise development and build environments. Four distinct packages—chalk-tempalte, @deadcode09284814/axios-util, axois-utils, and color-style-utils—have been confirmed to deliver information-stealing payloads and DDoS botnet agents, including a clone of the Shai-Hulud worm.
For defenders, this represents a critical supply-chain risk. The attackers are employing typosquatting techniques (e.g., axois-utils vs. the legitimate axios-utils) to trick developers into installing malware during routine dependency management. Once installed, these packages execute post-install scripts that facilitate data exfiltration or enroll the host in botnet operations. Immediate auditing of your package. manifests and build pipelines is required to prevent persistence and data loss.
Technical Analysis
Affected Products and Platforms:
- Platform: Node.js runtime environments (Windows, Linux, macOS).
- Registry: Public npm registry.
- Affected Packages:
chalk-tempalte(825 Downloads)@deadcode09284814/axios-util(284 Downloads)axois-utils(963 Downloads)color-style-utils(934 Downloads)
Attack Chain and Mechanism:
The attack vector relies on dependency confusion and typosquatting. A developer or CI/CD pipeline runs npm install or yarn add referencing one of the malicious package names. Upon installation, the package executes a postinstall script (a legitimate npm feature often abused by malware authors). This script triggers the download and execution of a secondary payload.
- Infostealers: The malware targets browser data, cryptocurrency wallets, and system credentials.
- Phantom Bot / Shai-Hulud Clone: The
chalk-tempaltepackage specifically includes code associated with the Shai-Hulud worm, adapted for DDoS activities. This allows the compromised host to participate in volumetric attacks against third-party targets.
Exploitation Status: Active. These packages were recently published and have accumulated downloads. The packages are currently being removed from the registry, but any environment that has already installed them remains compromised until the artifacts are deleted and the node is cleaned.
Detection & Response
━━━ DETECTION CONTENT ━━━
The following detection logic focuses on the installation mechanics of these specific packages. Defenders should hunt for the execution of npm/yarn processes containing these specific package names in the command line arguments.
---
title: Potential Installation of Malicious npm Package (Chalk/Phantom Bot)
id: 8a2b1c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
status: experimental
description: Detects the installation of the malicious 'chalk-tempalte' package or related typosquats associated with Phantom Bot and infostealers.
references:
- https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
author: Security Arsenal
date: 2026/05/12
tags:
- attack.initial_access
- attack.t1195.002
logsource:
category: process_creation
product: windows
detection:
selection_npm:
Image|endswith:
- '\npm.exe'
- '\npm.cmd'
CommandLine|contains:
- 'chalk-tempalte'
- 'axois-utils'
- 'color-style-utils'
- '@deadcode09284814/axios-util'
selection_yarn:
Image|endswith:
- '\yarn.exe'
- '\yarn.cmd'
CommandLine|contains:
- 'chalk-tempalte'
- 'axois-utils'
- 'color-style-utils'
- '@deadcode09284814/axios-util'
condition: 1 of selection_
falsepositives:
- Legitimate installation of packages with similar names (verify exact spelling)
level: critical
---
title: Linux/macOS npm Installation of Malicious Packages
id: 9b3c2d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the installation of known malicious npm packages on Unix-like systems via shell or npm process.
references:
- https://thehackernews.com/2026/05/four-malicious-npm-packages-deliver.html
author: Security Arsenal
date: 2026/05/12
tags:
- attack.initial_access
- attack.t1195.002
logsource:
category: process_creation
product: linux
detection:
selection:
Image|endswith:
- '/npm'
- '/yarn'
- '/node'
CommandLine|contains:
- 'chalk-tempalte'
- 'axois-utils'
- 'color-style-utils'
- '@deadcode09284814/axios-util'
falsepositives:
- Legitimate development activity
level: critical
// Hunt for npm or yarn process execution containing malicious package names
DeviceProcessEvents
| where Timestamp > ago(7d)
| where (ProcessVersionInfoOriginalFileName in ("npm.exe", "npm", "yarn.exe", "yarn") or FileName in ("npm", "yarn", "node"))
| where CommandLine has_any ("chalk-tempalte", "axois-utils", "color-style-utils", "@deadcode09284814/axios-util")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine = CommandLine, InitiatingProcessFileName, FolderPath
// Hunt for the presence of malicious package directories in node_modules
SELECT FullPath, Mtime, Size
FROM glob(globs="/*/node_modules/chalk-tempalte/**")
UNION ALL
SELECT FullPath, Mtime, Size
FROM glob(globs="/*/node_modules/axois-utils/**")
UNION ALL
SELECT FullPath, Mtime, Size
FROM glob(globs="/*/node_modules/color-style-utils/**")
UNION ALL
SELECT FullPath, Mtime, Size
FROM glob(globs="/*/node_modules/@deadcode09284814/axios-util/**")
#!/bin/bash
# Remediation script to scan and remove malicious npm packages
# Run this script from the root of your project directories
MALICIOUS_PACKAGES=(
"chalk-tempalte"
"axois-utils"
"color-style-utils"
"@deadcode09284814/axios-util"
)
echo "[+] Scanning for malicious npm packages..."
FOUND=0
for pkg in "${MALICIOUS_PACKAGES[@]}"; do
if [ -d "node_modules/$pkg" ]; then
echo "[!] FOUND: node_modules/$pkg"
FOUND=1
echo "[+] Removing node_modules/$pkg..."
rm -rf "node_modules/$pkg"
fi
# Handle scoped packages manually if needed, structure usually is node_modules/@scope/package
if [[ "$pkg" == @* ]]; then
# Parse scope and name for @deadcode09284814/axios-util
SCOPE="${pkg%%/*}"
NAME="${pkg##*/}"
if [ -d "node_modules/$SCOPE/$NAME" ]; then
echo "[!] FOUND: node_modules/$SCOPE/$NAME"
FOUND=1
echo "[+] Removing node_modules/$SCOPE/$NAME..."
rm -rf "node_modules/$SCOPE/$NAME"
fi
fi
done
if [ $FOUND -eq 1 ]; then
echo "[!] Malicious packages found and removed."
echo "[+] Action Required: Please review package. and package-lock. manually to remove references to these packages."
echo "[+] After cleaning package., run 'npm install' to restore legitimate dependencies."
else
echo "[+] No malicious packages found in current directory."
fi
Remediation
1. Immediate Containment: If your environment is confirmed to be compromised, isolate the affected build agents or developer workstations from the network to prevent data exfiltration or participation in DDoS activities.
2. Package Removal:
Manually inspect package. and package-lock. (or yarn.lock) files. Remove any references to the following packages:
chalk-tempalteaxois-utilscolor-style-utils@deadcode09284814/axios-util
3. Sanitization:
Delete the `node_modules` directory entirely and reinstall dependencies to ensure no residual artifacts remain.
rm -rf node_modules
npm install
**4. Credential Rotation:**
As these packages are infostealers, assume that any credentials, API keys, or tokens stored in environment variables or configuration files on the compromised host during the runtime of the malware have been exfiltrated. Rotate all exposed credentials immediately.
**5. Vendor Advisory:**
Monitor the official npm security advisory feed for updates. While these specific packages have been reported, attackers often re-upload variants under new names. Enforce dependency pinning and review software bills of materials (SBOM) for all production artifacts.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.