Severity
HIGH
CVSS
7.5
Priority
0.790
Executive Summary
A leaked infostealer toolkit called Shai-Hulud has been weaponized by a second, unidentified threat actor who published four malicious packages to the npm registry. The package names typosquat popular libraries, two of them imitating the Axios HTTP client, to catch Node.js developers who mistype a dependency. The packages steal cloud credentials (AWS, GCP, Azure), cryptocurrency wallet data and developer secrets, and at least one also recruits infected machines into a DDoS botnet. Any organization whose Node.js development pipelines installed one of the four packages may have exposed cloud infrastructure credentials and is at elevated risk of further compromise.
Impact Assessment
CISA KEV Status
Not listed
Threat Severity
HIGH
High severity — prioritize for investigation
Actor Attribution
HIGH
TeamPCP (original Shai-Hulud authors — attributed, confidence: medium), Unknown second actor (distinct from TeamPCP — unattributed, confidence: medium)
TTP Sophistication
HIGH
11 MITRE ATT&CK techniques identified
Detection Difficulty
HIGH
Multiple evasion techniques observed
Target Scope
INFO
npm packages: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils; Node.js developers; Axios library users; cryptocurrency wallets; cloud configuration credentials (AWS, GCP, Azure config files)
Are You Exposed?
⚠ Your organization develops with Node.js/npm or runs npm installs in CI/CD, the population this campaign targets → Heightened risk
⚠ Your manifests, lockfiles or npm caches reference chalk-tempalte, @deadcode09284814/axios-util, axois-utils or color-style-utils → Assess exposure
⚠ 11 attack techniques identified → review your detection coverage for these TTPs
✓ Your EDR/XDR detects the listed IOCs and TTPs → Reduced risk
✓ You have incident response procedures for this threat type → Prepared
Assessment estimated from severity rating and threat indicators
Business Context
If a developer workstation or CI/CD pipeline installed one of these packages, cloud infrastructure credentials may be in attacker hands, creating direct risk of cloud account takeover, data exfiltration, and unauthorized resource provisioning that can result in significant financial and operational damage. Cryptocurrency wallets accessible on affected developer machines may have been drained. Organizations in regulated industries whose cloud environments store customer or patient data face potential breach notification obligations if exfiltrated credentials enabled unauthorized data access.
You Are Affected If
Your Node.js projects reference any of these npm packages: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils
Your developers or CI/CD pipelines run npm install without lockfile pinning or a private registry allowlist
Cloud provider credentials (AWS, GCP, or Azure) are stored in plaintext config files on developer machines or build servers
Cryptocurrency wallet files are stored on developer workstations used for npm-based development
You have not audited npm dependency trees since these packages appeared in the registry
Board Talking Points
Attackers published fake developer tools to a public software registry that steal cloud account credentials when installed by our engineering teams.
Security should audit all development and build environments for the four named packages within 24 hours and rotate any exposed cloud credentials immediately.
Without action, stolen cloud credentials could enable unauthorized access to our infrastructure, customer data, or financial resources, with potential breach notification and regulatory consequences.
PCI-DSS — cloud environments storing or processing cardholder data may be accessible via stolen credentials exfiltrated by this campaign
HIPAA — cloud configurations storing ePHI are at risk if credentials were exfiltrated from developer or CI/CD environments with access to covered data
Technical Analysis
Four malicious npm packages were published under names that typosquat popular libraries: axois-utils and @deadcode09284814/axios-util imitate the Axios HTTP client, chalk-tempalte transposes two letters of chalk-template, and the fourth is color-style-utils.
The packages carry a modified variant of the Shai-Hulud infostealer, originally developed by the group tracked as TeamPCP, whose source code was leaked publicly on GitHub.
A second, unattributed actor incorporated the leaked code and extended it with a persistent DDoS botnet module.
Payloads run as embedded malicious code (CWE-506) when the package is installed or imported, read credentials from plaintext configuration files (CWE-312), and reach developers because the install path performs no integrity or provenance check beyond the registry's own (CWE-494, Download of Code Without Integrity Check).
Relevant MITRE ATT&CK techniques: T1588.001 (Obtain Capabilities: Malware, for the leaked source), T1195.001 (Compromise Software Dependencies and Development Tools), T1204.002 (User Execution: Malicious File), T1059.007 (Command and Scripting Interpreter: JavaScript), T1027 (Obfuscated Files or Information), T1552.001 (Credentials In Files), T1136.003 (Create Account: Cloud Account), T1071.001 (Application Layer Protocol: Web Protocols for C2), T1567 and T1567.001 (Exfiltration Over Web Service / to Code Repository), and T1498 (Network Denial of Service).
No CVE has been assigned. The CVSS 7.5 shown above is a representative score for the infostealer payload, not a vulnerability score; the campaign-level item is rated editorially as High on attack scope and exposure conditions. Confidence in artifact-level details is medium: the primary source is BleepingComputer (T3), corroborated by vendor reports from Microsoft, Huntress, Trend Micro and Cloudsmith. Primary artifact analysis has not been independently confirmed in this session.
Action Checklist (IR enriched)
Triage Priority: IMMEDIATE
Escalate immediately to the CISO and legal counsel if AWS CloudTrail, GCP Audit Logs or Azure Activity Log show API calls using the compromised credentials after the install timestamp (confirmed misuse of exfiltrated credentials), or if cryptocurrency wallet files (for example a MetaMask vault or `~/.bitcoin/wallet.dat`) were present on affected systems (wallet data within the payload's reach). Either condition may trigger breach notification obligations under applicable data protection regulations.
Step 1: Containment. Audit all npm package manifests (package.json and package-lock.json) across dev, CI/CD, and production environments for the four malicious packages: chalk-tempalte, @deadcode09284814/axios-util, axois-utils, color-style-utils. Remove any match immediately and revoke all secrets accessible from affected build environments. Reference: Microsoft advisory on axios npm supply chain compromise (expected publication 2026-04-01; consult Microsoft Security Blog for confirmation).
IR Detail
Containment
NIST 800-61r3 §3.3 — Containment Strategy
NIST IR-4 (Incident Handling)
NIST SI-7 (Software, Firmware, and Information Integrity)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.3 (Address Unauthorized Software)
Compensating Control
Run the following across all repositories and CI workspaces to surface hits before manual removal: `find . \( -name package.json -o -name package-lock.json \) -print0 | xargs -0 grep -lE 'chalk-tempalte|axois-utils|color-style-utils|@deadcode09284814/axios-util'`. On CI/CD runners (GitHub Actions, GitLab CI, Jenkins) also check installed trees and build caches, remembering that the scoped package lives at `node_modules/@deadcode09284814/axios-util`: `find /home/runner /var/lib/jenkins -type d \( -name chalk-tempalte -o -name axois-utils -o -name color-style-utils -o -path '*/@deadcode09284814/axios-util' \) 2>/dev/null`. Immediately disable any AWS IAM access key visible in a .env or credentials file on the affected host with `aws iam update-access-key --access-key-id <KEY> --user-name <USER> --status Inactive` (reversible if a dependent workload breaks), then delete it with `aws iam delete-access-key` once a replacement is in place; treat any secret exported into the build environment the same way.
Preserve Evidence
Before removing packages, snapshot the full node_modules directory tree (`ls -laR node_modules/ > node_modules_snapshot.txt`) and capture the resolved dependency tree (`npm ls --all > npm_tree.txt`). Preserve the original package-lock.json with file hash (`sha256sum package-lock.json`) as tamper evidence. If the malicious package was executed, capture a process list (`ps aux` or `Get-Process`) and active network connections (`ss -tunp` or `netstat -ano`) before killing any processes, since Shai-Hulud payloads establish outbound C2 connections at install time.
Step 2: Detection. Search npm install logs, CI/CD pipeline logs, and SIEM telemetry for installs of the four package names. Look for outbound HTTP/HTTPS connections to unknown endpoints initiated by Node.js processes at install time (T1071.001). Check for unexpected reads of ~/.aws/credentials, ~/.config/gcloud/, Azure config directories, and cryptocurrency wallet files. Behavioral indicators include JavaScript spawning shell processes (T1059.007) and bulk file reads followed by outbound POST requests.
IR Detail
Detection & Analysis
NIST 800-61r3 §3.2 — Detection and Analysis
NIST IR-5 (Incident Monitoring)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
CIS 8.2 (Collect Audit Logs)
Compensating Control
Without a SIEM, use osquery to hunt for recent reads of credential files: `SELECT path, atime, mtime FROM file WHERE path LIKE '/home/%/.aws/credentials' AND atime > CAST(strftime('%s','now','-7 days') AS INTEGER);` (atime is only meaningful on filesystems mounted without noatime, and under the default relatime it refreshes at most once a day unless the file changed). On Linux developer workstations, add auditd watches on the specific credential files rather than on all of /home, which would flood the log: `auditctl -w /home/<user>/.aws/credentials -p r -k shai_hulud_cred_access` and `auditctl -w /home/<user>/.config/gcloud -p r -k shai_hulud_cred_access`. For network detection, capture a controlled npm install in an isolated VM: `tcpdump -i eth0 -w shai_hulud_capture.pcap 'not host <your_registry_ip>'` (the BPF keyword order is `not host`; the exclusion only works when the VM resolves the registry to a single address, so pin it in /etc/hosts or use a local mirror). Without a Sigma engine, apply the rule logic by hand: parse CI/CD logs (self-hosted GitHub Actions runners keep diagnostics under `<runner_install_dir>/_diag/`) for lines naming any of the four packages, take the timestamp, and correlate with firewall or proxy logs for outbound POSTs from the same host within a 60-second window.
Preserve Evidence
Pull npm install logs from CI runners: on GitHub Actions these are in the workflow run logs and locally in `~/.npm/_logs/`. Check the Node.js process audit trail: on Linux, auditd syscall records (event type EXECVE) show `node` spawning `sh` or `bash` child processes (ATT&CK T1059.007) if Shai-Hulud's postinstall script executed; on Windows developer machines, query Sysmon Event ID 1 (Process Create) for `node.exe` as parent with `cmd.exe` or `powershell.exe` as child. Capture DNS query logs or proxy logs for names resolved by `node` processes during the install window, since the infostealer component exfiltrates by outbound POST to an attacker-controlled endpoint (specific C2 values were not confirmed in the sources reviewed; see Detection Guidance). Access-time metadata on `~/.aws/credentials`, `~/.config/gcloud/application_default_credentials.json` and any `.env` files is supporting evidence of credential harvesting where atime updates are enabled, but auditd, osquery or EDR file-read events are the authoritative record.
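The correlation Step 2 describes (a Node.js process spawning a shell, then credential-file reads and an outbound POST from the same host within a short window) as an added example, not code from the advisory or any vendor. It assumes a constructed key=value telemetry line format standing in for auditd EXECVE, Sysmon and proxy logs; the hostnames, paths and the 203.0.113.10 destination in the sample are constructed, and the allowlist and 60-second window are assumptions to tune.

```python
"""Correlate a Node.js process spawning a shell with credential-file reads and
outbound POSTs from the same host inside a short window.

Added example, not code from the advisory or any vendor. Events arrive in a
constructed key=value line format standing in for auditd EXECVE, Sysmon
Event ID 1 and proxy logs; map your real sources into Event first.
"""
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from datetime import datetime, timedelta

NODE_BINARIES = {"node", "node.exe"}
SHELLS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Destinations node may legitimately reach during an install (add your mirror).
ALLOWED_NET_HOSTS = {"registry.npmjs.org"}
# Credential and wallet locations the advisory names, matched as substrings.
CREDENTIAL_MARKERS = (
    "/.aws/credentials", "/.config/gcloud/", "/.azure/", "/.env",
    "metamask", "wallet.dat",
)
WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str              # "proc", "file" or "net"
    fields: dict[str, str]


@dataclass
class Alert:
    host: str
    ts: datetime
    severity: str          # "high" = shell spawn + credential read + POST
    evidence: list[str] = field(default_factory=list)


def parse_line(line: str) -> Event:
    """'<iso timestamp> host=... type=... k=v k="v with spaces"' -> Event."""
    ts_str, *pairs = shlex.split(line)
    fields = dict(p.split("=", 1) for p in pairs)
    ts = datetime.fromisoformat(ts_str.replace("Z", "+00:00"))
    return Event(ts, fields.pop("host"), fields.pop("type"), fields)


def is_credential_path(path: str) -> bool:
    lowered = path.lower()
    return any(marker in lowered for marker in CREDENTIAL_MARKERS)


def is_node_shell_spawn(e: Event) -> bool:
    return (e.kind == "proc"
            and e.fields.get("parent") in NODE_BINARIES
            and e.fields.get("child") in SHELLS)


def detect(lines: list[str], window: timedelta = WINDOW) -> list[Alert]:
    """One Alert per node->shell spawn that is followed, on the same host and
    within `window`, by a credential read and/or an outbound POST by node."""
    events = sorted((parse_line(ln) for ln in lines if ln.strip()), key=lambda e: e.ts)
    alerts: list[Alert] = []
    for anchor in filter(is_node_shell_spawn, events):
        evidence = [f"{anchor.ts.isoformat()} node spawned {anchor.fields['child']}"]
        cred_read = outbound_post = False
        for e in events:
            if e.host != anchor.host or not (anchor.ts <= e.ts <= anchor.ts + window):
                continue
            if e.fields.get("proc") not in NODE_BINARIES:
                continue          # reads by the aws CLI itself are expected
            if e.kind == "file" and is_credential_path(e.fields.get("path", "")):
                cred_read = True
                evidence.append(f"{e.ts.isoformat()} node read {e.fields['path']}")
            elif (e.kind == "net"
                  and e.fields.get("method", "").upper() == "POST"
                  and e.fields.get("dst") not in ALLOWED_NET_HOSTS):
                outbound_post = True
                evidence.append(f"{e.ts.isoformat()} node POST to {e.fields['dst']}")
        if cred_read or outbound_post:
            severity = "high" if cred_read and outbound_post else "medium"
            alerts.append(Alert(anchor.host, anchor.ts, severity, evidence))
    return alerts


# Constructed sample telemetry: one infected workstation, one clean CI runner
# building a native addon, and a developer whose own aws CLI reads the file.
SAMPLE_LOG = """
2026-03-31T10:02:11Z host=dev-01 type=proc parent=node child=sh cmd="sh -c node scripts/postinstall.js"
2026-03-31T10:02:12Z host=dev-01 type=file proc=node op=read path=/home/alice/.aws/credentials
2026-03-31T10:02:12Z host=dev-01 type=file proc=node op=read path=/home/alice/.config/gcloud/application_default_credentials.json
2026-03-31T10:02:14Z host=dev-01 type=net proc=node method=POST dst=203.0.113.10 bytes=18231
2026-03-31T10:05:40Z host=ci-runner-7 type=proc parent=node child=sh cmd="sh -c node-gyp rebuild"
2026-03-31T10:05:41Z host=ci-runner-7 type=file proc=node op=read path=/home/runner/work/app/package.json
2026-03-31T10:05:42Z host=ci-runner-7 type=net proc=node method=GET dst=registry.npmjs.org bytes=4096
2026-03-31T10:09:03Z host=dev-02 type=file proc=aws op=read path=/home/bob/.aws/credentials
2026-03-31T10:09:05Z host=dev-02 type=net proc=aws method=POST dst=sts.amazonaws.com bytes=900
""".strip().splitlines()

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(f"[{alert.severity.upper()}] {alert.host} at {alert.ts.isoformat()}")
        for item in alert.evidence:
            print("   ", item)
```

Only dev-01 fires: the CI runner's shell spawn is node-gyp doing a legitimate build and it reads no credential file, and dev-02's credential read belongs to the aws CLI, not to node. A credential read without the network leg still yields a medium alert, which is the right call when the proxy log is missing rather than clean.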
Step 3: Eradication. Remove the malicious packages using npm uninstall for each identified package. Rotate all cloud credentials (AWS IAM keys, GCP service account keys, Azure service principals) that were present on any system where the packages were installed. Rotate any API keys, tokens, or secrets stored in environment files accessible during the compromised build. Verify that the axios version in use resolves to registry.npmjs.org in package-lock.json and that its `integrity` hash matches the value the registry publishes; `npm ci` enforces this on install, while `npm audit` only reports known vulnerabilities and does not verify package hashes.
IR Detail
Eradication
NIST 800-61r3 §3.4 — Eradication
NIST IR-4 (Incident Handling)
NIST SI-2 (Flaw Remediation)
NIST AC-2 (Account Management)
CIS 5.3 (Disable Dormant Accounts)
CIS 7.2 (Establish and Maintain a Remediation Process)
Compensating Control
For credential rotation without enterprise tooling: AWS — enumerate keys on affected IAM identities with `aws iam list-access-keys --user-name <user>`, deactivate each compromised key immediately with `aws iam update-access-key --access-key-id <KEY> --user-name <user> --status Inactive`, issue a replacement with `aws iam create-access-key --user-name <user>`, and delete the old key with `aws iam delete-access-key` once workloads are cut over; before rotating, run `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=AssumeRole` to detect any lateral movement made with the stolen keys. GCP — revoke service account keys via `gcloud iam service-accounts keys delete <KEY_ID> --iam-account=<SA>`. For lockfile integrity verification without a paid registry: `npm ci --ignore-scripts` with a pinned package-lock.json reinstalls without running any install hook (this also skips legitimate hooks such as node-gyp builds of native addons, so expect some packages to need an explicit rebuild step); verify axios by comparing the `integrity` field in package-lock.json with `npm view axios@<version> dist.integrity`.
Preserve Evidence
Before rotating credentials, record all currently active AWS IAM access keys (`aws iam list-users --query 'Users[].UserName' --output text | tr '\t' '\n' | xargs -I{} aws iam list-access-keys --user-name {}`), GCP service account keys (`gcloud iam service-accounts keys list --iam-account=<SA>` for each account) and Azure service principal secrets (`az ad sp credential list --id <APP_ID>`) as a baseline for post-rotation comparison. Preserve any `.env`, `.envrc` or CI/CD environment variable exports that were readable during the compromised build; these define the exact secret scope accessible to the Shai-Hulud payload. Check the npm cache: the malicious tarballs may persist in `~/.npm/_cacache/`. `npm cache verify` checks the cache's own integrity but does not list its contents, so search the index for the package names directly: `grep -rlE 'chalk-tempalte|axois-utils|color-style-utils|@deadcode09284814/axios-util' ~/.npm/_cacache/index-v5/`.
Step 4: Recovery. After credential rotation, verify no unauthorized IAM users, roles, or cloud resources were created (T1136.003) using cloud provider audit logs (AWS CloudTrail, GCP Audit Logs, Azure Activity Log). Monitor for anomalous outbound traffic patterns consistent with DDoS botnet C2 beaconing. Confirm CI/CD pipelines rebuild from clean dependency lockfiles. Run npm audit on all affected projects post-remediation.
IR Detail
Recovery
NIST 800-61r3 §3.5 — Recovery
NIST IR-4 (Incident Handling)
NIST AU-6 (Audit Record Review, Analysis, and Reporting)
NIST SI-4 (System Monitoring)
CIS 7.3 (Perform Automated Operating System Patch Management)
CIS 7.4 (Perform Automated Application Patch Management)
Compensating Control
Query AWS CloudTrail Event history (90 days of management events, available without configuring a trail) for unauthorized account creation: `aws cloudtrail lookup-events --lookup-attributes AttributeKey=EventName,AttributeValue=CreateUser --start-time <incident_window_start>`, and repeat for the other event names listed under Preserve Evidence. For DDoS botnet C2 detection without a SIEM, capture 30 minutes of outbound traffic from affected hosts with tcpdump or Wireshark and look for periodic beaconing (connections to a single external IP at a near-constant interval, the pattern expected from the color-style-utils DDoS recruiter component). On Windows, Security Event ID 5156 (WFP permitted connection) records per-process connections only when the Audit Filtering Platform Connection policy is enabled; Sysmon Event ID 3 (Network connection) is the more practical source. Filter either, or syslog-forwarded firewall logs, for `node.exe`/`node` connecting to addresses outside your npm registry and CDN allowlist. For CI/CD pipeline verification, enforce `npm ci` (which requires and validates package-lock.json) over `npm install` in all pipeline definitions, and add `--ignore-scripts` to block install-hook execution during recovery builds, accepting that native addons will then need an explicit rebuild step.
Preserve Evidence
Pull AWS CloudTrail event history filtered to the time window between initial malicious package install and credential rotation — specifically query for `CreateUser`, `CreateRole`, `AttachRolePolicy`, `RunInstances`, and `CreateBucket` API calls originating from the compromised IAM key. In GCP Audit Logs, filter for `google.iam.admin.v1.CreateServiceAccount` and `google.iam.admin.v1.SetIAMPolicy` events. For DDoS botnet persistence, check for cron entries (`crontab -l`, `/etc/cron.d/`, `/var/spool/cron/`) or systemd unit files added post-install, as the color-style-utils botnet recruiter may establish persistence to survive a simple npm uninstall. Capture current network connection state (`ss -tunp | grep node`) as a clean-state baseline for comparison during the monitoring window.
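The periodic beaconing Step 4 asks you to look for, as an added example rather than code from the advisory or any vendor. It scores every (source, destination) pair that `node` talks to by how regular the gaps between connections are; the flow records, the 198.51.100.23 destination and the allowlist are constructed, and the connection-count and jitter thresholds are assumptions to tune.

```python
"""Flag beacon-like traffic: many connections from node to one destination at
a near-constant interval, the cadence a DDoS-bot C2 check-in leaves behind.

Added example, not code from the advisory or any vendor. The flow records are
constructed; MIN_CONNECTIONS and MAX_JITTER are starting thresholds to tune.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

MIN_CONNECTIONS = 8      # fewer samples cannot establish a rhythm
MAX_JITTER = 0.15        # stdev/mean of inter-arrival gaps; beacons sit near 0
ALLOWED_HOSTS = {"registry.npmjs.org", "github.com"}   # hypothetical allowlist
NODE_BINARIES = {"node", "node.exe"}

Flow = tuple[float, str, str, str]   # (epoch seconds, src host, process, dst)


@dataclass
class Beacon:
    src: str
    dst: str
    count: int
    interval_s: float
    jitter: float


def find_beacons(flows: list[Flow]) -> list[Beacon]:
    """Group node's outbound flows by (src, dst) and keep the pairs whose
    inter-arrival gaps are regular enough to look machine-scheduled."""
    by_pair: dict[tuple[str, str], list[float]] = defaultdict(list)
    for ts, src, proc, dst in flows:
        if proc in NODE_BINARIES and dst not in ALLOWED_HOSTS:
            by_pair[(src, dst)].append(ts)
    beacons: list[Beacon] = []
    for (src, dst), times in by_pair.items():
        if len(times) < MIN_CONNECTIONS:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= MAX_JITTER:
            beacons.append(Beacon(src, dst, len(times), round(avg, 1), round(jitter, 3)))
    return beacons


def constructed_flows() -> list[Flow]:
    """Sample data: a 30 s beacon with small jitter, an irregular API client on
    the same host, and allowlisted registry fetches on a runner."""
    base = 1_775_000_000.0
    offsets = [0, 30.5, 60, 90.8, 120.2, 150, 180.9, 210.1, 240, 270.7, 300.3, 330]
    flows: list[Flow] = [(base + o, "dev-01", "node", "198.51.100.23") for o in offsets]
    t = base
    for gap in (5, 40, 3, 120, 17, 60, 2, 90, 11):     # bursty, human-driven
        t += gap
        flows.append((t, "dev-01", "node", "api.example.invalid"))
    flows += [(base + 10 * i, "ci-runner-7", "node", "registry.npmjs.org") for i in range(20)]
    return flows


if __name__ == "__main__":
    for b in find_beacons(constructed_flows()):
        print(f"{b.src} -> {b.dst}: {b.count} connections every ~{b.interval_s}s (jitter {b.jitter})")
```

Convert Zeek conn.log, NetFlow or Sysmon Event ID 3 records into (timestamp, host, process, destination) tuples to run it on real traffic. The irregular api.example.invalid client has enough connections to be evaluated but a jitter near 1.0, so it is not reported; the registry fetches on the runner are perfectly periodic but allowlisted, which is why the allowlist should contain only hosts you control or pin by address.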
Step 5: Post-Incident. This campaign exposes gaps in dependency vetting and supply chain integrity verification. Implement controls including: npm package allowlisting or private registry mirroring; automated typosquatting detection in CI pipelines; lockfile pinning with integrity hashes enforced through `npm ci`; developer secrets management (replace plaintext config files with secrets managers). Map gaps to CIS Control 2 (Inventory and Control of Software Assets) and NIST SP 800-161 (Supply Chain Risk Management).
IR Detail
Post-Incident
NIST 800-61r3 §4 — Post-Incident Activity
NIST IR-4 (Incident Handling)
NIST IR-8 (Incident Response Plan)
NIST SI-7 (Software, Firmware, and Information Integrity)
NIST SI-2 (Flaw Remediation)
CIS 2.1 (Establish and Maintain a Software Inventory)
CIS 2.2 (Ensure Authorized Software is Currently Supported)
CIS 7.1 (Establish and Maintain a Vulnerability Management Process)
Compensating Control
For teams without a private registry budget: set `ignore-scripts=true` in `.npmrc` so install hooks never run by default, and re-enable them only for the packages that need them in a reviewed build step. Implement typosquatting detection in CI with a short script that computes the Levenshtein distance between every dependency name in package-lock.json and your approved package list and fails the build on any name within edit distance 2 that is not an exact match (this catches chalk-tempalte against chalk-template and the axois prefix against axios; note that Python's difflib reports a similarity ratio, not an edit distance, so implement the distance directly). Replace long-lived plaintext `~/.aws/credentials` files with IAM roles for EC2 and container workloads and short-lived developer credentials from IAM Identity Center (`aws sso login`), or HashiCorp Vault open-source edition for developer secrets. Add a YARA rule to the CI pipeline to scan node_modules at build time for Shai-Hulud payload strings (credential path patterns such as `/.aws/credentials`, `gcloud`, `metamask`) using `yara -r shai_hulud.yar ./node_modules/`, and expect false positives from legitimate cloud SDKs that reference the same paths.
Preserve Evidence
Compile the full timeline of the incident for the lessons-learned record: first install timestamp from npm logs, first credential access timestamp from auditd or Sysmon, first outbound exfiltration connection from network logs, and rotation timestamp from cloud provider audit logs. Preserve copies of the four malicious package tarballs (if recoverable from npm cache at `~/.npm/_cacache/`) for internal YARA rule development targeting Shai-Hulud payload signatures. Document which developer workstations and CI runners had the plaintext credential files accessible, as this defines the exact data exposure scope for any required breach notification assessment.
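The lockfile checks from Step 1 (exact matches on the four package names), Step 3 (registry source and integrity pin) and Step 5 (edit-distance typosquat detection) combined in one scanner, as an added example that is not code from the advisory or any vendor. The allowlist, trusted registry host and sample lockfile are constructed; the four KNOWN_BAD names are the ones the advisory lists, and the leading-segment comparison that catches axois-utils against axios is an assumption that will need tuning against your own package names.

```python
"""Scan package-lock.json for the four packages named in this advisory, for
near-miss typosquats of an approved-package list, and for entries not resolved
from a trusted registry or lacking an integrity hash.

Added example, not code from the advisory or any vendor. ALLOWLIST,
TRUSTED_HOSTS and SAMPLE_LOCK are constructed; replace them with your own.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass
from urllib.parse import urlparse

KNOWN_BAD = {"chalk-tempalte", "@deadcode09284814/axios-util",
             "axois-utils", "color-style-utils"}
ALLOWLIST = {"axios", "chalk", "chalk-template", "color-name", "lodash"}
TRUSTED_HOSTS = {"registry.npmjs.org"}
MAX_EDIT_DISTANCE = 2


@dataclass(frozen=True)
class Finding:
    package: str
    kind: str      # known-bad | typosquat | untrusted-source | no-integrity
    detail: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance with insert, delete and substitute costing 1 each."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def unscoped(name: str) -> str:
    """'@scope/axios-util' -> 'axios-util'; anyone can register a scope."""
    return name.split("/", 1)[1] if name.startswith("@") else name


def nearest_allowlisted(name: str) -> tuple[str, int] | None:
    """Closest approved name within MAX_EDIT_DISTANCE of the full name or of
    its leading hyphen segment (catches brand squats such as 'axois-utils');
    exact matches and distant names return None."""
    bare = unscoped(name)
    best = None
    for candidate in {bare, bare.split("-", 1)[0]}:
        for good in ALLOWLIST:
            d = levenshtein(candidate, good)
            if 0 < d <= MAX_EDIT_DISTANCE and (best is None or d < best[1]):
                best = (good, d)
    return best


def iter_packages(lock: dict):
    """Yield (name, entry) for lockfile v2/v3 'packages' or v1 'dependencies'."""
    if "packages" in lock:
        for key, entry in lock["packages"].items():
            if key:                      # "" is the root project itself
                yield key.split("node_modules/")[-1], entry
        return
    stack = list(lock.get("dependencies", {}).items())
    while stack:
        name, entry = stack.pop()
        yield name, entry
        stack.extend(entry.get("dependencies", {}).items())


def scan_lockfile(lock: dict) -> list[Finding]:
    findings: list[Finding] = []
    for name, entry in iter_packages(lock):
        if name in KNOWN_BAD:
            findings.append(Finding(name, "known-bad", "package named in advisory"))
        elif name not in ALLOWLIST and (near := nearest_allowlisted(name)):
            findings.append(Finding(name, "typosquat", f"edit distance {near[1]} from {near[0]}"))
        resolved = entry.get("resolved", "")
        if resolved and urlparse(resolved).hostname not in TRUSTED_HOSTS:
            findings.append(Finding(name, "untrusted-source", resolved))
        if resolved and not entry.get("integrity"):
            findings.append(Finding(name, "no-integrity", "no hash pin; npm ci cannot verify"))
    return findings


def _lock_entry(name: str, host: str = "registry.npmjs.org", integrity: bool = True) -> dict:
    """Build a constructed lockfile entry (version 0.0.0 is a placeholder)."""
    entry = {"resolved": f"https://{host}/{name}/-/{unscoped(name)}-0.0.0.tgz"}
    if integrity:
        entry["integrity"] = "sha512-constructed"
    return entry


# Constructed lockfile: a clean axios, three of the four named packages, and a
# near-miss of color-name pulled from an untrusted host with no integrity hash.
SAMPLE_LOCK = {"name": "demo-app", "lockfileVersion": 3, "packages": {
    "": {"name": "demo-app"},
    "node_modules/axios": _lock_entry("axios"),
    "node_modules/axois-utils": _lock_entry("axois-utils"),
    "node_modules/chalk-tempalte": _lock_entry("chalk-tempalte"),
    "node_modules/@deadcode09284814/axios-util": _lock_entry("@deadcode09284814/axios-util"),
    "node_modules/colr-name": _lock_entry("colr-name", host="cdn.example.invalid", integrity=False),
}}

if __name__ == "__main__":
    lock = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LOCK
    results = scan_lockfile(lock)
    for f in results:
        print(f"{f.kind:17} {f.package:35} {f.detail}")
    sys.exit(1 if any(f.kind in ("known-bad", "typosquat") for f in results) else 0)
```

Run it as `python scan_lock.py package-lock.json` in CI and fail the job on a non-zero exit; the untrusted-source and no-integrity findings are worth a warning on their own, since either defeats the verification `npm ci` performs. The leading-segment comparison is deliberately loose and will flag legitimate companions of short names, so keep the allowlist to exact names you approve and review hits rather than auto-blocking them.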
Recovery Guidance
After credential rotation, maintain heightened monitoring of all newly issued cloud credentials and CI/CD pipeline executions for a minimum of 30 days: the DDoS module may have established persistence (cron, systemd) that survives package removal and can re-establish C2 contact using pre-staged credentials or tokens not covered by the initial rotation. Verify a clean rebuild by running `npm ci --ignore-scripts` on all affected projects from a fresh working directory and confirming `npm audit` returns zero high/critical findings against the restored lockfile. Separately confirm that no install hook in the dependency tree references an external URL or spawns a shell: list every `preinstall`, `install` and `postinstall` entry with `npm query ':attr(scripts, [postinstall])'` (npm 8.16 or later; repeat for the other two hook names) or by reading the `scripts` field of each package.json under node_modules, then review the listed commands by hand.
Key Forensic Artifacts
npm install logs and CI/CD pipeline stdout/stderr logs containing install timestamps for chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils — typically found at ~/.npm/_logs/ on developer workstations and in CI runner job logs (GitHub Actions: workflow run logs; Jenkins: build console output at $JENKINS_HOME/jobs/<job>/builds/<n>/log)
File access-time (atime) metadata on ~/.aws/credentials, ~/.config/gcloud/application_default_credentials.json, the Azure CLI token cache under ~/.azure/ (accessTokens.json on older CLI versions, the MSAL cache on current ones) and any .env files in the project root. An atime within seconds of the npm install timestamp supports the conclusion that the payload read the file, but a stale atime proves nothing: Linux defaults to relatime, which refreshes atime at most once a day unless the file changed, and noatime mounts never record reads. Treat auditd, osquery or EDR file-access events as the authoritative record.
Sysmon Event ID 1 (Process Create) or auditd EXECVE records showing node.exe or node spawning sh, bash, cmd.exe, or powershell.exe as a child process during the npm install window — this is the behavioral signature of Shai-Hulud's postinstall script execution (ATT&CK T1059.007)
Network flow records or pcap captures showing outbound HTTP POST requests from node processes to non-npm-registry endpoints during or immediately after install, particularly to hardcoded C2 IPs or domains embedded in the Shai-Hulud toolkit — these represent the credential exfiltration channel (ATT&CK T1071.001)
AWS CloudTrail management events, GCP Admin Activity audit logs and Microsoft Entra ID audit logs for identity actions occurring after the install timestamp and before credential rotation: CreateUser, CreateRole, AttachRolePolicy and AssumeRole (AWS), CreateServiceAccount and SetIAMPolicy (GCP), and "Add service principal" or "Add application" (Entra ID; the Azure Activity Log records Resource Manager operations only, so a service principal created with New-AzADServicePrincipal appears in the Entra audit log, not there). These confirm whether the stolen credentials were used for cloud account persistence (ATT&CK T1136.003).
Detection Guidance
Search package manifests and install logs for exact matches on: chalk-tempalte (note the transposed letters vs legitimate chalk-template), @deadcode09284814/axios-util, axois-utils, color-style-utils.
In SIEM or EDR, query for Node.js processes (node, npm) making outbound connections to non-allowlisted IPs or domains at install time.
Flag file access events targeting credential paths: ~/.aws/credentials, ~/.azure/, ~/.config/gcloud/application_default_credentials.json, and common cryptocurrency wallet paths.
Alert on JavaScript processes spawning child processes (sh, bash, cmd) unexpectedly. For DDoS botnet indicators, look for Node.js processes generating high-volume outbound UDP or TCP traffic to rotating IP ranges. IOC-level indicators (specific C2 domains, hashes) were not confirmed in session-accessible sources; consult the Microsoft and Huntress advisories linked in sources for artifact-level IOCs.
Indicators of Compromise (4)
All four indicators are npm package names, not network domains: match them in package manifests, lockfiles, npm caches and registry proxy logs, not in DNS or proxy telemetry.
Type | Value | Context | Confidence
npm package | chalk-tempalte | Typosquat of chalk-template carrying the Shai-Hulud infostealer variant | MEDIUM
npm package | @deadcode09284814/axios-util | Scoped typosquat of axios carrying the Shai-Hulud infostealer variant | MEDIUM
npm package | axois-utils | Typosquat of axios carrying the Shai-Hulud infostealer variant | MEDIUM
npm package | color-style-utils | Malicious package carrying the Shai-Hulud infostealer variant with DDoS botnet module | MEDIUM
Platform Playbooks: Microsoft Sentinel / Defender, CrowdStrike Falcon, AWS Security
Sentinel hunting queries (4)
These four rules are generic behavioral detections, not campaign-specific: run them alongside the Node.js process, credential-file and network indicators in Detection Guidance, which are what actually distinguish this campaign.
Sentinel rule: Encoded command execution (KQL, read-only detection query)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where ProcessCommandLine matches regex @"[A-Za-z0-9+/]{50,}={0,2}"
or ProcessCommandLine has_any ("-enc ", "-encodedcommand", "frombase64string", "certutil -decode")
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "certutil.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Suspicious file execution from downloads (KQL, read-only detection query)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FolderPath has_any ("\\Downloads\\", "\\Temp\\", "\\AppData\\Local\\Temp\\")
| where FileName matches regex @"(?i)\.(exe|scr|bat|ps1|vbs|js|hta|msi)$"
| where InitiatingProcessFileName in~ ("explorer.exe", "outlook.exe", "chrome.exe", "msedge.exe")
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, ProcessCommandLine, AccountName
| sort by Timestamp desc
Sentinel rule: Unusual C2 communication patterns (KQL, read-only detection query)
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (80, 443, 8080, 8443)
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "firefox.exe", "teams.exe", "outlook.exe", "svchost.exe")
| summarize Connections = count() by DeviceName, RemoteIP, InitiatingProcessFileName
| where Connections > 50
| sort by Connections desc
Sentinel rule: Suspicious PowerShell command line (KQL, read-only detection query)
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")
| where ProcessCommandLine has_any ("-enc", "-nop", "bypass", "hidden", "downloadstring", "invoke-expression", "iex", "frombase64", "new-object net.webclient")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName, InitiatingProcessFileName
| sort by Timestamp desc
Falcon API IOC Import (POST /indicators/entities/iocs/v1)
Not applicable for these four indicators. They are npm package names, not domains, IP addresses or file hashes, and the Falcon IOC API accepts only domain, ipv4, ipv6, md5 and sha256 indicator types, so a domain-type import of these strings would never match anything. Block the package names at the registry proxy or private mirror denylist and in CI manifest checks instead, and import tarball or payload hashes into Falcon once the Microsoft or Huntress advisories publish them.
Route 53 DNS: Malicious Domain Resolution
No DNS indicator is available yet. The four IOCs are npm package names and never appear as query names (an install only resolves the registry host), so filtering Resolver query logs on them returns nothing. Once vendor advisories publish C2 domains, substitute them into the CloudWatch Logs Insights query below.
fields @timestamp, qname, srcaddr, rcode
| filter qname in ["<c2-domain-1>", "<c2-domain-2>"]
| sort @timestamp desc
| limit 200
MITRE ATT&CK Mapping (11 techniques)
T1588.001
Obtain Capabilities: Malware
resource-development
T1195.001
Compromise Software Dependencies and Development Tools
initial-access
T1204.002
User Execution: Malicious File
execution
T1059.007
Command and Scripting Interpreter: JavaScript
execution
T1027
Obfuscated Files or Information
defense-evasion
T1552.001
Unsecured Credentials: Credentials In Files
credential-access
T1136.003
Create Account: Cloud Account
persistence
T1071.001
Application Layer Protocol: Web Protocols
command-and-control
T1567
Exfiltration Over Web Service
exfiltration
T1567.001
Exfiltration to Code Repository
exfiltration
T1498
Network Denial of Service
impact
Guidance Disclaimer
The analysis, framework mappings, and incident response recommendations in this intelligence item are derived from established industry standards including NIST SP 800-61, NIST SP 800-53, CIS Controls v8, MITRE ATT&CK, and other recognized frameworks. This content is provided as supplemental intelligence guidance only and does not constitute professional incident response services. Organizations should adapt all recommendations to their specific environment, risk tolerance, and regulatory requirements. This material is not a substitute for your organization's official incident response plan, legal counsel, or qualified security practitioners.