Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
Summary
Hide ▲
Show ▼
Four npm packages published by deadcode09284814 were found delivering information-stealing malware and Phantom Bot DDoS capability, putting installers at risk of credential theft, wallet theft, and target flooding. One package, chalk-tempalte, is a clone of the Shai-Hulud worm, while axois-utils delivers a Golang-based botnet. The remaining packages steal SSH keys, cloud credentials, and other sensitive data and send it to remote infrastructure.
Related Happenings
IronWorm npm supply-chain infection and self-propagation
Malware Activity
H score15
First: 04.06.2026 18:25
Last: 04.06.2026 18:25
Sources 1
About this happening:
**IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
IronWorm npm supply-chain infection and self-propagation
Malware ActivityAbout this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident
H score13
First: 01.06.2026 20:40
Last: 01.06.2026 20:40
Sources 1
About this happening:
**Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
IncidentAbout this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Malware-Slop malicious npm file-theft campaign
Campaign
H score39
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
**Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Laravel-Lang PHP package supply-chain credential-stealing campaign
Campaign
H score47
First: 23.05.2026 12:51
Last: 23.05.2026 12:51
Sources 1
About this happening:
A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...
Laravel-Lang PHP package supply-chain credential-stealing campaign
CampaignAbout this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Timeline
-
18.05.2026 11:57 2 articles · 1mo ago
Researchers identify malicious npm packages from deadcode09284814
Initial DisclosureCybersecurity researchers identify four malicious npm packages on npm published by deadcode09284814, including chalk-tempalte, which clones the Shai-Hulud worm code, axois-utils, which delivers the Phantom Bot Golang-based DDoS botnet, and two other packages that steal SSH keys, cloud credentials, system information, IP address, and cryptocurrency wallet data before sending it to remote infrastructure.
Show sources
- Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware — thehackernews.com — 18.05.2026 11:57
- Four Malicious npm Packages Deliver Infostealers and Phantom Bot DDoS Malware — thehackernews.com — 18.05.2026 11:57