Find notable cyber news and cases, enriched with sources, timelines, and signals.

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First reported
Last updated
Happening score
H score 22
1 unique sources, 1 articles

Summary

Hide ▲

Four npm packages published by deadcode09284814 were found delivering information-stealing malware and Phantom Bot DDoS capability, putting installers at risk of credential theft, wallet theft, and target flooding. One package, chalk-tempalte, is a clone of the Shai-Hulud worm, while axois-utils delivers a Golang-based botnet. The remaining packages steal SSH keys, cloud credentials, and other sensitive data and send it to remote infrastructure.

Related Happenings

IronWorm npm supply-chain infection and self-propagation

Malware Activity
H score15 First: 04.06.2026 18:25 Last: 04.06.2026 18:25 Sources 1

About this happening: **IronWorm** is a **Rust** infostealer in a **npm supply-chain** activity that hides behind an **eBPF kernel rootkit**, communicates over **Tor**, and targets **86 environment var...

Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack

Incident
H score13 First: 01.06.2026 20:40 Last: 01.06.2026 20:40 Sources 1

About this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
H score47 First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 18.05.2026 11:57 2 articles · 1mo ago

    Researchers identify malicious npm packages from deadcode09284814

    Initial Disclosure

    Cybersecurity researchers identify four malicious npm packages on npm published by deadcode09284814, including chalk-tempalte, which clones the Shai-Hulud worm code, axois-utils, which delivers the Phantom Bot Golang-based DDoS botnet, and two other packages that steal SSH keys, cloud credentials, system information, IP address, and cryptocurrency wallet data before sending it to remote infrastructure.

    Show sources