PROBABLYPWNED
Malware | May 22, 2026 | 4 min read

Leaked Shai-Hulud Code Spawns npm Infostealer With DDoS Capabilities

Leaked Shai-Hulud malware source code fuels new npm supply chain attack. Four malicious packages steal credentials and deploy DDoS bot with TCP/UDP flood capabilities.

James Rivera

The Shai-Hulud infostealer malware, whose source code leaked last week, has already been weaponized in a new npm supply chain campaign. Security researchers discovered four malicious packages on the npm registry that deploy credential stealers, cryptocurrency wallet drainers, and a DDoS botnet component capable of HTTP, TCP, and UDP flood attacks.

A threat actor using the handle "deadcode09284814" published the packages over the weekend of May 18, 2026. The combined download count reached 2,678 before npm removed them. Registry download counts include mirrors and automated scanners, so the number of real installs is lower, but it is still enough to have reached developer environments across multiple organizations.

The Malicious Packages

According to BleepingComputer's analysis, the four packages used typosquatting tactics to impersonate legitimate utilities such as chalk-template and axios:

Package                         Purpose
chalk-tempalte                  Unobfuscated Shai-Hulud clone (infostealer)
@deadcode09284814/axios-util    Credential and cloud config stealer
axois-utils                     Infostealer with DDoS botnet ("phantom bot")
color-style-utils               Cryptocurrency wallet and IP info stealer

The chalk-tempalte package is particularly notable—it contains a nearly direct copy of the leaked Shai-Hulud code with minimal obfuscation, suggesting the attacker prioritized speed over stealth.

The axois-utils package stands out for bundling DDoS capabilities alongside credential theft. Internal references to "phantom bot" suggest the attacker intended to build a botnet from compromised developer machines, capable of launching HTTP floods, TCP floods, UDP floods, and TCP reset attacks.

What Gets Stolen

Once installed, the malware targets:

  • Developer credentials — GitHub tokens, npm registry credentials, cloud provider keys
  • Cryptocurrency wallets — Wallet files and seed phrases
  • Cloud configurations — AWS credentials, GCP service accounts, Azure config files
  • Account information — Saved passwords, session tokens, API keys
  • IP addresses — Likely for profiling victims and C2 communication

Exfiltration occurs via HTTPS to a command-and-control server at 87e0bbc636999[.]lhr[.]life. Note that lhr.life is the domain used by the localhost.run tunneling service, so the hostname is a throwaway tunnel endpoint rather than attacker-owned infrastructure; blocking this one name has limited value, and follow-on variants can be expected to use a fresh subdomain.

Not the Original TeamPCP

The unobfuscated nature of the code and the relatively unsophisticated deployment suggest this is a copycat operation, not the work of TeamPCP—the group behind the original Shai-Hulud malware and the devastating TanStack supply chain compromise earlier this month.

This marks the first documented case of a Shai-Hulud clone deployed on npm. The speed of weaponization—less than a week from source code leak to active exploitation—demonstrates how quickly leaked malware code gets repurposed.

The pattern is familiar. When malware source code becomes public, either through deliberate leaks or security research, it typically spawns multiple copycat campaigns within days. We saw this with Mirai, with Conti, and now with Shai-Hulud.

Broader npm Security Context

This attack follows an aggressive wave of npm supply chain compromises in 2026. Just last week, the Nx Console VS Code extension was hijacked for 11 minutes—long enough to compromise developer credentials that later enabled the Grafana breach.

The npm ecosystem has seen a steady stream of similar attacks:

  • node-ipc credential stealer affecting 10 million downloads
  • TanStack compromise affecting 84 package versions
  • Multiple typosquatting campaigns targeting popular utilities

Developers and security teams should review their dependency chains for the four packages listed above. Even brief installations, during CI builds or development setup, could have exposed credentials: if a package runs its payload from an install script, as the original Shai-Hulud did, the theft happens at npm install time, before any application code is ever executed. Running npm ci --ignore-scripts in CI removes that execution window for packages that do not genuinely need install hooks.

Indicators of Compromise

Malicious packages (removed from npm):

  • chalk-tempalte
  • @deadcode09284814/axios-util
  • axois-utils
  • color-style-utils

C2 Server:

  • 87e0bbc636999[.]lhr[.]life

Recommended actions:

  1. Check package.json, lockfiles (package-lock.json, npm-shrinkwrap.json, yarn.lock, pnpm-lock.yaml), node_modules (including nested copies) and any CI dependency caches for the listed packages
  2. If found, treat every secret that was present on the affected machine or CI runner as compromised: revoke and reissue GitHub and npm tokens, rotate API keys and cloud credentials, and invalidate active sessions
  3. Review CI/CD logs and egress records for connections to the C2 hostname or to other lhr.life tunnel endpoints during dependency installation
  4. Audit cryptocurrency wallet access if development machines are also used for crypto operations
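The first step above is easy to get wrong by hand, because a malicious package can sit nested under another dependency's node_modules or appear only in a yarn or pnpm lockfile. The following script is an added example and is not code from the article or from npm; it walks one project directory and reports any reference to the four IoC packages in manifests, lockfiles and installed copies. The sample project it builds under a temp directory is constructed for the demonstration and is not a real compromised project.

```shell
#!/bin/sh
# Added example (not from the article): scan a project tree for the four
# packages named in the IoC list. Reports hits in package.json, npm lockfiles
# (v1 "name" keys and v2/v3 "node_modules/name" paths), yarn.lock ("name@range"
# entries), pnpm-lock.yaml ("/name@version" or "name:" keys) and any installed
# copy under node_modules, nested ones included.

IOC_PACKAGES='chalk-tempalte @deadcode09284814/axios-util axois-utils color-style-utils'

# scan_dir DIR: print one "HIT ..." line per finding; always returns 0.
scan_dir() {
  dir=$1
  for pkg in $IOC_PACKAGES; do
    for f in package.json package-lock.json npm-shrinkwrap.json yarn.lock pnpm-lock.yaml; do
      [ -f "$dir/$f" ] || continue
      # Package name bounded by start-of-line, slash, quote or space on the
      # left and by @, quote or colon on the right, so "axios" does not match.
      if grep -E -q "(^|[/\"' ])$pkg[@\":]" "$dir/$f"; then
        echo "HIT $dir/$f references $pkg"
      fi
    done
    if [ -d "$dir/node_modules" ]; then
      # -path matches the full path, so nested node_modules copies are found too.
      find "$dir/node_modules" -type d -path "*/node_modules/$pkg" 2>/dev/null |
        while IFS= read -r p; do echo "HIT installed copy at $p"; done
    fi
  done
  return 0
}

# count_hits DIR: number of HIT lines as a plain integer, for a CI gate.
count_hits() {
  scan_dir "$1" | grep -c '^HIT' || true
}

# make_sample_project: constructed (not real) project with one lockfile
# reference to axois-utils and one nested installed copy of the scoped
# package. Prints the temp directory path.
make_sample_project() {
  d=$(mktemp -d)
  mkdir -p "$d/node_modules/some-dep/node_modules/@deadcode09284814/axios-util"
  cat > "$d/package-lock.json" <<'EOF'
{
  "name": "sample-app",
  "lockfileVersion": 3,
  "packages": {
    "": { "dependencies": { "axois-utils": "^1.0.2" } },
    "node_modules/axois-utils": { "version": "1.0.2" }
  }
}
EOF
  echo "$d"
}

# make_clean_project: constructed project that only uses the legitimate
# names the malicious packages imitate, to show the matcher does not
# false-positive on them.
make_clean_project() {
  d=$(mktemp -d)
  mkdir -p "$d/node_modules/chalk" "$d/node_modules/axios"
  printf '{ "name": "clean-app", "dependencies": { "chalk": "^5.0.0", "axios": "^1.6.0" } }\n' \
    > "$d/package.json"
  echo "$d"
}

# Usage: sh scan-ioc.sh /path/to/repo   (no argument: scans the sample project)
if [ "${1:-}" = "" ]; then
  target=$(make_sample_project)
else
  target=$1
fi
scan_dir "$target"
echo "total hits: $(count_hits "$target")"
```

A non-zero hit count is the trigger for step 2; the scan only tells you the package was present, not what it did while it ran, so the credential rotation should not wait on a deeper analysis of the payload.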

The emergence of DDoS capabilities in what started as an infostealer suggests the Shai-Hulud lineage may continue to evolve. Organizations should monitor for additional variants as more actors leverage the leaked source code.
