Feed
HighPublished 16 May 2026Updated 19 May 20264 packages · 21 versions

Leaked Shai-Hulud + Phantom Bot copycats from npm user deadcode09284814

Summary

Three days after TeamPCP open-sourced the Shai-Hulud worm code (2026-05-13), npm publisher deadcode09284814 pushed four malicious packages on 2026-05-16: @deadcode09284814/axios-util, axois-utils, chalk-tempalte, and color-style-utils. chalk-tempalte is the first documented in-the-wild Shai-Hulud clone — a near-verbatim copy of the leaked source with a swapped C2. Tradecraft is well below TeamPCP standard; this is the first copycat wave riding the leak.

typosquatwormcredential-theftcrypto-wallet-draininfostealer
Detected by
Ox Security
Also known as
Phantom Bot · Shai-Hulud copycats
Ecosystems
npm
Packages tracked
4

What happened

Three days after TeamPCP open-sourced the Shai-Hulud worm on GitHub (2026-05-13), the first wave of in-the-wild copycats arrived. On 2026-05-16, a single npm publisher deadcode09284814 (phantomdeadcode@tutamail.com) pushed four malicious packages between 14:38 and 21:20 UTC: @deadcode09284814/axios-util (1.0.01.0.1), axois-utils (1.0.41.0.9), chalk-tempalte (1.0.141.0.20, skipping 1.0.18), and color-style-utils (1.0.31.0.9). Two are obvious typosquats of axios and chalk-template.

Each package carries a different payload but they share install scaffolding — preinstall, install, and postinstall hooks chained through postinstall.js, postinstall2.js, phantom.js, and distrube.js. Install scripts cannot be bypassed by lockfile-only installs because at least one hook fires from each lifecycle stage.

  • chalk-tempalte is the first documented in-the-wild Shai-Hulud clone on npm: a near-verbatim copy of the leaked source rewritten only to replace the C2 (87e0bbc636999b.lhr.life) and the embedded RSA private key. Credential-theft scope mirrors the original worm: npm tokens, GitHub PATs, AWS/GCP/Azure, Kubernetes service-account tokens, .env files.
  • axois-utils ships a Go-based DDoS botnet branded Phantom Bot that survives package deletion via Windows Startup-folder entry + scheduled task, with equivalent persistence on Linux. Capabilities include HTTP/TCP/UDP flooding and TCP-reset attacks.
  • @deadcode09284814/axios-util is a basic stealer exfiltrating SSH keys, env vars, and AWS/GCP/Azure credentials to 80.200.28.28:2222.
  • color-style-utils harvests IP/geolocation and crypto wallets to edcf8b03c84634.lhr.life.

Combined exposure was modest — ~2,678 downloads before disclosure by Ox Security on 2026-05-18 — but the case is significant as a tradecraft baseline: skill level, infrastructure, and operational discipline are nothing like TeamPCP. The Hacker News, BleepingComputer, GBHackers, The Register, and Dark Reading all carried the story the same day. npm has since removed all four packages. The campaign also highlights the rising abuse of lhr.life (localhost.run) reverse-tunnel subdomains as free, ephemeral C2 endpoints that bypass static block lists.

Affected packages (4)

  • npm@deadcode09284814/axios-util
    1.0.01.0.1
  • npmaxois-utils
    1.0.41.0.51.0.61.0.71.0.81.0.9
  • npmchalk-tempalte
    1.0.141.0.151.0.161.0.171.0.191.0.20
  • npmcolor-style-utils
    1.0.31.0.41.0.51.0.61.0.71.0.81.0.9

Impact

  • Shai-Hulud-style credential theft via chalk-tempalte (npm tokens, GitHub PATs, AWS/GCP/Azure, K8s, env files)
  • Cloud + SSH credential theft via @deadcode09284814/axios-util exfiltrated to 80.200.28.28:2222
  • Crypto wallet + IP geolocation harvest via color-style-utils to edcf8b03c84634.lhr.life
  • Persistent Go-based DDoS botnet (Phantom Bot) on Windows + Linux via axois-utils — HTTP/TCP/UDP/reset flood; survives package removal
  • install/preinstall/postinstall hooks fire even with package-lock-only installs

What to do

  1. 1Remove chalk-tempalte, axois-utils, color-style-utils, and @deadcode09284814/axios-util from every package.json / lockfile / cache. Likely typosquats — confirm you intended chalk-template (legit) and axios (legit), not the malicious variants
  2. 2On any machine that ran npm install against these packages: rotate npm/GitHub/CI tokens, AWS/GCP/Azure keys, SSH keys; assume crypto wallets and .env contents are compromised
  3. 3For axois-utils hosts specifically: hunt for Phantom Bot persistence — Windows Startup folder entries, scheduled tasks running unfamiliar Go binaries, Linux cron/systemd-user units; block egress to 80.200.28.28:2222, 87e0bbc636999b.lhr.life, edcf8b03c84634.lhr.life, and any *.lhr.life tunnel domain
  4. 4Add the lhr.life (localhost.run) reverse-tunnel domain to your egress block list — it is increasingly used as a free C2 hop
  5. 5Treat any new npm package by a publisher with no prior history and a high-entropy name (e.g. deadcode09284814, phantomdeadcode@tutamail.com) as malicious by default

References

npm-2026-05-16-shai-hulud-leak-copycats-deadcode