Leaked Shai-Hulud + Phantom Bot copycats from npm user deadcode09284814
Three days after TeamPCP open-sourced the Shai-Hulud worm code (2026-05-13), npm publisher deadcode09284814 pushed four malicious packages on 2026-05-16: @deadcode09284814/axios-util, axois-utils, chalk-tempalte, and color-style-utils. chalk-tempalte is the first documented in-the-wild Shai-Hulud clone — a near-verbatim copy of the leaked source with a swapped C2. Tradecraft is well below TeamPCP standard; this is the first copycat wave riding the leak.
- Detected by
- Ox Security
- Also known as
- Phantom Bot · Shai-Hulud copycats
- Ecosystems
- npm
- Packages tracked
- 4
What happened
Three days after TeamPCP open-sourced the Shai-Hulud worm on GitHub (2026-05-13), the first wave of in-the-wild copycats arrived. On 2026-05-16, a single npm publisher deadcode09284814 (phantomdeadcode@tutamail.com) pushed four malicious packages between 14:38 and 21:20 UTC: @deadcode09284814/axios-util (1.0.0–1.0.1), axois-utils (1.0.4–1.0.9), chalk-tempalte (1.0.14–1.0.20, skipping 1.0.18), and color-style-utils (1.0.3–1.0.9). Two are obvious typosquats of axios and chalk-template.
Each package carries a different payload but they share install scaffolding — preinstall, install, and postinstall hooks chained through postinstall.js, postinstall2.js, phantom.js, and distrube.js. Install scripts cannot be bypassed by lockfile-only installs because at least one hook fires from each lifecycle stage.
chalk-tempalteis the first documented in-the-wild Shai-Hulud clone on npm: a near-verbatim copy of the leaked source rewritten only to replace the C2 (87e0bbc636999b.lhr.life) and the embedded RSA private key. Credential-theft scope mirrors the original worm: npm tokens, GitHub PATs, AWS/GCP/Azure, Kubernetes service-account tokens,.envfiles.axois-utilsships a Go-based DDoS botnet brandedPhantom Botthat survives package deletion via Windows Startup-folder entry + scheduled task, with equivalent persistence on Linux. Capabilities include HTTP/TCP/UDP flooding and TCP-reset attacks.@deadcode09284814/axios-utilis a basic stealer exfiltrating SSH keys, env vars, and AWS/GCP/Azure credentials to80.200.28.28:2222.color-style-utilsharvests IP/geolocation and crypto wallets toedcf8b03c84634.lhr.life.
Combined exposure was modest — ~2,678 downloads before disclosure by Ox Security on 2026-05-18 — but the case is significant as a tradecraft baseline: skill level, infrastructure, and operational discipline are nothing like TeamPCP. The Hacker News, BleepingComputer, GBHackers, The Register, and Dark Reading all carried the story the same day. npm has since removed all four packages. The campaign also highlights the rising abuse of lhr.life (localhost.run) reverse-tunnel subdomains as free, ephemeral C2 endpoints that bypass static block lists.
Affected packages (4)
- npm
@deadcode09284814/axios-util1.0.01.0.1 - npm
axois-utils1.0.41.0.51.0.61.0.71.0.81.0.9 - npm
chalk-tempalte1.0.141.0.151.0.161.0.171.0.191.0.20 - npm
color-style-utils1.0.31.0.41.0.51.0.61.0.71.0.81.0.9
Impact
- Shai-Hulud-style credential theft via
chalk-tempalte(npm tokens, GitHub PATs, AWS/GCP/Azure, K8s, env files) - Cloud + SSH credential theft via
@deadcode09284814/axios-utilexfiltrated to 80.200.28.28:2222 - Crypto wallet + IP geolocation harvest via
color-style-utilsto edcf8b03c84634.lhr.life - Persistent Go-based DDoS botnet (Phantom Bot) on Windows + Linux via
axois-utils— HTTP/TCP/UDP/reset flood; survives package removal - install/preinstall/postinstall hooks fire even with package-lock-only installs
What to do
- 1Remove
chalk-tempalte,axois-utils,color-style-utils, and@deadcode09284814/axios-utilfrom every package.json / lockfile / cache. Likely typosquats — confirm you intendedchalk-template(legit) andaxios(legit), not the malicious variants - 2On any machine that ran
npm installagainst these packages: rotate npm/GitHub/CI tokens, AWS/GCP/Azure keys, SSH keys; assume crypto wallets and .env contents are compromised - 3For
axois-utilshosts specifically: hunt for Phantom Bot persistence — Windows Startup folder entries, scheduled tasks running unfamiliar Go binaries, Linux cron/systemd-user units; block egress to 80.200.28.28:2222,87e0bbc636999b.lhr.life,edcf8b03c84634.lhr.life, and any*.lhr.lifetunnel domain - 4Add the
lhr.life(localhost.run) reverse-tunnel domain to your egress block list — it is increasingly used as a free C2 hop - 5Treat any new npm package by a publisher with no prior history and a high-entropy name (e.g.
deadcode09284814,phantomdeadcode@tutamail.com) as malicious by default