Mini Shai-Hulud Copycats and the TanStack Wave: OpenAI Hit, Mistral Extorted, and Four Copycat npm Packages Hit the Registry

Several researchers have reported four new malicious npm packages uploaded within a 24-hour window by a single threat actor publishing under the npm handle deadcode09284814. One of the four, chalk-tempalte, contains a direct, almost unmodified clone of the Shai-Hulud worm source code that TeamPCP open-sourced the previous week. The other three carry distinct payloads: two infostealers and a Go-based DDoS botnet that the source code calls Phantom Bot.

This is the first observable downstream effect of TeamPCP’s announced “supply chain attack contest” on BreachForums, which offered participants $1,000 in Monero to operate the worm against open-source packages and included a free copy of the source code. The technical fingerprint inside chalk-tempalte makes the copycat lineage clear, and cloning of this kind is what TeamPCP invited when it open-sourced the worm. The dropped Shai-Hulud variant ships with no additional obfuscation, no string-table rotation, and without the AES+RSA encryption layer that the TeamPCP-operated waves used in March and April 2026. The actor inserted a new command-and-control endpoint and a new attacker public key, recompiled, and published. That is the entirety of the modification.

The contest sits at the tail end of a successful upstream campaign. TeamPCP’s May 11, 2026 compromise of TanStack and the broader Mini Shai-Hulud wave hit named enterprise victims that have since publicly disclosed: OpenAI confirmed two employee devices in its corporate environment were impacted, with credential-focused exfiltration from a limited subset of internal source code repositories that contained iOS, macOS, and Windows code-signing certificates. Mistral AI confirmed one developer device was hit and a trojanized version of its npm and PyPI SDKs was published, with TeamPCP subsequently demanding $25,000 in a private extortion attempt for an alleged 5 GB internal source code leak. The Shai-Hulud variant that the deadcode actor cloned is the same worm logic that produced those outcomes.

The four copycat packages combined carry 2,678 weekly downloads at the time of OX Security’s disclosure. No CVE, GHSA, or OSV identifier has been assigned to any of them. Conventional CVE-driven vulnerability management programs have no visibility into this incident or the upstream campaign that produced it. The Phoenix Security analysis of the original Shai-Hulud worm lineage covering persistence, exfiltration mechanics, and IOCs is available at https://phoenix.security/sha1-hulud-shai-hulud-worm-analysis-persistence-iocs/.

https://phxintel.security/malware.html

TL;DR for Engineering Teams

What it is: Four malicious npm packages published by the same actor (deadcode09284814). One package, chalk-tempalte, is a near-verbatim clone of the open-sourced Shai-Hulud worm. The other three deliver distinct payloads: two infostealers and a Go DDoS bot. No CVE assigned.

Where it bites: Any environment that ran npm install against chalk-tempalte, @deadcode09284814/axios-util, axois-utils, or color-style-utils since the upload window. Typosquatting routes target Axios users (axois-utils vs. axios-utils) and chalk-template users (chalk-tempalte vs. chalk-template).

Why it matters: The Shai-Hulud source code is now public on BreachForums under a $1,000 Monero TeamPCP contest. The barrier to entry for any actor wanting to run a credential-stealing supply chain worm has dropped to fork-and-rename. chalk-tempalte proves the point: a different operator, a different C2, the same propagation logic. The upstream TeamPCP wave that produced this source code has named enterprise victims: OpenAI (two employee devices, internal source code repositories with iOS/macOS/Windows signing certificates exfiltrated) and Mistral AI (one developer device, trojanized SDKs published, $25,000 extortion attempt for alleged 5 GB source code leak). Two distinct lhr.life subdomains and a separate raw IP in the deadcode campaign confirm this copycat is operationally distinct from TeamPCP.

Patch status: All four packages remain published on npm at the time of OX Security’s writeup. None have been removed. There are no patched versions because none of these are legitimate packages; they are pure-malice uploads. The publisher account deadcode09284814 had not been suspended at disclosure.

Immediate action: Search lockfiles for the four package names across all repositories and CI runner caches. If any host installed one, rotate every credential reachable from that host: cloud, GitHub, npm, SSH, and crypto wallet material included. Search GitHub for repositories under your accounts with the description string “A Mini Sha1-Hulud has Appeared.” Block egress to *.lhr.life and the IP 80.200.28.28. For axois-utils, audit the Windows Startup folder and scheduled tasks; on Linux, check for the Phantom Bot Go binary persisting under user-writable paths.

Vulnerability Overview

| Field | Value |
| --- | --- |
| Vendor | None (pure malicious uploads) |
| Product | npm packages (typosquatting and namespace abuse) |
| Vulnerability Type | Supply chain compromise; credential theft; DDoS botnet delivery |
| CWE | CWE-506 (Embedded Malicious Code); CWE-829 (Inclusion of Functionality from Untrusted Control Sphere) |
| CVE | Not assigned |
| GHSA / OSV | Not assigned at time of writing |
| Attack Vector | Network (npm install execution) |
| Active Exploitation | Confirmed (packages live on npm; 2,678 combined weekly downloads at disclosure) |
| Attribution | npm user deadcode09284814. Distinct from TeamPCP based on tradecraft: no obfuscation, raw source clone, separate C2 infrastructure. OX Security assesses this as one of the first copycat operators to weaponize the TeamPCP open-source release distributed via the BreachForums supply chain attack contest. |
| Upstream campaign | TeamPCP Mini Shai-Hulud wave, May 11, 2026 onwards: TanStack, UiPath, Mistral AI, OpenSearch, Guardrails AI. Disclosed victims include OpenAI (two employee devices), Mistral AI (one developer device, $25k extortion). TeamPCP infrastructure: 83.142.209.0/24 subnet (provisioned November 2025, dormant aging). |
| Campaign branding | “A Mini Sha1-Hulud has Appeared” (note: digit 1, not i; distinct from the April 2026 SAP CAP variant) |
| Disclosure date | May 17, 2026 (OX Security) |

Background: Why This Was Always Going to Happen

This was a question of when, not if. Phoenix Security has covered the Shai-Hulud lineage across multiple campaigns: the original September 2025 wave, the November 2025 reactivation, and the April 2026 Mini Shai-Hulud SAP CAP and mbt incident. The full technical analysis of the worm itself is at https://phoenix.security/sha1-hulud-shai-hulud-worm-analysis-persistence-iocs/. The TeamPCP operator released the worm source code on BreachForums in May 2026, branded as part of a supply chain attack competition, and explicitly invited other actors to fork, modify, and operate it.

The four packages from deadcode09284814 are the first copycat campaign anyone has documented that visibly took the bait. The tell is the absence of obfuscation. TeamPCP-operated waves shipped the credential stealer behind two heavy layers: an obfuscator.io string-table rotation with tens of thousands of entries and a custom cipher layer that StepSecurity tracked as ctf-scramble-v2. The chalk-tempalte clone ships the same logic with neither layer present. The decoded payload that researchers had to reverse engineer to read in the April wave is now visible in plain JavaScript on the npm registry.

A copycat actor with no obfuscation budget but a working clone is a different threat model from a sophisticated operator running OIDC abuse and Sigstore provenance spoofing. The copycat will be louder, easier to detect, faster to triage. The flip side is the volume problem: once the barrier to entry drops to “fork and rename,” the rate at which these packages appear climbs. OX Security’s framing of this as “just the first phase of an upcoming wave” is the right call.

Upstream Wave: TanStack, OpenAI, Mistral AI, and the BreachForums Contest

The contest that produced the deadcode09284814 copycat sits on top of a TeamPCP campaign that, at time of writing, has more public victim disclosures than any prior supply chain wave. Three pieces of this matter for defenders triaging the copycat traffic:

The TanStack Entry Point

On May 11, 2026 UTC, the TanStack project was compromised as part of the broader Mini Shai-Hulud campaign. TanStack’s own statement is precise about the vector: no maintainer was phished, no password was leaked, and no maintainer token was stolen from an account. The TanStack team described the mechanism as a path where the project’s CI pipeline stole its own publish token, at the moment the token was created, via a cache that everyone in the publishing chain implicitly trusted. The compromise expanded to UiPath, Mistral AI, OpenSearch, and Guardrails AI through transitive publish access. This is the wave whose source code TeamPCP later released on BreachForums.

OpenAI: Two Employee Devices, Code-Signing Certificate Rotation

OpenAI disclosed on May 18, 2026 that two employee devices in its corporate environment were affected by the Mini Shai-Hulud TanStack attack. Activity consistent with the malware’s documented behavior, including unauthorized access and credential-focused exfiltration, was observed against a limited subset of internal source code repositories to which the two impacted employees had access. OpenAI states only limited credential material was successfully exfiltrated and that no user data, production systems, or intellectual property were compromised.

The operational consequence is significant for downstream users. The impacted repositories included signing certificates for iOS, macOS, and Windows products. OpenAI is rotating these certificates and revoking the previous certificate on June 12, 2026. Until that date, macOS users of ChatGPT Desktop, Codex App, Codex CLI, and Atlas must update to the latest versions. After June 12, macOS built-in protections will block new downloads and first-time launches of apps signed with the previous certificate. Last-pre-rotation builds are ChatGPT Desktop 1.2026.125, Codex App 26.506.31421, Codex CLI 0.130.0, and Atlas 1.2026.119.1.

OpenAI also notes that this is the second time in two months it has rotated macOS code-signing certificates. The previous rotation followed the March 31, 2026 Axios npm compromise attributed to UNC1069, which OpenAI tied to a GitHub Actions workflow that pulled the malicious Axios library during the brief window the package was live. That earlier incident triggered OpenAI to begin rolling out package manager configurations with minimumReleaseAge and additional provenance validation; the TanStack hit landed during the phased rollout, and the two affected employee devices did not yet have the new configuration.

Mistral AI: One Developer Device, $25,000 Extortion Demand

Mistral AI confirmed it was hit by the same TanStack-rooted compromise, leading to trojanized versions of its npm and PyPI SDKs being published. Mistral states one developer device was affected and finds no evidence of broader infrastructure breach. TeamPCP has separately claimed on BreachForums that it holds approximately 5 GB of internal Mistral AI source code and is offering it for $25,000 as a private buyout, with a threat to release it publicly within a week if no buyer is found. Mistral has not corroborated the source code claim.

The Contest That Spawned This Copycat Wave

After establishing the TanStack foothold and the OpenAI/Mistral disclosures, TeamPCP announced a “supply chain attack contest” on BreachForums in partnership with the Breached cybercrime community. The terms, as reported, are that participants receive a free working copy of the Shai-Hulud worm source code and $1,000 in Monero per successful compromise of an open-source package. The deadcode09284814 four-package wave is the first publicly documented entry in that contest. The lack of obfuscation in chalk-tempalte is consistent with the description that participants are working from the released source rather than building independent tooling.

TeamPCP Infrastructure Aging

Hunt.io’s analysis of TeamPCP’s C2 infrastructure shows the 83.142.209.0/24 subnet was provisioned and left dormant from November 2025 onwards. Three IPs from that block have served as C2 nodes across separate waves: 83.142.209.194 (TanStack / FIRESCALE, May 2026), 83.142.209.203 (Telnyx, March 2026), and 83.142.209.11 (Checkmarx KICS, March 2026). The first two IPs were first observed with SSH active on November 15 and November 21, 2025, roughly four months before the earliest tracked TeamPCP wave went public. Hunt.io’s assessment is that the block was aged deliberately to accumulate a clean reputation before activation. The same subnet appears across every TeamPCP wave tracked through May 2026, including the LiteLLM PyPI compromise, the Trivy scanner hijack via GitHub Actions, and the Jenkins AST Plugin backdoor.

FIRESCALE: GitHub Commit Dead-Drop Fallback

The Linux-side payload TeamPCP delivered via the trojanized guardrails-ai and mistralai PyPI packages includes a fallback C2 mechanism Hunt.io named FIRESCALE. When the primary C2 (83.142.209.194) is unreachable, the malware searches all public GitHub commit messages worldwide for a signed alternative C2 URL, verified against an embedded 4096-bit RSA key. Exfiltration follows three paths in sequence: primary C2, FIRESCALE dead-drop redirect, and the victim’s own GitHub repository. This three-tier resilience belongs to the TeamPCP-operated PyPI variant, not to the npm Shai-Hulud source that was open-sourced and cloned by deadcode09284814. The npm copycat retains the C2 path and the GitHub-repo exfiltration path but does not implement FIRESCALE. Defenders blocking only the primary C2 IP of the upstream TeamPCP variant should plan for the FIRESCALE fallback. Defenders responding to the deadcode09284814 copycats do not need to plan for it.

Geofenced Destructive Behavior

The TeamPCP modular Python toolkit carries a 1-in-6 probability gate that triggers on hosts geolocated to Israel or Iran. When the gate triggers, the implant plays audio at maximum volume and then deletes all accessible files. Russian-locale machines are exempted from execution entirely. The destructive component is consistent with the earlier “kamikaze” wiper TeamPCP deployed against Iran-based Kubernetes clusters in connection with the CanisterWorm self-propagating worm campaign. The behavior signals a more deliberately motivated operation than purely financial supply chain criminality.

AWS GovCloud Coverage

Hunt.io’s analysis of the credential-harvesting module shows the AWS collection list covers all 19 availability zones, including us-gov-east-1 and us-gov-west-1 GovCloud regions restricted to U.S. government agencies and defense contractors. The presence of those zones in the target list indicates the operator anticipates federal-adjacent victims and has tooling ready to handle the credential format differences.

A campaign with the operational reach to hit OpenAI, a target list that includes AWS GovCloud, and a destructive payload aimed at specific countries has just been open-sourced for $1,000 a hit. The copycat wave is what that combination produces.

Technical Anatomy

chalk-tempalte: Shai-Hulud Source Clone

The chalk-tempalte package contains an almost verbatim copy of the TeamPCP-leaked Shai-Hulud source. OX Security’s side-by-side comparison shows the same credential harvesting logic, the same GitHub repository creation routine for exfiltration with “A Mini Sha1-Hulud has Appeared” as the repository description, and the same overall propagation skeleton. The two changes the operator made:

  1. C2 endpoint replaced: 87e0bbc636999b.lhr.life substituted for the TeamPCP C2.
  2. Attacker public key embedded: a different RSA public key used for the encrypted exfiltration channel.

lhr.life is the public domain for localhost.run, a free SSH-tunnel-as-a-service that exposes a local port to the internet via a randomized subdomain. The operator is running C2 through a free tunneling service rather than registering a domain. Two of the four packages (chalk-tempalte and color-style-utils) use lhr.life subdomains. The third infostealer (@deadcode09284814/axios-util) skips the tunneling service and uses a raw IP on port 2222.

Stolen credentials are uploaded to a freshly created GitHub repository under the victim’s account using the victim’s own GitHub token, exactly as the original Shai-Hulud worm did. The repository description carries the campaign branding “A Mini Sha1-Hulud has Appeared.” Note the digit 1 rather than the letter i, which distinguishes this variant from the SAP CAP variant of April 2026.

@deadcode09284814/axios-util: Direct Infostealer

The most straightforward of the four. The payload collects SSH keys, environment variables, and cloud credentials for AWS, GCP, and Azure, then posts the harvested material to 80.200.28.28:2222. No tunneling service, no GitHub repository exfiltration, no encrypted channel. This is the operator’s cheapest implant: a flat HTTP POST to a hardcoded IP.

axois-utils: Phantom Bot DDoS Implant

This package is the most distinct of the four. It carries a Go binary the source code calls “Phantom Bot.” The Go bot is dropped to disk and registered for persistence on both Windows and Linux. On Windows, the bot writes to the user Startup folder and creates a scheduled task. On Linux, the source includes a respawn routine that reinstalls the implant if the npm package itself is uninstalled. OX Security specifically called out this persistence behavior: npm uninstall does not get rid of it.

The bot implements four flood primitives: HTTP request flood, TCP SYN flood, UDP flood, and TCP Reset flood. It connects to a C2 at b94b6bcfa27554.lhr.life, a separate lhr.life subdomain from the chalk-tempalte C2. Infected hosts are pooled into a DDoS-for-hire fleet targeting external websites.

This is the only package in the set that is not credential-focused. Its purpose is to convert developer and CI machines into a botnet. The package name targets Axios users via typosquatting: axois-utils differs from a legitimate-looking axios-utils by a one-letter transposition.

color-style-utils: Plain-Text Infostealer

The simplest of the three infostealers. No obfuscation. It collects the current public IP and geolocation via a public IP-info API, sweeps the standard cloud and SSH credential set, and then enumerates a list of common crypto wallet paths (wallet.dat, Ethereum keystores, Solana keypairs, hardware wallet config). Exfiltration is to edcf8b03c84634.lhr.life. Persistence is not implemented in this variant.

What These Four Packages Have In Common

Despite shipping four different payloads from the same publisher, the four packages share these operational fingerprints:

| Marker | Value |
| --- | --- |
| npm publisher | deadcode09284814 |
| Tunneling infrastructure (3 of 4) | *.lhr.life (free SSH-tunnel-as-a-service) |
| Campaign branding (in chalk-tempalte only) | “A Mini Sha1-Hulud has Appeared” |
| Typosquatting strategy | Axios variants, chalk-template variants, generic utility names |
| Source code style | Unobfuscated, readable JavaScript (Go for the bot) |
| Lineage | Mini Shai-Hulud / Sha1-Hulud copycat wave, TeamPCP open-source release |

The shared publisher account is the best place to start a hunt for other packages from the same actor. Anything historically or currently published under npmjs.com/~deadcode09284814 should be treated as malicious by default until proven otherwise.

Phoenix VulnDB Adjacent Signal: nicegui PyPI 3.12.0

While the four deadcode09284814 npm packages are the visible part of the copycat wave, Phoenix Security’s behavioral package scanner (PHX-Neural) has independently flagged nicegui version 3.12.0 on PyPI with a 100/100 PHX-Neural score and 164 signal hits across 85 detection rules. The package carries 174,659 weekly downloads. Phoenix’s verdict is currently UNKNOWN, status Analysis Under Review, with severity pending consensus synthesis. The behavioral fingerprint is consistent with the broader Mini Shai-Hulud TTP set, and is included here as adjacent supply chain signal rather than as confirmed attribution.

The name overlap is the first thing to flag. The OpenSourceMalware.com disclosure on May 19, 2026 of the UNC1069 Axios-secondary campaign included a nicegui npm package (nicegui@0.1.4) as one of three typosquats from that actor cluster, alongside redeem-onchain-sdk and period-newline, all sharing the OrDeR_7077 XOR key from the original March 2026 Axios compromise. The PyPI nicegui artifact occupies a different ecosystem and version space, and Phoenix has not yet asserted a connection between the two. Defenders should triage both as adjacent supply chain signal pending vendor and registry decisions.

PHX-Neural Kill Chain

The full ATT&CK phase coverage produced by behavioral analysis alone:

| ATT&CK phase | Signal | Severity | Occurrences | Behavior |
| --- | --- | --- | --- | --- |
| Resource Development | RD-003 | S4 | 5 | AI-generated malware indicators (emoji and structured section headers in scripts) |
| Execution | CS-008 | S5 | 3 | Dynamic module/package import |
| Execution | PY-002 | S7 | 1 | __init__.py import-time code execution |
| Execution | CS-007 | S7 | 1 | Shell command execution |
| Persistence | PS-001 | S10 | 3 | launchctl / systemd persistence |
| Persistence | PS-002 | S7 | 2 | Startup file modification |
| Defense Evasion | CS-009 | S2 | 23 | Error suppression (except: pass, >/dev/null) |
| Defense Evasion | CS-003 | S6 | 4 | Encoding-based obfuscation (base64/atob/rot13) |
| Defense Evasion | CS-004 | S7 | 2 | Computational obfuscation (charcode construction) |
| Anti-Forensics | AF-001 | S7 | 1 | File deletion after exfiltration cleanup |
| Credential Access | RS-001 | S8 | 16 | Credential harvesting (env vars and tokens) |
| Credential Access | RS-004 | S9 | 5 | Crypto wallet harvesting |
| Command & Control | NS-012 | S5 | 27 | DGA / dynamic C2 resolution pattern |
| Command & Control | NS-008 | S6 | 61 | Unencrypted HTTP to external host |
| Command & Control | NS-001 | S7 | 4 | Hardcoded public IP address |
| Command & Control | NS-002 | S8 | 4 | Payload download (curl/wget/urlretrieve) |
| Exfiltration | NS-004 | S10 | 1 | HTTP POST exfiltration of environment variables |
| Impact | NS-009 | S10 | 1 | Mining pool connection |

ATT&CK phase intensity totals (signal count weighted by severity): Resource Development 5, Execution 5, Persistence 5, Defense Evasion 30, Credential Access 21, Collection 5, Command & Control 96, Exfiltration 62, Impact 1. Initial Access and Discovery returned zero, consistent with a package whose execution is triggered by Python import rather than by network access.

What the Signals Mean Operationally

The signal counts in the table above map onto the rest of this article in concrete ways. PY-002 (__init__.py import-time execution) is the PyPI equivalent of the npm preinstall hook the TeamPCP and deadcode npm packages rely on; the implant runs the moment something imports the package, no special API call required. PS-001 (launchctl / systemd persistence) at three occurrences matches the persistence behavior OX Security flagged in axois-utils Phantom Bot, the kind that survives uninstall. RS-004 (crypto wallet harvesting) at five occurrences aligns with what color-style-utils does in the npm wave.

Two signals stand out as different from the deadcode set. NS-009 (mining pool connection) is a payload class the deadcode npm packages do not carry. Copycats commonly extend a cloned worm source with their own monetization, and crypto mining is the cheapest add-on. NS-012 (DGA / dynamic C2 resolution) at 27 hits suggests a more resilient C2 path than the static lhr.life subdomains the deadcode set uses, which raises the operational sophistication a notch above simple fork-and-publish.

RD-003 (AI-generated malware indicators) at five hits is the one worth dwelling on. The signal picks up emoji and structured section headers that LLM-generated code consistently produces. Supply chain campaigns increasingly use AI assistants for payload generation, and the fingerprint is visible to static analysis when defenders look for it. The same signal would, somewhat awkwardly, fire on a meaningful share of legitimate developer code at this point. The interesting question is not whether AI-style markup appears, but whether it appears in code that also harvests credentials and connects to mining pools.

Zero CVEs, 100/100 PHX-Neural

The nicegui PyPI package version 3.12.0 has zero CVEs associated. No advisory, no GHSA, no OSV entry. Conventional vulnerability scanners produce a clean result. Phoenix’s PHX-Neural produces the 100/100 score entirely from behavioral analysis of the package contents, before any CVE record exists and before analyst-level attribution is complete. This is the zero-CVE gap operating in real time across two ecosystems simultaneously, the npm deadcode09284814 wave on one side and the PyPI nicegui 3.12.0 signal on the other. A defender running only CVE-based supply chain controls sees neither.

For defenders: search lockfiles and dependency manifests for nicegui==3.12.0 and any version of nicegui you cannot verify against a known-clean baseline. If installed, treat as the same triage class as the deadcode npm packages until Phoenix’s consensus verdict completes. The package’s Phoenix VulnDB record is the live source for verdict updates.

Affected Versions

| Package | Vulnerable Versions | Fixed Version | Weekly Downloads | Notes |
| --- | --- | --- | --- | --- |
| chalk-tempalte (npm) | All published versions | None (delete only) | 825 | Shai-Hulud clone; typosquats chalk-template |
| @deadcode09284814/axios-util (npm) | All published versions | None (delete only) | 284 | Direct infostealer to 80.200.28.28:2222 |
| axois-utils (npm) | All published versions | None (delete only) | 963 | Phantom Bot DDoS persistence; typosquats Axios |
| color-style-utils (npm) | All published versions | None (delete only) | 934 | Infostealer; crypto wallet targeting |
| nicegui (PyPI) | 3.12.0 | Phoenix verdict pending | 174,659 | Adjacent signal; PHX-Neural 100/100, verdict UNKNOWN, full Mini Shai-Hulud-aligned TTP set plus mining pool payload. Treat as suspect until consensus completes. |

Combined weekly downloads for the four confirmed-malicious npm packages: 2,678. There is no fixed version for any of the deadcode npm artifacts because they are not legitimate packages with a compromised release. Every published version is malicious. Removal is the only correct action. The PyPI nicegui 3.12.0 row is included as adjacent signal under Phoenix VulnDB review and should be treated as suspect until Phoenix’s analyst-level verdict completes.

Exposure Analysis

| Environment | Risk Level | Reason |
| --- | --- | --- |
| Developer workstations | Critical | All four payloads harvest local credentials. Crypto wallets, SSH keys, cloud configs, and AI tool credentials are in scope. |
| CI/CD pipelines | Critical | A CI runner that resolved any of the four packages exposes runner-scoped tokens, cloud federation, and any secret materialized into the environment. |
| Internet-exposed services | Medium | Direct compromise of exposed services is unlikely (no production service depends on these packages by name), but axois-utils converts the host into a DDoS botnet member, which is itself an outbound problem. |
| Container build environments | High | Multi-stage builds that ran npm install against the malicious version exfiltrate build-time credentials and may bake the implant into image layers. |

The pure-malice nature of these uploads bounds the exposure scope by who installed them, not by who depends on legitimate-version-X. Conventional dependency scanners that match on CVE will miss this entirely. Scanners that check published npm packages against a curated malicious-package feed (Phoenix Security, Socket, Aikido, OX Security, Snyk Advisor) will catch it.

Real-World Impact

Scale at Disclosure

The combined 2,678 weekly downloads across four packages is modest in absolute terms, two orders of magnitude smaller than the April 2026 SAP CAP and mbt wave. The number is also a floor, not a ceiling. The disclosure window is short, the packages were still live at the time of OX Security’s writeup, and the publisher account had not been suspended.

What An Operator Gains Per Install

A successful deadcode09284814 install produces, depending on which package landed:

  • A list of every secret the local user can read.
  • A copy of every SSH key and cloud credential file in the standard locations.
  • The npm tokens and GitHub PATs of the developer or CI service account.
  • A fresh GitHub repository under the victim’s name containing the harvested material, encrypted with the attacker’s public key (chalk-tempalte only).
  • A Phantom Bot install conscripting the host into a DDoS-for-hire pool (axois-utils only).
  • Crypto wallet keystore files where present (color-style-utils).

For the chalk-tempalte clone specifically, the worm propagation logic in the source code is intact. If a victim’s harvested npm token has publish scope on any package, the cloned worm will attempt to self-propagate by publishing infected versions of those packages. Whether that propagation completes in practice depends on how many of the victims had usable npm tokens with publish scope. There has been no public reporting yet of secondary packages compromised through this chain. That gap should not be read as evidence that propagation did not occur. The disclosure is fresh.

Trend Line, Not Anomaly

Each Shai-Hulud variant lowers the difficulty for the next operator. The September 2025 wave needed research effort. The TeamPCP release in May 2026 dropped working source on a forum with $1,000 in Monero attached. The deadcode09284814 set is what falls out the other end. Meanwhile, two-month-old concurrent campaigns from unrelated actors keep running in parallel: the UNC1069 Axios-secondary cluster that Polymarket disclosed on May 19, 2026 has been live on redeem-onchain-sdk, nicegui, and period-newline since April with no public discovery for almost eight weeks, using the same OrDeR_7077 XOR key as the original March 2026 Axios compromise. Different actor lineage, same supply chain class of abuse, same registries.

What success looks like at the upstream end is what OpenAI and Mistral AI disclosed last week. Source code repositories with platform code-signing certificates exfiltrated. Vendor extortion attempts in the high five figures. A forced code-signing rotation cycle pushed onto the wider downstream user base. None of that requires a CVE to exist. The cost of running a credential-stealing supply chain attack has fallen to “fork the repo, change a public key, publish under a new npm account.” A defender whose primary supply chain control is a CVE feed is blind to the entire class.

Detection Guidance

Lockfile and Manifest Indicators

Search across all repositories and CI runner caches for the npm artifacts:

grep -rE "chalk-tempalte|axois-utils|color-style-utils|@deadcode09284814/axios-util" \
  --include="package.json" \
  --include="package-lock.json" \
  --include="yarn.lock" \
  --include="pnpm-lock.yaml" \
  --include="npm-shrinkwrap.json" \
  /path/to/repos

For the adjacent PyPI signal:

grep -rE '(^|[^A-Za-z0-9._-])nicegui([^A-Za-z0-9._-]|$)' \
  --include="requirements*.txt" \
  --include="pyproject.toml" \
  --include="Pipfile*" \
  --include="poetry.lock" \
  --include="uv.lock" \
  /path/to/repos

Lockfile presence is sufficient evidence to trigger the incident response track for the host that ran the install. For nicegui specifically, isolate the host and wait for Phoenix’s verdict before deciding whether to rotate credentials.

Network Indicators

| Indicator | Type | Notes |
|---|---|---|
| 87e0bbc636999b.lhr.life | C2 domain | chalk-tempalte C2 |
| b94b6bcfa27554.lhr.life | C2 domain | axois-utils Phantom Bot C2 |
| edcf8b03c84634.lhr.life | C2 domain | color-style-utils C2 |
| 80.200.28.28:2222 | IP and port | @deadcode09284814/axios-util C2 |
| *.lhr.life | Domain pattern | localhost.run tunneling; broad block recommended for production and CI egress |
| 83.142.209.194 | IP (upstream) | TeamPCP TanStack / FIRESCALE primary C2 (May 2026 wave) |
| 83.142.209.203 | IP (upstream) | TeamPCP Telnyx campaign C2 (March 2026) |
| 83.142.209.11 | IP (upstream) | TeamPCP Checkmarx KICS C2 (March 2026) |
| 83.142.209.0/24 | Subnet (upstream) | TeamPCP aged infrastructure block (SSH active since November 2025); broad block recommended |
| Outbound to api.github.com from CI runner with anomalous commit-search query patterns | Behavioral | FIRESCALE dead-drop fallback signal (TeamPCP PyPI variant; not present in deadcode09284814 clone) |

DNS-layer blocking of *.lhr.life across CI runners and developer egress catches three of the four copycat C2 channels at once and has limited legitimate-traffic cost. The free localhost.run service is a developer convenience that has no business running outbound from production or CI. Blocking the full 83.142.209.0/24 subnet at the firewall layer covers the upstream TeamPCP infrastructure across every wave Hunt.io tracked through May 2026.

Host Indicators

For Windows hosts that may have run axois-utils:

  • New entries in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup.
  • New scheduled tasks created by a non-system user pointing at a Go binary in a user-writable path.
  • Persistent outbound connections to *.lhr.life from a non-browser process.

For Linux hosts:

  • A Go-compiled binary in /tmp, /var/tmp, or under $HOME that was not present before the relevant npm install.
  • A systemd user unit, cron entry, or .bashrc modification that respawns the binary.
  • Outbound TCP/UDP traffic patterns consistent with HTTP, TCP, UDP, or Reset flood activity from non-server hosts.

GitHub Indicators

Across all GitHub accounts associated with the organization and developer machines:

  • Repositories with the description string “A Mini Sha1-Hulud has Appeared” (digit 1, not letter i).
  • New public repositories created since May 16, 2026, with no recognizable code content and an encrypted blob in the repository root.
  • Commits authored by addresses matching campaign patterns from the Shai-Hulud lineage, including claude@users.noreply.github.com.

Scanner Guidance

  • Phoenix Security supply chain scanners maintain a feed of malicious npm and PyPI package versions; the four deadcode09284814 packages are added at disclosure. The PyPI nicegui 3.12.0 record is live in Phoenix VulnDB with a PHX-Neural score of 100/100 and verdict pending analyst consensus.
  • Phoenix PHX-Neural produces behavioral signal independent of CVE assignment. The nicegui record is the clearest illustration in this wave: zero CVEs associated, 164 signals hit across 85 detection rules, full ATT&CK phase coverage from credential harvesting through mining pool connection.
  • The Phoenix Security Shai-Hulud V2 npm scanner at github.com/Security-Phoenix-demo/Shai-Hulud-Sha1-Hulud-V2-npm-compromise-scanner covers the chalk-tempalte clone via the shared GitHub repository creation indicator and the campaign description string match.
  • Socket, Aikido, and OX Security feeds carry the four deadcode npm packages.
  • GitHub Dependabot does not flag any of these because no advisory has been assigned. SBOM-driven scanners that match only on CVE will miss the incident entirely.

Remediation Guidance

Immediate Actions

  1. Sweep lockfiles for all four package names across every repository, CI cache, and developer machine. Treat presence as evidence that the host is compromised.
  2. Treat each affected host as fully compromised. Rotate every credential reachable from it: GitHub PATs, npm tokens, cloud credentials (AWS, Azure, GCP), SSH keys, password manager session tokens, and any crypto wallet material.
  3. Uninstall the malicious package and then verify cleanup. npm uninstall does not remove host-level Phantom Bot persistence for axois-utils. For Windows hosts, audit the Startup folder and scheduled tasks. For Linux hosts, audit systemd user units, cron, and shell rc files.
  4. Delete attacker-created GitHub repositories under owned accounts that match the “A Mini Sha1-Hulud has Appeared” description.
  5. Block egress to *.lhr.life and 80.200.28.28 at the DNS and firewall layer for CI runners and production environments.
  6. Revoke and reissue the GitHub PAT used by any developer or CI account that may have been on a host running chalk-tempalte, even when no encrypted-blob repository has been found yet.
  7. Find and delete any malicious configuration introduced into IDEs and coding agents (Claude Code, Cursor, VS Code workspace tasks). OX Security flagged this as a required cleanup step.

Temporary Mitigations

If sweep and rotation cannot complete within 24 hours:

  • Run npm config set ignore-scripts true on all CI runners. This blocks the preinstall hook execution chain that all four packages rely on for payload execution at install time.
  • Configure minimumReleaseAge in the package manager (npm 11+, pnpm) to delay resolution of newly published versions for at least 24 to 72 hours. OpenAI cited this as one of the controls it had begun deploying after the March Axios incident, with the caveat that the two TanStack-affected employee devices had not yet received the new configuration. The delay window catches malicious uploads that are typically removed within hours of disclosure.
  • Pin direct dependencies to known-good versions and block transitive resolution above the pinned range.
  • Restrict outbound CI egress to a known allowlist that excludes lhr.life and similar free tunneling services.
  • Block the 83.142.209.0/24 subnet at the firewall for hosts that may also be exposed to the upstream TeamPCP variant via trojanized PyPI packages (guardrails-ai, mistralai).

Validation Steps

  1. Confirm the four package names are absent from every lockfile in scope.
  2. Confirm no *.lhr.life DNS queries are present in the last 14 days of CI runner DNS logs.
  3. Confirm no new GitHub repositories under owned accounts carry the campaign branding string.
  4. For axois-utils-exposed hosts, confirm no Go binary persists on disk and no scheduled task or Startup entry remains.
  5. Confirm all credentials rotated in step 2 of immediate actions have been replaced and the prior tokens revoked at the issuing service.
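
Validation step 2 and the network indicator table can be checked in one pass over exported DNS or egress logs. This is an added example, not code from the original post or from any vendor tool. It assumes IPv4 destinations and a three-field log line (UTC timestamp, source host, destination); the log lines, host names and timestamps are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Indicators from the page's network table.
TUNNEL_SUFFIX = "lhr.life"
UPSTREAM_NET = ipaddress.ip_network("83.142.209.0/24")
COPYCAT_IP = ipaddress.ip_address("80.200.28.28")

def match_indicator(dest):
    """Label a destination (hostname, IPv4 or IPv4:port) or return None."""
    host, sep, port = dest.strip().lower().rpartition(":")
    if not (sep and port.isdigit()):
        host, port = dest.strip().lower(), None
    host = host.rstrip(".")  # tolerate fully qualified names
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # Match on a label boundary: "notlhr.life" and
        # "lhr.life.example.com" are different domains.
        if host == TUNNEL_SUFFIX or host.endswith("." + TUNNEL_SUFFIX):
            return "lhr.life tunnel"
        return None
    if ip in UPSTREAM_NET:
        return "TeamPCP 83.142.209.0/24"
    if ip == COPYCAT_IP:
        if port == "2222":
            return "80.200.28.28:2222 C2"
        return "80.200.28.28 C2 host, other or unknown port"
    return None

def hunt(lines, now, days=14):
    """Hits from '<ISO-8601 UTC> <source host> <destination>' log lines."""
    cutoff = now - timedelta(days=days)  # 14 days as in validation step 2
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 3:
            continue  # not in the assumed format
        when = datetime.fromisoformat(fields[0].replace("Z", "+00:00"))
        label = match_indicator(fields[2])
        if label and when >= cutoff:
            hits.append((fields[1], fields[2], label))
    return hits

# Constructed log lines; host names and timestamps are made up.
SAMPLE_LOG = """\
2026-05-01T08:00:00Z ci-runner-03 b94b6bcfa27554.lhr.life
2026-05-17T09:12:44Z ci-runner-07 87e0bbc636999b.lhr.life.
2026-05-17T09:12:45Z ci-runner-07 registry.npmjs.org
2026-05-17T09:13:02Z ci-runner-07 notlhr.life
2026-05-17T09:13:03Z ci-runner-07 lhr.life.example.com
2026-05-18T14:30:10Z dev-laptop-12 83.142.209.194:443
2026-05-18T14:30:11Z dev-laptop-12 83.142.210.5:443
2026-05-19T02:41:55Z build-agent-2 80.200.28.28:2222
""".splitlines()
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, NOW):
        print(hit)
```

An empty result only confirms the step if the export covers the whole look-back window for every runner in scope.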

Phoenix Security Recommendations

Phoenix Security’s coverage of these copycat campaigns has been consistent: traditional CVE-driven vulnerability management produces zero findings on packages like these. There is no CVE to scan for and no advisory to map to a dependency record. The control surface that actually catches them sits at a different layer.

The PyPI nicegui 3.12.0 record described above shows what behavioral scanning actually buys you. Zero CVEs. 164 signals across 85 detection rules. PHX-Neural score 100/100. Full ATT&CK phase coverage from behavioral analysis of package contents alone, produced before any external advisory exists. Customers running PHX-Neural-scored gates in CI can block the install at the registry-resolution stage rather than waiting for an analyst feed update.

The malicious-package feed correlation that Phoenix Security runs against lockfile contents picks up the four deadcode09284814 packages from the day of OX Security’s disclosure. Output is a single deduplicated finding per affected repository, mapped to the responsible team, so the work of removing the package and starting rotations lands on a named owner rather than a generic ticket queue.

Reachability analysis narrows the blast radius question from “did we install this anywhere” to “did anything we actually run reach the install-time payload.” For preinstall-hook npm malware and __init__.py-import PyPI malware, the answer collapses to a binary “did npm install or pip install run on this host” question, which Phoenix Security answers directly through CI integration.

The Shai-Hulud lineage is tracked as a multi-wave campaign inside Phoenix’s remediation campaigns workflow. The deadcode09284814 set is the next tracked wave alongside September 2025, November 2025, April 2026 SAP CAP, and the TeamPCP-operated March-April 2026 series. Customers running campaign-mode remediation get the new IOCs and package list pushed into the existing Shai-Hulud campaign rather than as a separate one-off. The PyPI nicegui record is queued for inclusion once Phoenix’s consensus verdict is confirmed.

Attack surface management closes the loop on outbound signal. Hosts running axois-utils become DDoS botnet nodes. Hosts running nicegui 3.12.0, if Phoenix’s verdict goes to MALICIOUS, may be connecting to mining pools. Phoenix Security’s attack surface inventory flags both behaviors as high-priority egress signals, independent of whether the offending package is still installed.

The argument that has held across every Shai-Hulud wave applies again here. The cheap layered controls catch this class. The four packages from deadcode09284814 would be blocked by ignore-scripts=true, by an egress rule that denies *.lhr.life on CI runners, and by a lockfile sweep against a curated malicious-package feed. The PyPI nicegui 3.12.0 signal is caught by behavioral package scoring before any advisory exists. None of those controls require frontier-model spend or a CVE. They are the floor under which the more expensive tools earn their cost.

References

  1. OX Security, “New Actors Deploy Shai-Hulud Clones: TeamPCP Copycats Are Here,” Moshe Siman Tov Bustan, May 17, 2026. https://www.ox.security/blog/new-actors-deploy-shai-hulud-clones-teampcp-copycats-are-here/
  2. OpenAI, “Our response to the TanStack npm supply chain attack,” May 18, 2026.
  3. The Hacker News, “OpenAI Impacted by Mini Shai-Hulud Supply Chain Attack on TanStack npm,” May 2026.
  4. The Hacker News, “TanStack Supply Chain Attack Hits Two Hundred Packages,” May 2026. https://thehackernews.com/2026/05/tanstack-supply-chain-attack-hits-two.html
  5. Phoenix Security, “Sha1-Hulud / Shai-Hulud Worm Analysis: Persistence and IOCs.” https://phoenix.security/sha1-hulud-shai-hulud-worm-analysis-persistence-iocs/
  6. Phoenix Security, “Mini Shai-Hulud: SAP CAP and mbt npm Packages Backdoored,” April 30, 2026.
  7. Hunt.io, infrastructure analysis of TeamPCP 83.142.209.0/24 subnet and the FIRESCALE GitHub commit dead-drop mechanism, Esteban Borges, May 2026.
  8. TanStack public statement on the May 11, 2026 CI cache token theft vector, May 2026.
  9. Mistral AI advisory: trojanized npm and PyPI SDK release, supply chain attack via TanStack compromise, May 2026.
  10. OpenSourceMalware.com, “Axios attacker strikes again with three NPM packages that have been hiding in plain sight for two months,” 6mile, May 19, 2026. (Concurrent supply chain campaign attributed to the UNC1069 cluster behind the March 2026 Axios compromise; separate actor lineage from TeamPCP.)
  11. Phoenix Security VulnDB, PHX-Neural behavioral signal record for nicegui PyPI 3.12.0, verdict pending consensus synthesis at time of writing.
  12. npm registry, publisher profile: https://www.npmjs.com/~deadcode09284814
  13. Phoenix Security Shai-Hulud V2 npm scanner: https://github.com/Security-Phoenix-demo/Shai-Hulud-Sha1-Hulud-V2-npm-compromise-scanner
  14. localhost.run service documentation: https://localhost.run/
Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.
