Security researchers reported two separate npm supply-chain compromises that delivered malware and exploit infrastructure to downstream users. One analysis uncovered an obfuscated Node.js stealer designed to run across Windows via WSL, macOS, and Linux, with plaintext modules for browser credential theft, recursive exfiltration of sensitive files, and a WebSocket-based reverse shell. The malware targeted Chromium-based browsers and cryptocurrency wallet extensions, sent browser data, files, and command traffic to 216.126.225.243 over ports 8085, 8086, and 8087, and included host profiling plus an HMAC-SHA256 routine with a hardcoded key. Researchers noted the command-and-control IP had previously been associated with DPRK-linked OtterCookie infrastructure.
In a separate incident, Socket Threat Research said the widely used npm package art-template was compromised after repository control was transferred to an unknown actor, who inserted malicious remote-script loaders into versions 4.13.5 and 4.13.6. The injected code redirected users to a watering-hole framework at utaq.cfww.shop that selectively targeted Safari on iOS 11.0 through 17.2, beaconed device and IP data to l1ewsu3yjkqeroy.xyz, and used anti-bot checks, anti-headless logic, and WebAssembly-based fingerprinting before retrieving gated payloads. Researchers found strong overlap with the Coruna exploit kit, including version-aware targeting, XOR obfuscation, architecture-specific dispatch, and a cutoff at iOS 17.3, with additional similarities noted to UNC6691.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
The analysis revealed exfiltration and command-and-control traffic to 216.126.225.243, with browser data sent to port 8085, files to 8086, and reverse-shell/C2 traffic to 8087. The IP was noted as associated with a DPRK OtterCookie C2, suggesting a possible North Korean linkage.
A static analysis identified an obfuscated Node.js stealer targeting Windows via WSL, macOS, and Linux. Despite the wrapper obfuscation, researchers found three plaintext payloads: a browser credential stealer, a recursive sensitive-file exfiltration module, and a WebSocket-based reverse shell.
The malicious framework selectively targeted Safari on iOS versions 11.0 through 17.2, beaconed victim IP and device version data to l1ewsu3yjkqeroy.xyz, and used anti-bot, anti-headless, and WebAssembly-based fingerprinting before fetching payload modules. Researchers assessed the framework as Coruna or a close derivative, with noted similarities to UNC6691 pending further infrastructure analysis.
After taking over the repository, the actor inserted malicious remote-script loaders into art-template versions 4.13.5 and 4.13.6. The injected code redirected users to a watering-hole framework hosted on utaq.cfww.shop.
Socket Threat Research reported that control of the art-template npm repository was transferred to an unknown actor, enabling a later supply-chain compromise. The exact transfer date was not provided in the reference.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
4 references tracked. Mallory keeps watching after this page renders.
isc.sans.edu
Open sourcedshield.org
Open sourceisc.sans.edu
Open sourcesocket.dev
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.