Hackers Backdoor art-template npm Package for Watering-
A widely-used JavaScript templating library, art-template, has fallen victim to a sophisticated supply chain attack, compromising its npm package. This incident, detailed by researchers at <a...
A widely-used JavaScript templating library, art-template, has fallen victim to a sophisticated supply chain attack, compromising its npm package. This incident, detailed by researchers at <a href="https://socket.dev/blog/coruna-
The backdoored package silently dropped malicious code into end users’ browsers, turning everyday web applications into watering holes targeting Apple device owners worldwide.
The attack began when the art-template npm package, originally developed by a maintainer known as “aui,” was handed over to an unknown actor under the pretense of continuing its maintenance.
According to the original author, the new controller almost immediately began weaponizing the package. Issue reports flagging the suspicious behavior were quietly deleted while the attacker continued pushing malicious versions to suppress discovery.
Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they identified the campaign and linked it to a previously documented iOS exploit framework called the Coruna exploit kit.
Their analysis, titled “Coruna Respawned,” revealed the implant inside the backdoored package closely mirrors delivery patterns from that earlier framework, suggesting direct reuse or a near-identical derivative.
The backdoored versions followed an escalating injection pattern across multiple releases. Version 4.13.3 used encoding to hide a loader pointing to a suspicious external domain.
Versions 4.13.5 and 4.13.6 dropped the obfuscation entirely and injected a plaintext script loader directly into the package’s browser bundle file. Any web application that included those versions would silently load and execute the exploit kit in every visitor’s browser.
The scale of exposure is significant given how widely the package was used across JavaScript projects globally.
Developers who unknowingly bundled the affected versions became unwitting delivery vehicles for a targeted mobile attack against their own users, with no visible sign that anything had changed.
Hackers Backdoor Popular art-template npm Package
The core of the attack is a JavaScript implant that functions as a watering hole exploit delivery framework. Once injected through the compromised npm package, it quietly fingerprints each site visitor.
The implant only activates on Safari running on iOS 11.0 through 17.2, and silently exits on Chrome, Firefox, Edge, Android, and iOS 17.3 or higher.
Once a matching device is detected, the implant begins beaconing the victim’s public IP address, iOS version string, and a campaign tracking code to a command-and-control server every ten seconds.
It also runs five layers of anti-bot checks — including MathML rendering tests and a WebAssembly proof-of-work challenge — to confirm the target is a real person on actual hardware. Only after passing all checks does the framework fetch and execute the final server-gated payload.
Payload selection is tailored to the victim’s iOS version, with each of five version bands mapping to a different remote exploit module.
Researchers found the hard cutoff at iOS 17.3 aligns precisely with the patch boundary for CVE-2024-23222, a WebKit vulnerability Apple fixed at that exact release. That precision strongly suggests browser-level exploitation rather than conventional phishing.
npm Supply Chain Entry Point
The full delivery chain flowed from the corrupted npm package directly to the victim’s device. Versions 4.13.5 and 4.13.6 appended a script loader to the browser-side bundle, which called out to an external domain.
That domain redirected visitors to a watering hole page embedding the exploit framework. From the moment any site using those versions was visited, the attack activated silently in the background.
The implant uses a content-addressed module system to conceal payloads from outside observers. Remote modules are fetched via URLs derived by hashing a secret session key with a module identifier, making them invisible to scanners that do not know the key.
This design matches infrastructure patterns documented for the original Coruna kit, including identical XOR obfuscation confirmed by published YARA rules. Developers are urged to audit dependency trees for art-template versions 4.13.3 through 4.13.6.
Locking dependencies, reviewing browser bundle outputs for unexpected script loaders, and monitoring outbound network requests from JavaScript runtimes are the primary mitigations. Any application deployed with affected versions should undergo an immediate security review.
Indicators of Compromise (IoCs):-
| Type | Indicator | Description |
|---|---|---|
| Domain | v3.jiathis[.]com |
External script host injected by art-template 4.13.5/4.13.6 via loadScript() in lib/template-web.js |
| URL | hxxps://v3.jiathis[.]com/code/art.js |
Malicious script loader fetched by art-template 4.13.6 |
| URL | hxxps://v3.jiathis[.]com/code/jia.js?uid=artemplate |
Malicious script loader fetched by art-template 4.13.5 |
| Domain | utaq[.]cfww[.]shop |
Watering hole hosting domain; serves exploit delivery framework and all remote payload modules |
| URL | hxxps://utaq[.]cfww[.]shop/gooll/gooll.html |
Watering hole landing page embedding the Coruna-like exploit framework |
| URL | hxxps://utaq[.]cfww[.]shop/gooll/49554fde7424c31c.js |
Primary JavaScript implant file; iOS Safari exploit delivery framework |
| Domain | l1ewsu3yjkqeroy[.]xyz |
C2 server receiving victim IP beacons every 10 seconds via POST to /api/ip-sync/sync |
| URL | https://l1ewsu3yjkqeroy[.]xyz/api/ip-sync/sync |
C2 beacon endpoint receiving victim IP address, iOS version, and campaign tracking code |
| URL | https://ipv4.icanhazip.com |
Legitimate IP oracle used by implant to resolve victim’s public IP before C2 POST |
| Domain | git.youzzjizz[.]com |
External loader domain used in the older art-template 4.13.3 injection (git.youzzjizz[.]com/git.js) |
| File Name | 49554fde7424c31c.js |
JavaScript implant filename; the watering hole exploit delivery framework |
| File Name | lib/template-web.js |
Compromised file inside the art-template npm package where the loadScript() injection was placed |
| SHA-256 | f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c |
SHA-256 hash of 49554fde7424c31c.js (the primary implant file) |
| SHA-1 | 8064d4e0322f069b3dba13e7957ff0ca7dab7984 |
SHA-1 hash of 49554fde7424c31c.js |
| MD5 | 6e79ae622b7ef30f31fdbcc2dc65339e |
MD5 hash of 49554fde7424c31c.js |
| String / Session Key | cecd08aa6ff548c2 |
Session key used by implant to derive remote payload module URLs via content-addressed SHA-256 hashing |
| String / Campaign Code | CHMK6IG08F42496C22 |
Campaign tracking code beaconed to C2 with every victim check-in |
| Package Version | pkg:npm/[email protected] |
First backdoored version using String.fromCharCode encoding to hide loader |
| Package Version | pkg:npm/[email protected] |
Backdoored version with plaintext loadScript() injection pointing to jiathis domain |
| Package Version | pkg:npm/[email protected] |
Backdoored version with updated plaintext loadScript() injection |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
No Comment! Be the first one.