art-template npm Supply Chain Compromise

discovered 2026-05-20

Social engineering acquisition fraud targeting the maintainer of art-template (~33,600 weekly npm downloads). A Malaysian front company (KILLER WHAL AI SDN BHD) tricked the original author into transferring npm and GitHub ownership. The campaign ran in three phases over 16 months: Phase 1 (Mar 2025), testing with obfuscated injection; Phase 2 (May 2026), Coruna iOS exploit kit delivery via the hijacked JiaThis domain; Phase 3 (Jun 2026), a pivot to Chinese gambling/adult content traffic hijacking with Beijing timezone gating. Google TAG attributes Coruna usage to UNC6691 (Chinese, financially motivated).

Objective

Traffic monetization via iOS exploitation (PLASMAGRID cryptocurrency wallet implant) and gambling/adult content redirect injection

Packages

Indicators

Techniques
