{
  "campaign": {
    "name": "art-template npm Supply Chain Compromise",
    "slug": "art-template-npm-supply-chain-compromise",
    "href": "/ti/campaigns/art-template-npm-supply-chain-compromise",
    "description": "Social engineering acquisition fraud targeting the maintainer of art-template (~33,600 weekly npm downloads). Malaysian company front (KILLER WHAL AI SDN BHD) tricked original author into transferring npm and GitHub ownership. Three phases over 16 months: Phase 1 (Mar 2025) testing with obfuscated injection, Phase 2 (May 2026) Coruna iOS exploit kit delivery via hijacked JiaThis domain, Phase 3 (Jun 2026) pivot to Chinese gambling/adult content traffic hijacking with Beijing timezone gating. Google TAG attributes Coruna usage to UNC6691 (Chinese, financially motivated).",
    "objective": "Traffic monetization via iOS exploitation (PLASMAGRID cryptocurrency wallet implant) and gambling/adult content redirect injection",
    "aliases": [],
    "discovered_at": "2026-05-20"
  },
  "packages": [
    {
      "ecosystem": "npm",
      "name": "art-template",
      "href": "/ti/packages/npm/art-template",
      "threat_types": [
        "crypto_drainer",
        "other"
      ],
      "versions": [
        "4.13.3",
        "4.13.5",
        "4.13.6",
        "4.13.7"
      ]
    }
  ],
  "indicators": [
    {
      "kind": "domain",
      "value": "utaq.cfww.shop",
      "href": "/ti/ioc/domain/utaq.cfww.shop",
      "context": "Former Coruna exploit kit host (Phase 2). 180.178.50.158 AS45753 Netsec Limited HK. Hosted 14 exploit modules (606KB) at /gooll/. DEAD as of 2026-07-03."
    },
    {
      "kind": "domain",
      "value": "git.youzzjizz.com",
      "href": "/ti/ioc/domain/git.youzzjizz.com",
      "context": "Former payload host (Phase 1, version 4.13.3). String.fromCharCode decoded URL. DEAD as of 2026-07-03."
    },
    {
      "kind": "ipv4",
      "value": "180.178.50.158",
      "href": "/ti/ioc/ipv4/180.178.50.158",
      "context": "IP for utaq.cfww.shop (former Coruna exploit kit host, Phase 2). AS45753 Netsec Limited, Hong Kong. DEAD."
    },
    {
      "kind": "ipv4",
      "value": "172.67.141.14",
      "href": "/ti/ioc/ipv4/172.67.141.14",
      "context": "Cloudflare IP for l1ewsu3yjkqeroy.xyz (former C2 sync, Phase 2). DEAD."
    },
    {
      "kind": "ipv4",
      "value": "104.21.40.254",
      "href": "/ti/ioc/ipv4/104.21.40.254",
      "context": "Cloudflare IP for l1ewsu3yjkqeroy.xyz (former C2 sync, Phase 2). DEAD."
    },
    {
      "kind": "sha256",
      "value": "273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868d",
      "href": "/ti/ioc/sha256/273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868d",
      "context": "art-template@4.13.3 npm tarball (Phase 1)"
    },
    {
      "kind": "sha256",
      "value": "5b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7d",
      "href": "/ti/ioc/sha256/5b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7d",
      "context": "art-template@4.13.5 npm tarball (Phase 2, unpublished from npm)"
    },
    {
      "kind": "sha256",
      "value": "101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77",
      "href": "/ti/ioc/sha256/101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77",
      "context": "art-template@4.13.6 npm tarball (Phase 2, unpublished from npm)"
    },
    {
      "kind": "sha256",
      "value": "d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512f",
      "href": "/ti/ioc/sha256/d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512f",
      "context": "Original Coruna exploit kit payload served from v3.jiathis.com/code/jia.js (Phase 2, no longer served)"
    },
    {
      "kind": "sha256",
      "value": "f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c",
      "href": "/ti/ioc/sha256/f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c",
      "context": "49554fde7424c31c.js stage-4 Coruna malware loader (50KB, Phase 2)"
    },
    {
      "kind": "sha1",
      "value": "57620206d62079baad0e57e6d9ec93120c0f5247",
      "href": "/ti/ioc/sha1/57620206d62079baad0e57e6d9ec93120c0f5247",
      "context": "SHA-1/commit-like hash from blog post"
    },
    {
      "kind": "sha1",
      "value": "14669ca3b1519ba2a8f40be287f646d4d7593eb0",
      "href": "/ti/ioc/sha1/14669ca3b1519ba2a8f40be287f646d4d7593eb0",
      "context": "SHA-1/commit-like hash from blog post"
    },
    {
      "kind": "domain",
      "value": "v3.jiathis.com",
      "href": "/ti/ioc/domain/v3.jiathis.com",
      "context": "Payload server. Hijacked JiaThis social sharing service domain (Beijing, 2009). Re-registered through GoDaddy, routed via Cloudflare. Serves gambling redirect payload on jia.js path with Referer gating. art.js path returns 404 as of 2026-07-03. Shared Cloudflare nameservers (paislee/sean) with mki.mom."
    },
    {
      "kind": "domain",
      "value": "test.airsplu.cn",
      "href": "/ti/ioc/domain/test.airsplu.cn",
      "context": "Gambling redirect destination. Chinese gambling/adult content portal (2026 World Cup Navigation). Huawei CDN (45.197.102.29). Beijing timezone-gated redirect: 7PM-6AM 100%, daytime 30%."
    },
    {
      "kind": "domain",
      "value": "s5gw.mki.mom",
      "href": "/ti/ioc/domain/s5gw.mki.mom",
      "context": "Gambling portal backend. CNAME to 500info.win (Azure). Shares Cloudflare nameservers (paislee/sean) with jiathis.com, indicating same Cloudflare account. Baidu Analytics tracker a29b02d841cccc4c4b32f9c5dbebb0b0."
    },
    {
      "kind": "domain",
      "value": "s5dh.club",
      "href": "/ti/ioc/domain/s5dh.club",
      "context": "Gambling portal. 301 redirect to s5gw.mki.mom. Azure IPs (20.239.154.185, 20.2.192.146). Registered 2025-02-19 via GoDaddy."
    },
    {
      "kind": "domain",
      "value": "l1ewsu3yjkqeroy.xyz",
      "href": "/ti/ioc/domain/l1ewsu3yjkqeroy.xyz",
      "context": "Former C2 sync endpoint (Phase 2). Cloudflare-fronted. /api/ip-sync/sync POST every 10s with channelCode CHMK6IG08F42496C22. DEAD as of 2026-07-03."
    },
    {
      "kind": "sha256",
      "value": "e27a0e28da18a7978dd0139bccf48ec5c39454fda6384c95fc0fb004b3b502a2",
      "href": "/ti/ioc/sha256/e27a0e28da18a7978dd0139bccf48ec5c39454fda6384c95fc0fb004b3b502a2",
      "context": "art-template@4.13.7 npm tarball (Phase 3, published 2026-06-27 by npmpacketmaintainmember8)"
    },
    {
      "kind": "sha256",
      "value": "7c59001d7bdd0dfb04b89d2de3d71b18975b20f22b2af880911413fb29cfdff0",
      "href": "/ti/ioc/sha256/7c59001d7bdd0dfb04b89d2de3d71b18975b20f22b2af880911413fb29cfdff0",
      "context": "v3.jiathis.com/code/jia.js gambling redirect payload (last-modified 2026-06-30). Baidu Analytics + time-gated redirect to test.airsplu.cn."
    },
    {
      "kind": "url",
      "value": "https://v3.jiathis.com/code/art.js",
      "href": "/ti/ioc/url/url-f99f960b6c04",
      "context": "Injected script URL in art-template@4.13.6 and 4.13.7 (atob decoded from aHR0cHM6Ly92My5qaWF0aGlzLmNvbS9jb2RlL2FydC5qcw==). Returns 404 as of 2026-07-03."
    },
    {
      "kind": "url",
      "value": "https://v3.jiathis.com/code/jia.js",
      "href": "/ti/ioc/url/url-38919f0acd5c",
      "context": "Injected script URL in art-template@4.13.5 (with ?uid=artemplate param). Also loaded by legacy JiaThis widget embeddings across thousands of Chinese websites. LIVE, serving gambling redirect payload."
    },
    {
      "kind": "email",
      "value": "npmpacketmaintainmember8@proton.me",
      "href": "/ti/ioc/email/npmpacketmaintainmember8@proton.me",
      "context": "Phase 3 publisher account (npmpacketmaintainmember8). Published 4.13.7 on 2026-06-27."
    },
    {
      "kind": "email",
      "value": "goofychris69@gmail.com",
      "href": "/ti/ioc/email/goofychris69@gmail.com",
      "context": "Persistent maintainer account (daughtrymom). Controls art-template, express-art-template, art-template-loader, koa-art-template across all phases."
    },
    {
      "kind": "email",
      "value": "npmpacketmaintainmember7@proton.me",
      "href": "/ti/ioc/email/npmpacketmaintainmember7@proton.me",
      "context": "Phase 2 publisher account (npmpacketmaintainmember7). Published 4.13.5 and 4.13.6. Removed from maintainers after Phase 3."
    },
    {
      "kind": "email",
      "value": "eb8org@gmail.com",
      "href": "/ti/ioc/email/eb8org@gmail.com",
      "context": "Phase 1 publisher account (v4v5qc). Published 4.13.3 and 4.13.4. No longer a maintainer."
    },
    {
      "kind": "email",
      "value": "1987.tangbin@gmail.com",
      "href": "/ti/ioc/email/1987.tangbin@gmail.com",
      "context": "Original legitimate author (aui/tangbin). No longer a maintainer. Transferred ownership after acquisition fraud by KILLER WHAL AI SDN BHD."
    }
  ],
  "ttps": [
    {
      "name": "Supply Chain Compromise: Compromise Software Dependencies and Development Tools",
      "mitre_attack_id": "T1195.001",
      "href": "/ti/ttps/T1195.001"
    },
    {
      "name": "Command and Scripting Interpreter: JavaScript",
      "mitre_attack_id": "T1059.007",
      "href": "/ti/ttps/T1059.007"
    },
    {
      "name": "Obfuscated Files or Information",
      "mitre_attack_id": "T1027",
      "href": "/ti/ttps/T1027"
    },
    {
      "name": "Exploitation for Client Execution",
      "mitre_attack_id": "T1203",
      "href": "/ti/ttps/T1203"
    },
    {
      "name": "Acquire Infrastructure: Domains",
      "mitre_attack_id": "T1583.001",
      "href": "/ti/ttps/T1583.001"
    },
    {
      "name": "Stage Capabilities: Drive-By Target",
      "mitre_attack_id": "T1608.004",
      "href": "/ti/ttps/T1608.004"
    },
    {
      "name": "Trusted Relationship",
      "mitre_attack_id": "T1199",
      "href": "/ti/ttps/T1199"
    },
    {
      "name": "Social Engineering Acquisition Fraud",
      "href": "/ti/ttps/social-engineering-acquisition-fraud"
    }
  ],
  "related_campaigns": [],
  "reports": [
    {
      "title": "art-template npm Hijack Delivers iOS Browser Exploit Kit",
      "url": "https://safedep.io/art-template-npm-supply-chain-compromise",
      "published_at": "2026-05-20"
    }
  ]
}