malware
npm
art-template
discovered 2026-05-20

JavaScript template engine compromised via social engineering acquisition fraud. The browser bundle (lib/template-web.js) injects external scripts. Phase 1 (4.13.3): String.fromCharCode obfuscation loading from git.youzzjizz.com. Phase 2 (4.13.5/4.13.6): plaintext injection loading from v3.jiathis.com, which delivered the Coruna iOS exploit kit. Phase 3 (4.13.7): inline webpack module injection using atob() and string splitting for evasion, with the payload pivoted to a gambling redirect. The injected script is Referer-gated server-side: the server returns a 1-byte response when no Referer header is sent and the full payload when one is present. The Node.js entry point is clean; only the browser bundle is affected.
Threat types
- crypto_drainer
- other
Malicious versions
- 4.13.3 · 273206e2973df6ba…
- 4.13.5 · 5b5fe5d92808a732…
- 4.13.6 · 101afde88ff8b5c0…
- 4.13.7 · e27a0e28da18a797…
Campaigns
Indicators
Techniques
- ttp T1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- ttp T1059.007 Command and Scripting Interpreter: JavaScript
- ttp T1027 Obfuscated Files or Information
- ttp T1203 Exploitation for Client Execution
- ttp T1583.001 Acquire Infrastructure: Domains
- ttp T1608.004 Stage Capabilities: Drive-by Target
- ttp T1199 Trusted Relationship
- ttp Social Engineering Acquisition Fraud