malware npm

art-template

discovered 2026-05-20

JavaScript template engine compromised via social engineering acquisition fraud. Browser bundle (lib/template-web.js) injects external scripts. Phase 1 (4.13.3): String.fromCharCode obfuscation to git.youzzjizz.com. Phase 2 (4.13.5/6): plaintext injection to v3.jiathis.com delivering Coruna iOS exploit kit. Phase 3 (4.13.7): inline webpack module injection with atob() + string splitting evasion, payload pivoted to gambling redirect. Server-side Referer gating: 1 byte without Referer, full payload with Referer. Node.js entry point clean; browser bundle only.

Threat types

crypto_drainer other

Malicious versions

  • 4.13.3 · 273206e2973df6ba…
  • 4.13.5 · 5b5fe5d92808a732…
  • 4.13.6 · 101afde88ff8b5c0…
  • 4.13.7 · e27a0e28da18a797…

Campaigns

Indicators

Techniques

Read the full analysis →