npm

art-template

art-template is identified in the SafeDep analysis "art-template npm Hijack Delivers iOS Browser Exploit Kit". art-template versions 4.13.3 through 4.13.6 were compromised via maintainer account takeover. The browser bundle injects scripts that deliver a full iOS exploit kit: WebAssembly type confusion, JIT heap spray, ASLR bypass via dyld cache parsing, and 31KB of ARM64 shellcode targeting iPhone and iPad.

discovered 2026-05-20

Threat types

other

Malicious versions

4.13.3

Campaigns

No Specific Campaignattributed-to

Indicators

domainutaq.cfww.shopcommunicates-with
domaingit.youzzjizz.comcommunicates-with
ipv4180.178.50.158communicates-with
ipv4172.67.141.14communicates-with
ipv4104.21.40.254communicates-with
sha256273206e2973df6ba7474aa66693797c98dcf26b794da4c3e863ab8d8c694868dindicates
sha2565b5fe5d92808a732d0d44246cd706295cc739ed7f4dcae19112df666bc5d4f7dindicates
sha256101afde88ff8b5c02fd341eda55022a39203088c2ff11dcb73214911cf5afb77indicates
sha256d8e3973a0b3c5359d1f53a22491b56bdd31dee13a51c01c7126bc6694584512findicates
sha256f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5cindicates
sha157620206d62079baad0e57e6d9ec93120c0f5247indicates
sha114669ca3b1519ba2a8f40be287f646d4d7593eb0indicates

Techniques

ttpT1195.001 Supply Chain Compromise: Compromise Software Dependencies and Development Toolsuses
ttpT1059.007 Command and Scripting Interpreter: JavaScriptuses
ttpT1027 Obfuscated Files or Informationuses
ttpT1203 Exploitation for Client Executionuses

Read the full analysis →