A widely-used JavaScript templating library called art-template has been weaponized to deliver a sophisticated iOS browser exploit kit through a supply chain attack.
The backdoored package silently dropped malicious code into end users’ browsers, turning everyday web applications into watering holes targeting Apple device owners worldwide.
The attack began when the art-template npm package, originally developed by a maintainer known as “aui,” was handed over to an unknown actor under the pretense of continuing its maintenance.
According to the original author, the new controller almost immediately began weaponizing the package. Issue reports flagging the suspicious behavior were quietly deleted while the attacker continued pushing malicious versions to suppress discovery.
Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they identified the campaign and linked it to a previously documented iOS exploit framework called the Coruna exploit kit.
Their analysis, titled “Coruna Respawned,” revealed the implant inside the backdoored package closely mirrors delivery patterns from that earlier framework, suggesting direct reuse or a near-identical derivative.
The backdoored versions followed an escalating injection pattern across multiple releases. Version 4.13.3 used encoding to hide a loader pointing to a suspicious external domain.
Versions 4.13.5 and 4.13.6 dropped the obfuscation entirely and injected a plaintext script loader directly into the package’s browser bundle file. Any web application that included those versions would silently load and execute the exploit kit in every visitor’s browser.
The scale of exposure is significant given how widely the package was used across JavaScript projects globally.
Developers who unknowingly bundled the affected versions became unwitting delivery vehicles for a targeted mobile attack against their own users, with no visible sign that anything had changed.
Hackers Backdoor Popular art-template npm Package
The core of the attack is a JavaScript implant that functions as a watering hole exploit delivery framework. Once injected through the compromised npm package, it quietly fingerprints each site visitor.
The implant only activates on Safari running on iOS 11.0 through 17.2, and silently exits on Chrome, Firefox, Edge, Android, and iOS 17.3 or higher.
Once a matching device is detected, the implant begins beaconing the victim’s public IP address, iOS version string, and a campaign tracking code to a command-and-control server every ten seconds.
It also runs five layers of anti-bot checks — including MathML rendering tests and a WebAssembly proof-of-work challenge — to confirm the target is a real person on actual hardware. Only after passing all checks does the framework fetch and execute the final server-gated payload.
Payload selection is tailored to the victim’s iOS version, with each of five version bands mapping to a different remote exploit module.
Researchers found the hard cutoff at iOS 17.3 aligns precisely with the patch boundary for CVE-2024-23222, a WebKit vulnerability Apple fixed at that exact release. That precision strongly suggests browser-level exploitation rather than conventional phishing.
npm Supply Chain Entry Point
The full delivery chain flowed from the corrupted npm package directly to the victim’s device. Versions 4.13.5 and 4.13.6 appended a script loader to the browser-side bundle, which called out to an external domain.
That domain redirected visitors to a watering hole page embedding the exploit framework. From the moment any site using those versions was visited, the attack activated silently in the background.
The implant uses a content-addressed module system to conceal payloads from outside observers. Remote modules are fetched via URLs derived by hashing a secret session key with a module identifier, making them invisible to scanners that do not know the key.
This design matches infrastructure patterns documented for the original Coruna kit, including identical XOR obfuscation confirmed by published YARA rules. Developers are urged to audit dependency trees for art-template versions 4.13.3 through 4.13.6.
Locking dependencies, reviewing browser bundle outputs for unexpected script loaders, and monitoring outbound network requests from JavaScript runtimes are the primary mitigations. Any application deployed with affected versions should undergo an immediate security review.
Indicators of Compromise (IoCs):-
TypeIndicatorDescriptionDomainv3.jiathis[.]comExternal script host injected by art-template 4.13.5/4.13.6 via loadScript() in lib/template-web.jsURLhxxps://v3.jiathis[.]com/code/art.jsMalicious script loader fetched by art-template 4.13.6URLhxxps://v3.jiathis[.]com/code/jia.js?uid=artemplateMalicious script loader fetched by art-template 4.13.5Domainutaq[.]cfww[.]shopWatering hole hosting domain; serves exploit delivery framework and all remote payload modulesURLhxxps://utaq[.]cfww[.]shop/gooll/gooll.htmlWatering hole landing page embedding the Coruna-like exploit frameworkURLhxxps://utaq[.]cfww[.]shop/gooll/49554fde7424c31c.jsPrimary JavaScript implant file; iOS Safari exploit delivery frameworkDomainl1ewsu3yjkqeroy[.]xyzC2 server receiving victim IP beacons every 10 seconds via POST to /api/ip-sync/syncURLhttps://l1ewsu3yjkqeroy[.]xyz/api/ip-sync/syncC2 beacon endpoint receiving victim IP address, iOS version, and campaign tracking codeURL IP oracle used by implant to resolve victim’s public IP before C2 POSTDomaingit.youzzjizz[.]comExternal loader domain used in the older art-template 4.13.3 injection (git.youzzjizz[.]com/git.js)File Name49554fde7424c31c.jsJavaScript implant filename; the watering hole exploit delivery frameworkFile Namelib/template-web.jsCompromised file inside the art-template npm package where the loadScript() injection was placedSHA-256f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5cSHA-256 hash of 49554fde7424c31c.js (the primary implant file)SHA-18064d4e0322f069b3dba13e7957ff0ca7dab7984SHA-1 hash of 49554fde7424c31c.jsMD56e79ae622b7ef30f31fdbcc2dc65339eMD5 hash of 49554fde7424c31c.jsString / Session Keycecd08aa6ff548c2Session key used by implant to derive remote payload module URLs via content-addressed SHA-256 hashingString / Campaign CodeCHMK6IG08F42496C22Campaign tracking code beaconed to C2 with every victim check-inPackage Versionpkg:npm/art-template@4.13.3First backdoored version using String.fromCharCode encoding to hide loaderPackage Versionpkg:npm/art-template@4.13.5Backdoored version with plaintext loadScript() injection pointing to jiathis domainPackage Versionpkg:npm/art-template@4.13.6Backdoored version with updated plaintext loadScript() injection
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks appeared first on Cyber Security News.
