art-template npm Coruna Browser Exploit Compromise
The npm package art-template was compromised in versions 4.13.5 and 4.13.6 to inject remote browser-side JavaScript that redirected users into a Coruna-like iOS Safari exploit delivery chain.
- Date:
- Severity: high
- Sources: 1
Executive Summary
Socket reported that the long-standing npm package art-template was compromised after maintainer control changed, with affected versions injecting browser-side script loads into lib/template-web.js. Socket names art-template@4.13.5 and art-template@4.13.6 as compromised packages, with 4.13.3 described as an earlier encoded loader stage (Socket).
This incident differs from install-time developer malware. An application build that pulls in an affected version ships the modified browser bundle to end users, where the injected JavaScript loads attacker-controlled code and routes traffic through a Coruna-like Safari/iOS exploit-delivery framework. Defenders should remove affected versions, rebuild application assets, and invalidate caches that may still hold the poisoned bundle (Socket).
Key Facts
```yaml
threat_type: "npm package compromise and browser-side exploit delivery"
ecosystem: "npm"
registry: "npmjs.com"
affected_packages:
  - "art-template"
malicious_versions:
  - "4.13.5"
  - "4.13.6"
known_good_versions: []
fixed_or_safe_versions:
  - "unknown; use maintainer-confirmed clean release and rebuild assets"
execution_trigger: "browser loads bundled art-template lib/template-web.js containing injected loadScript calls"
primary_impact: "browser exploit delivery, end-user redirection, potential client compromise"
campaign_context: "Socket links the delivery chain to a Coruna-like mobile exploit framework."
confidence: "high"
canonical_source: "https://socket.dev/blog/coruna-respawned-compromised-art-template-npm-package"
last_verified: "2026-05-24"
```
Source Confidence & Evidence Mapping
- confirmed: Socket identifies art-template@4.13.5 and art-template@4.13.6 as compromised npm versions (Socket).
- confirmed: The injected browser-side code loads remote JavaScript from v3[.]jiathis[.]com and routes into cfww[.]shop infrastructure (Socket).
- confirmed: Socket reports Safari/iOS targeting and anti-bot checks in the downstream delivery chain (Socket).
- unclear: The final exploitation module behavior was still under analysis in public reporting, so impact should be treated as potential browser compromise rather than a fully documented post-exploitation chain.
Attack Execution Flow
```mermaid
sequenceDiagram
    autonumber
    actor Attacker
    participant NPM as npm Registry
    participant Build as Application Build
    participant Browser as End User Browser
    participant C2 as Exploit Delivery Infrastructure
    Attacker->>NPM: Publish compromised art-template version
    NPM->>Build: Dependency is installed and bundled
    Build->>Browser: Application serves poisoned template-web.js
    Browser->>C2: Injected script loads remote JavaScript
    C2->>Browser: Fingerprint and route to exploit modules
```
Timeline
- 2026-05-20: Socket publishes public research on the compromised art-template npm package and the Coruna-like exploit delivery chain (Socket).
- 2026-05-24: This local feed split creates a standalone art-template article instead of keeping it inside a weekly roundup.
What Happened
art-template is a browser-capable JavaScript templating package. Socket reports that after a maintainer change, new versions introduced remote script loading into the package's browser bundle. This is operationally dangerous because the malicious code moves from a developer dependency into production web assets served to end users.
The payload path described by Socket begins with injected script loading from v3[.]jiathis[.]com, then routes into utaq[.]cfww[.]shop infrastructure. The delivery framework checks browser and device characteristics, with a focus on Safari/iOS conditions, before continuing into content-addressed modules (Socket).
Technical Analysis
Initial Access
Socket describes a package stewardship change before the malicious versions were published. The public evidence does not prove whether that was a legitimate transfer later abused, a social-engineering event, or an account compromise (Socket).
Package or Artifact Tampering
The key tampering occurs in lib/template-web.js, where malicious versions inject loadScript() behavior that pulls remote JavaScript. Socket also describes an earlier encoded loader pattern in 4.13.3, but its IoC list names 4.13.5 and 4.13.6 as the compromised package versions (Socket).
Execution Trigger
Execution happens when an application or website serves a bundle containing the affected art-template browser code and an end user loads it. This means package removal alone is not enough if poisoned assets were already built and cached.
Payload Behavior
The browser-side chain loads remote JavaScript, fingerprints the client, filters automated environments, checks Safari/iOS conditions, and then fetches additional modules from attacker infrastructure. Socket connects the behavior to a Coruna-like exploit delivery framework (Socket).
Exfiltration / C2
Observed network indicators include v3[.]jiathis[.]com, utaq[.]cfww[.]shop, cfww[.]shop, and l1ewsu3yjkqeroy[.]xyz. Treat these as browser-side web telemetry, CDN, and proxy hunting pivots.
Propagation
No package-to-package propagation is confirmed. The blast radius grows through downstream builds and caches: npm install, bundling, deployment, CDN caching, and end-user browser execution.
Obfuscation or Evasion
Evasion is focused on browser targeting and analysis avoidance. The chain includes anti-bot checks, Safari/iOS gating, and staged content-addressed module loading (Socket).
MITRE ATT&CK Mapping
| Tactic | Technique ID | Technique Name | Observed Behavior |
|---|---|---|---|
| Initial Access | T1195.002 | Compromise Software Supply Chain | Compromised npm package delivered browser-side malicious code. |
| Execution | T1059.007 | JavaScript | Injected JavaScript executed in end-user browsers. |
| Command and Control | T1102 | Web Service | Browser payloads loaded from attacker-controlled web infrastructure. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Staged and encoded browser-side loaders complicated static analysis. |
Affected Assets and Blast Radius
```yaml
affected_assets:
  ecosystems:
    - "npm"
  packages:
    - "art-template"
  versions:
    - "4.13.5"
    - "4.13.6"
  repositories: []
  ci_cd_systems:
    - "npm build pipelines"
    - "frontend asset build pipelines"
  container_images: []
  developer_tools:
    - "npm"
    - "JavaScript bundlers"
    - "CDN/web deployment systems"
  credentials_at_risk:
    - "unknown; browser-side exploitation impact was not fully public in reviewed source"
  not_currently_known_to_affect:
    - "Server-only use that never bundles or serves affected browser files, pending local verification."
```
Indicators of Compromise
```yaml
package_versions:
  - "art-template 4.13.5"
  - "art-template 4.13.6"
files:
  - "lib/template-web.js"
  - "49554fde7424c31c.js"
hashes:
  - "dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086"
  - "387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41"
domains:
  - "v3[.]jiathis[.]com"
  - "utaq[.]cfww[.]shop"
  - "cfww[.]shop"
  - "l1ewsu3yjkqeroy[.]xyz"
  - "ipv4[.]icanhazip[.]com"
urls:
  - "hxxps://v3[.]jiathis[.]com/code/jia.js?uid=artemplate"
  - "hxxps://v3[.]jiathis[.]com/code/art.js"
  - "hxxps://utaq[.]cfww[.]shop/gooll/gooll.html"
  - "hxxps://utaq[.]cfww[.]shop/gooll/49554fde7424c31c.js"
  - "hxxps://l1ewsu3yjkqeroy[.]xyz/api/ip-sync/sync"
ips: []
process_patterns: []
network_patterns:
  - "browser requests to v3[.]jiathis[.]com/code/art.js"
  - "browser requests to utaq[.]cfww[.]shop/gooll/"
  - "POST or beacon to l1ewsu3yjkqeroy[.]xyz/api/ip-sync/sync"
provenance_signals:
  - "art-template package versions published after unexpected maintainer transfer"
```
Detection and Hunting
```yaml
lockfiles:
  - "Search package-lock.json, pnpm-lock.yaml, yarn.lock, npm-shrinkwrap.json, and SBOMs for art-template 4.13.5 or 4.13.6."
filesystem:
  - "Search built assets and node_modules for v3.jiathis.com, cfww.shop, l1ewsu3yjkqeroy.xyz, and 49554fde7424c31c.js."
process:
  - "Not a primary host-process hunt; focus on build artifacts and browser/proxy telemetry."
network:
  - "Search CDN, proxy, WAF, and browser telemetry for listed domains and URLs."
github_audit: []
ci_cd:
  - "Identify builds that installed or bundled art-template 4.13.5 or 4.13.6."
registry:
  - "Block art-template 4.13.5 and 4.13.6."
sigma_candidates:
  - "Proxy: Browser Load of art-template Coruna Infrastructure"
yara_candidates:
  - "JavaScript bundle containing v3.jiathis.com/code/art.js and art-template loader strings"
```
Remediation Workflow
- Immediate: Remove art-template@4.13.5 and 4.13.6, block listed domains, and identify deployed web assets built with affected versions.
- Short-term: Rebuild frontend bundles from a clean dependency cache, invalidate CDN and browser caches where feasible, and review web telemetry for exploit-delivery requests.
- Long-term: Gate frontend dependency updates, scan built assets for unexpected third-party script loads, and maintain an emergency cache-invalidation process for compromised browser packages.
Defensive Lessons
- prevent: Browser-delivered package compromises require production asset controls, not only developer endpoint controls.
- detect: Scan built JavaScript artifacts for new remote script loads and suspicious domains.
- respond: Assume poisoned assets can persist in CDN and browser caches after package removal.
Open Questions
- Did art-template@4.13.3 reach enough downstream builds to require a formal block alongside 4.13.5 and 4.13.6?
- What was the final exploit payload for clients that passed the Safari/iOS checks?
- Which production websites served affected bundles before removal?
Sources
- Socket: Coruna Respawned: Compromised art-template npm Package - Role: PRIMARY_RESEARCH - Impact: Documents affected versions, injected browser scripts, domains, hashes, targeting logic, and remediation guidance.
Machine-Readable Event Profile
```json
{
  "schema_version": "2.0",
  "event_id": "art-template-coruna-npm-compromise-2026-05-20",
  "event_name": "art-template npm Coruna Browser Exploit Compromise",
  "publication_state": "publish_ready",
  "confidence": "high",
  "attack_types": ["npm package compromise", "browser exploit delivery", "JavaScript injection"],
  "sources": {
    "direct": [],
    "primary_research": ["https://socket.dev/blog/coruna-respawned-compromised-art-template-npm-package"],
    "correlated": []
  },
  "affected_assets": {
    "ecosystems": ["npm"],
    "packages": ["art-template"],
    "versions": ["4.13.5", "4.13.6"],
    "repositories": [],
    "ci_cd_systems": ["npm build pipelines", "frontend asset build pipelines"],
    "container_images": [],
    "developer_tools": ["npm", "JavaScript bundlers", "CDN/web deployment systems"],
    "credentials_at_risk": ["unknown"]
  },
  "timeline": {
    "first_seen": "unknown",
    "malicious_publish_time": "unknown",
    "discovery_time": "2026-05-20",
    "removal_time": "unknown",
    "disclosure_time": "2026-05-20",
    "patch_or_fix_time": "unknown"
  },
  "artifact_analysis": {
    "malicious_artifacts": ["lib/template-web.js", "49554fde7424c31c.js"],
    "execution_trigger": "browser loads bundled art-template asset",
    "payload_behavior": ["remote script load", "browser fingerprinting", "Safari/iOS targeting", "exploit module staging"]
  },
  "iocs": {
    "package_versions": ["art-template@4.13.5", "art-template@4.13.6"],
    "files": ["lib/template-web.js", "49554fde7424c31c.js"],
    "hashes": ["dd9c0268c8944e6ddf90d4d0c81aa843785b7a9ee965faa635841ed9fc0ba086", "387d7ea5ca733b1e7219c943f4b461877a8df0148adfef42b1538b6c398fbb41"],
    "domains": ["v3.jiathis.com", "utaq.cfww.shop", "cfww.shop", "l1ewsu3yjkqeroy.xyz", "ipv4.icanhazip.com"],
    "urls": ["https://v3.jiathis.com/code/art.js", "https://utaq.cfww.shop/gooll/gooll.html", "https://utaq.cfww.shop/gooll/49554fde7424c31c.js", "https://l1ewsu3yjkqeroy.xyz/api/ip-sync/sync"],
    "ips": [],
    "process_patterns": [],
    "network_patterns": ["browser requests to v3.jiathis.com", "browser requests to cfww.shop infrastructure"]
  },
  "detection": {
    "lockfile_hunts": ["art-template 4.13.5 or 4.13.6"],
    "filesystem_hunts": ["v3.jiathis.com", "cfww.shop", "l1ewsu3yjkqeroy.xyz"],
    "process_hunts": [],
    "network_hunts": ["v3.jiathis.com", "utaq.cfww.shop", "l1ewsu3yjkqeroy.xyz"],
    "ci_cd_hunts": ["frontend builds with affected versions"],
    "registry_hunts": ["block affected npm versions"]
  },
  "open_questions": ["final exploit behavior", "production site exposure", "whether 4.13.3 should be blocked"],
  "defender_takeaways": {
    "detection": "Scan built assets and browser telemetry, not just developer endpoints.",
    "hunting": "Find affected lockfiles and deployed bundles containing the injected domains.",
    "remediation": "Rebuild and invalidate caches after removing the bad npm versions.",
    "prevention": "Monitor frontend bundles for unexpected remote script loaders."
  }
}
```