art-template npm Package Compromised to Deliver Coruna-Like iOS Exploit

Severity: High (Score: 69.5)

Sources: Gbhackers, Technadu, socket.dev

Published: 2026-05-22 · Updated: 2026-05-22

Keywords: package, art-template, popular, watering, compromised, exploit, backdoored

Severity indicators: pla, backdoor

Summary

The art-template npm package was compromised to deliver a Coruna-like exploit targeting iOS devices. Discovered on May 20, 2026, the attack utilized a watering-hole method to redirect users to a malicious site. The exploit specifically targets iOS versions 11.0 to 17.2, rejecting newer versions to avoid detection. Attackers used both obfuscated and plaintext methods to inject malicious scripts into the library. The exploit framework includes five full exploit chains and 23 individual exploits. This incident highlights the risks associated with supply chain attacks in open-source software. Socket Threat Research confirmed the exploit's alignment with the established Coruna exploit kit. Users of the art-template package are urged to take immediate precautions.

Key Points:

  • The art-template npm package was compromised to deliver a targeted iOS exploit.
  • The exploit affects iOS versions 11.0 to 17.2, specifically targeting Safari users.
  • The attack utilized both obfuscation techniques and direct script injections.

Detailed Analysis

**Impact** Users of the art-template npm package, a widely used JavaScript templating library, were affected by a supply chain attack that delivered a Coruna-like iOS exploit framework. The campaign targeted iPhone users running Safari on iOS versions 11.0 through 17.2, potentially impacting millions of devices globally. The exploit framework contains five full exploit chains and 23 individual exploits, enabling remote code execution on vulnerable iOS versions. No specific sectors or geographic concentrations were detailed in the sources.

**Technical Details** Attackers compromised versions 4.13.3 through 4.13.6 of the art-template package, initially using String.fromCharCode obfuscation before switching to plaintext loadScript injections in lib/template-web.js. The injected code redirected browsers through v3.jiathis.com and utaq.cfww.shop domains to a C2 server at l1ewsu3yjkqeroy[.]xyz. The implant exclusively targets Safari on iOS 11.0 to 17.2, terminating on iOS 17.3 and above, and delivers a Coruna-class exploit kit with five WebContent RCE exploit chains. No CVEs were explicitly mentioned.

**Recommended Response** Immediately audit and update dependencies to remove compromised versions of art-template (4.13.3 to 4.13.6). Block and monitor network traffic to the domains v3.jiathis.com, utaq.cfww.shop, and the C2 server l1ewsu3yjkqeroy[.]xyz. Deploy detections for unusual script injections in JavaScript libraries, especially loadScript calls in lib/template-web.js. Monitor iOS devices for signs of exploitation and ensure devices are updated to iOS 17.3 or later to mitigate risk.
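One way to carry out the dependency audit and script-injection check described above, as an added example that is not code from Socket or the other sources. It takes an already-parsed package-lock.json and the text of a bundled file; the String.fromCharCode pattern it decodes is an assumed shape of the obfuscation, and the sample inputs are constructed.

```javascript
// Added example (not from the advisory's sources): lockfile and source checks.
const BAD_VERSIONS = new Set(["4.13.3", "4.13.4", "4.13.5", "4.13.6"]);
const INDICATORS = ["v3.jiathis.com", "utaq.cfww.shop", "l1ewsu3yjkqeroy.xyz"];
const isBad = (name, meta) => name === "art-template" && BAD_VERSIONS.has(meta.version);

// Accepts a parsed package-lock.json. lockfileVersion 2/3 lists every install
// path under "packages"; lockfileVersion 1 nests them under "dependencies".
function findCompromised(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (isBad(name, meta)) hits.push({ path, version: meta.version });
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (isBad(name, meta)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path + "/");
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Decodes literal String.fromCharCode(n, n, ...) runs (assumed obfuscation shape)
// so encoded hostnames become searchable, then looks for the advisory's markers.
function scanSource(text) {
  const decoded = text.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, nums) =>
    String.fromCharCode(...nums.split(",").map(Number)));
  const found = INDICATORS.filter((host) => decoded.includes(host));
  if (/\bloadScript\s*\(/.test(decoded)) found.push("loadScript call");
  return found;
}

// Constructed sample inputs; "some-plugin" and "demo-app" are hypothetical names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/art-template": { version: "4.13.5" },
    "node_modules/some-plugin/node_modules/art-template": { version: "4.13.2" },
  },
};
const codes = [..."v3.jiathis.com"].map((c) => c.charCodeAt(0)).join(", ");
const sampleSource = `var t = 1; loadScript(String.fromCharCode(${codes}));`;

console.log(findCompromised(sampleLock));
console.log(scanSource(sampleSource));
```

In a real project, pass the parsed contents of package-lock.json to findCompromised and the text of node_modules/art-template/lib/template-web.js to scanSource; any result from either warrants treating the install as affected.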

Source articles (3)

  • Popular npm Package “art-template” Backdoored in Watering — Gbhackers · 2026-05-22
    Hackers compromised the popular art-template npm package to inject a stealthy backdoor that redirected users’ browsers to a malicious watering‑hole site delivering a Coruna‑class iOS exploit framework…
  • Coruna Respawned Compromised Art Template Npm Package — socket.dev · 2026-05-21
  • Compromised art-template npm Package Delivers Coruna-Like iOS Exploit — Technadu · 2026-05-21
    A highly sophisticated package compromise involving art-template, a widely utilized JavaScript templating library originally authored by a developer known as aui, exposed a critical supply chain attac…

Timeline

  • 2026-05-20 — Compromise of art-template detected: Socket Threat Research identified the compromise of the art-template npm package, which delivered a Coruna-like exploit.
  • 2026-05-21 — Technadu publishes details of the attack: Technadu reported on the sophisticated supply chain attack involving the art-template package.
  • 2026-05-22 — Gbhackers reports on the backdoor: Gbhackers detailed the backdoor injected into the art-template package, emphasizing its stealthy nature.

Related entities

  • Watering Hackers (Apt Group)
  • Malware (Attack Type)
  • Supply Chain Attack (Attack Type)
  • L3Harris (Company)
  • Trenchant (Company)
  • l1ewsu3yjkqeroy.xyz (Domain)
  • v3.jiathis.com (Domain)
  • Coruna (Malware)
  • DarkSword (Malware)
  • T1059.007 - JavaScript (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1189 - Drive-by Compromise (Mitre Attack)
  • T1195 - Supply Chain Compromise (Mitre Attack)
  • T1203 - Exploitation for Client Execution (Mitre Attack)
  • iOS (Platform)
  • Safari (Platform)
  • Coruna Exploit Kit (Tool)
  • DarkSword iPhone Exploit Kit (Tool)