Snyk has reported that there have been attempts or successful attacks targeting this vulnerability.
Avoid using all malicious instances of the art-template package.
art-template is a simple and superfast templating engine that optimizes template rendering speed with a scope pre-declaration technique, achieving runtime performance close to the limits of JavaScript. It supports both Node.js and the browser.
Affected versions of this package are vulnerable to Embedded Malicious Code that operates as a multi-stage loader designed to target end-users' browsers. While it loads a Baidu Analytics tracker for all visitors, its primary goal is to target iPhone users. If an iPhone is detected, it silently loads a hidden iframe that delivers the Coruna exploit kit. This highly sophisticated exploit framework leverages a chain of iOS vulnerabilities, including CVE-2024-23222, to bypass browser security, achieve native code execution, and drop a final-stage malware payload (PLASMAGRID) aimed at stealing funds from cryptocurrency wallets.
Note:
The injection affects browser-side consumers only, not server-side Node.js usage.
Timeline:
4.13.3 - March 12, 2025 - Obfuscated String.fromCharCode injection, stripped package (6 files)
4.13.4 - March 14, 2025 - No injection detected, full package restored
4.13.5 - May 19, 2026 - Plaintext script injection: v3.jiathis[.]com/code/jia.js?uid=artemplate
4.13.6 - May 20, 2026 - Plaintext script injection: v3.jiathis[.]com/code/art.js
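A check built from the timeline above, as an added example that is not Snyk's or the art-template project's code: it flags art-template entries in an npm lockfile that are pinned to a version the timeline lists as injected, and tests built browser assets for the script host named there. The function names and sample lockfile are constructed for illustration, and because the page does not say what the 4.13.3 payload decodes to, the `String.fromCharCode` decoding is a review aid rather than a confirmed signature.

```javascript
// Added example; not Snyk's or the art-template project's code.
// Versions the timeline lists as carrying an injection.
const INJECTED_VERSIONS = new Set(["4.13.3", "4.13.5", "4.13.6"]);
// Host from the timeline, kept defanged in source and refanged only for matching.
const INDICATOR_HOST = "v3.jiathis[.]com".replace("[.]", ".");

// Return every art-template entry in an npm lockfile object that is pinned to
// an injected version. Handles the v2/v3 "packages" map and the v1 "dependencies" tree.
function findInjectedArtTemplate(lock) {
  const hits = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() === "art-template" &&
        INJECTED_VERSIONS.has(meta.version)) hits.set(path, meta.version);
  }
  (function walk(deps, trail) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === "art-template" && INJECTED_VERSIONS.has(meta.version)) {
        hits.set(path, meta.version);
      }
      walk(meta.dependencies, path + "/");
    }
  })(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({ path, version }));
}

// Decode String.fromCharCode calls with decimal literal arguments so strings hidden
// that way (the 4.13.3 style of injection) can be inspected. Heuristic only.
function decodeFromCharCode(text) {
  const re = /String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)/g;
  return [...text.matchAll(re)].map((m) =>
    String.fromCharCode(...m[1].split(",").map(Number)));
}

// True if a built browser asset names the indicator host in plain or decoded form.
function referencesIndicatorHost(text) {
  return [text, ...decodeFromCharCode(text)]
    .some((s) => s.toLowerCase().includes(INDICATOR_HOST));
}

// Constructed sample lockfile (v3 layout), not taken from any real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/art-template": { version: "4.13.4" },
  "node_modules/widget/node_modules/art-template": { version: "4.13.6" },
} };
console.log(findInjectedArtTemplate(SAMPLE_LOCK));
```

Because the injection affects browser-side consumers, run the asset check over the bundles actually served to users, not only over `node_modules`.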