- Attackers published 27 packages to the npm registry to host browser-based phishing lures that harvest credentials.
- The campaign targeted sales and commercial staff at critical-infrastructure-adjacent firms across the U.S. and allied countries and hard-coded 25 specific email addresses.
- Packages used client-side HTML/JavaScript, CDN Hosting, bot and Sandbox evasion, obfuscation, and hidden honeypot fields to resist analysis.
- Defenses include strict dependency verification, logging unusual CDN requests, phishing-resistant MFA, and post-authentication monitoring.
Security researchers disclosed a sustained spear-phishing operation that uploaded 27 packages to the npm registry to host credential-harvesting lures targeting sales and commercial staff at critical infrastructure–adjacent organizations in the U.S. and allied nations, researchers Nicholas Anderson and Kirill Boychenko said. “A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations…”
The attackers did not rely on victims installing packages. Instead, they used package CDNs to serve embedded client-side HTML and JavaScript that impersonated secure document portals and redirected victims to Microsoft sign-in pages with email fields pre-filled. Package names included items such as “onedrive-verification” and “secure-docs-app” among a total of 27 uploads.
Packages contained multiple anti-analysis measures: filters for bots, sandbox evasion, mouse or touch input requirements, heavy minification or obfuscation, and hidden honeypot form fields that block automated crawlers. Domains tied to these packages overlap with adversary‑in‑the‑middle phishing infrastructure associated with Evilginx.
Researchers noted the campaign is distinct from prior waves like Beamglea and that delivery methods changed. “This campaign follows the same core playbook, but with different delivery mechanics,” the report said.
The packages contained 25 hard-coded email addresses linked to account managers, sales, and business development representatives across manufacturing, industrial automation, plastics, polymer supply chains, and healthcare in multiple countries. How attackers collected the emails is unknown, though trade-show attendee lists and open-web reconnaissance are suspected.
To reduce risk, organizations should enforce strict dependency verification, log unusual CDN requests from non-development contexts, require phishing-resistant multi-factor authentication, and monitor for suspicious post-authentication events. Observers also reported a broader rise in destructive Malware across npm, PyPI, NuGet Gallery, and Go module indexes that use delayed execution and remote kill switches, as Kush Pandya said. “Rather than encrypting disks or indiscriminately destroying files, these packages tend to operate surgically,” he added. “They delete only what matters to developers: Git repositories, source directories, configuration files, and CI build outputs.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- BRICS Sell $28.8B in Treasuries as Dollar Faces Risks (2026)
- 66k ETH Borrow Adds $121M to Trend Research’s Wallet Boosted
- Bitcoin drops below $88K, altcoins fall as futures slide now
- CVE-2025-14847 ‘MongoBleed’ exposes 87,000 MongoDB Worldwide
- US Banks Rush Into Blockchain; 14 Building Bitcoin Tools Now
