Cyber Web Spider Blog – News


175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign

Posted on October 10, 2025 By CWS

Oct 10, 2025Ravie LakshmananCybercrime / Malware
Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign.
The packages have been collectively downloaded 26,000 times, acting as infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket.
“While the packages’ randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure,” security researcher Kush Pandya said.
The packages have been found to use npm’s public registry and unpkg.com’s CDN to host redirect scripts that route victims to credential harvesting pages. Some aspects of the campaign were first flagged by Security’s Paul McCarty late last month.

Specifically, the library comes fitted with a Python file named “redirect_generator.py” to programmatically create and publish an npm package with the name “redirect-xxxxxx,” where “x” refers to a random alphanumeric string. The script then injects a victim’s email address and custom phishing URL into the package.
Once the package is live on the npm registry, the “malware” proceeds to create an HTML file with a reference to the UNPKG CDN associated with the newly published package (e.g., “unpkg[.]com/[email protected]/beamglea.js”). The threat actor is said to be taking advantage of this behavior to distribute HTML payloads that, when opened, load JavaScript from the UNPKG CDN and redirect the victim to Microsoft credential harvesting pages.
The JavaScript file “beamglea.js” is a redirect script that includes the victim’s email address and the URL to which the victim is navigated in order to capture their credentials. Socket said it found more than 630 HTML files that masquerade as purchase orders, technical specifications, or project documents.
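
For defenders triaging HTML attachments, the traits described above (a script loaded from UNPKG, a package named “redirect-xxxxxx”, a file named “beamglea.js”) can be checked mechanically. The following is an added example, not code from Socket or from the campaign; the function names are hypothetical, the six-character name length is an assumption read off the “redirect-xxxxxx” pattern, and the sample HTML is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: "redirect-xxxxxx" means six lowercase alphanumerics, optionally
# followed by an @version segment as in the article's unpkg example.
PKG_RE = re.compile(r"^redirect-[a-z0-9]{6}(@[^/]+)?$")
CDN_HOSTS = {"unpkg.com", "www.unpkg.com"}
PAYLOAD_NAME = "beamglea.js"


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def beamglea_indicators(html_text):
    """Return (src, reasons) for each script reference matching the pattern."""
    collector = ScriptSrcCollector()
    collector.feed(html_text)
    hits = []
    for src in collector.sources:
        # Prefix bare "host/path" values so urlparse sees a network location.
        url = urlparse(src if "//" in src else "//" + src)
        if (url.hostname or "").lower() not in CDN_HOSTS:
            continue
        parts = [p for p in url.path.split("/") if p]
        reasons = []
        if parts and PKG_RE.match(parts[0].lower()):
            reasons.append("package name matches redirect-xxxxxx")
        if parts and parts[-1].lower() == PAYLOAD_NAME:
            reasons.append("loads beamglea.js")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed sample attachment; the package name is made up for this example.
SAMPLE = """<html><body><script src="https://unpkg.com/redirect-ab12cd@1.0.0/beamglea.js"></script>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script></body></html>"""
```

Calling `beamglea_indicators(SAMPLE)` flags only the first script reference; ordinary UNPKG library loads such as the second one are left alone.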

In other words, the npm packages are not designed to execute malicious code upon installation. Instead, the campaign leverages npm and UNPKG for hosting the phishing infrastructure. It is currently not clear how the HTML files are distributed, although it is possible they are propagated via emails that trick recipients into launching the specially crafted HTML files.
“When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim’s email address via URL fragment,” Socket said.
“The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them. This pre-filled credential significantly increases the attack’s success rate by reducing victim suspicion.”

The findings once again highlight the ever-evolving nature of threat actors who are constantly adapting their techniques to stay ahead of defenders, who are also constantly developing new techniques to detect them. In this case, it underscores the abuse of legitimate infrastructure at scale.
“The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector,” Pandya said. “Developers who install these packages see no malicious behavior, but victims opening specially crafted HTML files are redirected to phishing sites.”
“By publishing 175 packages across 9 accounts and automating victim-specific HTML generation, the attackers created a resilient phishing infrastructure that costs nothing to host and leverages trusted CDN services. The combination of npm’s open registry, unpkg.com’s automatic serving, and minimal code creates a reproducible playbook that other threat actors will adopt.”

The Hacker News Tags: Campaign, Credential, Downloads, Malicious, NPM, Packages, Phishing
