Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
npm Packages Exploited to Form DDoS Botnet

npm Packages Exploited to Form DDoS Botnet

Posted on July 14, 2026 By CWS

In May, a set of 148 npm packages masquerading as student web proxies were utilized to transform browsers into a distributed denial-of-service (DDoS) botnet, according to a recent study by JFrog. This campaign exploited the npm registry to host compromised proxy sites, leveraging students who bypassed school web filters to generate attack traffic.

Exploitation of Npm Packages

These malicious packages, branded with names such as charlie-kirk and ilovefemboys, included a proxy app called ‘Lucide.’ Outwardly, they functioned as web proxies to help students access blocked content. However, in the background, a remote code loader and a WebSocket flood generator targeting the Wisp protocol were activated, turning unsuspecting browsers into a botnet.

Unlike typical threats that activate upon installation, these packages did not contain lifecycle hooks or native build scripts, and remained dormant until a page was opened in a browser. This approach bypassed traditional build pipelines, posing a unique challenge to developers and network administrators.

Technical Insights and Impact

The operation was initially misclassified as adware and registry abuse by SafeDep in May, but JFrog’s deeper analysis revealed a more sophisticated campaign. They unraveled a complex script, over 20,600 lines long, from a singular JavaScript line. This script executed a two-pronged DDoS attack, utilizing both an HTTP flood and a WebSocket-based method targeting the Wisp protocol.

The HTTP flood generated excessive traffic directed at a legitimate domain, while the WebSocket attack established numerous connections to a server, overwhelming it with requests. These actions exploited the wisp-server-node’s vulnerabilities, causing resource exhaustion and server instability.

Response and Future Implications

In response to this threat, many of the compromised packages were removed from npm, replaced with security placeholders. JFrog advises network administrators to block the associated domains and clear any residual browser caches. The potential for reactivation remains, as the malicious code can be re-enabled with minimal effort.

This incident highlights the ongoing risks associated with public code repositories being used as free content delivery networks. It underscores the need for enhanced security measures and vigilance within the software development community to prevent similar exploits in the future.

As the situation develops, The Hacker News is in contact with JFrog to gather further insights into the botnet’s scale and the specifics of the WebSocket attack.

The Hacker News Tags:Botnet, Cybersecurity, DDoS, GitHub, Hacking, JavaScript, JFrog, network security, NPM, Security, Software, Vulnerability, web proxies, Wisp protocol

Post navigation

Previous Post: Jscrambler Packages Compromised in Supply Chain Breach
Next Post: Valarian Secures $50M for Innovative Infrastructure Layer

Related Posts

ShadowLeak Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent ShadowLeak Zero-Click Flaw Leaks Gmail Data via OpenAI ChatGPT Deep Research Agent The Hacker News
Cybersecurity Threats: SMS Blaster, OpenEMR, and Roblox Hacks Cybersecurity Threats: SMS Blaster, OpenEMR, and Roblox Hacks The Hacker News
North Korea-Linked Hackers Target Developers via Malicious VS Code Projects North Korea-Linked Hackers Target Developers via Malicious VS Code Projects The Hacker News
Zero-Day Exploits, Developer Malware, IoT Botnets, and AI-Powered Scams Zero-Day Exploits, Developer Malware, IoT Botnets, and AI-Powered Scams The Hacker News
Why Critical Infrastructure Needs Stronger Security Why Critical Infrastructure Needs Stronger Security The Hacker News
ShinyHunters Exploit Oracle Zero-Day to Target Universities ShinyHunters Exploit Oracle Zero-Day to Target Universities The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver
  • Valarian Secures $50M for Innovative Infrastructure Layer
  • npm Packages Exploited to Form DDoS Botnet

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • UK Issues Alert on Russian Cyber Threats to Networks
  • SAP Addresses Major Security Flaws in NetWeaver and More
  • Canadian Cybersecurity Leaders Shine at Web Summit Vancouver
  • Valarian Secures $50M for Innovative Infrastructure Layer
  • npm Packages Exploited to Form DDoS Botnet

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark