Researchers say attackers used trusted developer platforms to host browser-based phishing lures.
Security researchers disclosed a spear-phishing campaign that abused the npm registry, the public repository for JavaScript packages, by publishing 27 malicious packages. While npm packages are typically software components that developers install and reuse, these were created solely to host phishing content rather than to provide any legitimate functionality. According to reporting by The Hacker News, the packages were uploaded over several months from multiple npm aliases and served HTML and JavaScript pages that impersonated document-sharing portals and Microsoft sign-in pages. Victims were redirected into credential-harvesting flows with pre-filled email addresses, allowing attackers to capture login details without distributing traditional malware.
Instead of relying on dedicated phishing domains, the attackers repurposed the content delivery networks (CDNs) that serve npm package files to host their lures, which made the infrastructure harder to disrupt. The malicious packages included client-side checks to block automated analysis, such as filtering bots, avoiding sandboxes, and requiring mouse or touch interaction before continuing. Researchers also found hidden form fields meant to trap crawlers and prevent security scanners from advancing through the attack flow. Some of the embedded domains overlapped with adversary-in-the-middle (AitM) phishing infrastructure linked to Evilginx, suggesting the campaign was built to capture session material as well as passwords.
Researchers said the campaign targeted sales and commercial staff at organizations tied to manufacturing, industrial automation, plastics, and healthcare across multiple countries. They noted that the packages hard-coded specific email addresses associated with individual employees, which indicates a focused approach rather than broad spam distribution. The researchers also said the activity followed patterns seen in earlier npm abuse campaigns but differed in how the phishing logic was fully embedded within browser-executed code delivered through package CDNs.
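The package characteristics described above (HTML-only content with no code entry point, a pre-filled email field next to a password field, visually hidden honeypot inputs, and interaction gating) can be turned into a static check that a registry mirror or a CI dependency review could run over package contents. The following scanner is an added example written for this article, not code from the researchers or from npm; the package contents, indicator names and weights are constructed assumptions, and the threshold is a starting point rather than a calibrated value.

```python
"""Heuristic scanner for npm package contents that look like hosted phishing lures.

Added example with constructed sample data. Packages are represented as a dict
mapping relative file path -> file text, as a registry mirror or CI step would
have after unpacking a tarball.
"""
import json
import re
from html.parser import HTMLParser

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Brand and prompt strings typical of sign-in and document-sharing lures (assumed list).
BRAND_RE = re.compile(r"\b(microsoft|office ?365|sharepoint|onedrive|sign ?in)\b", re.I)
# Listeners that gate the flow on a human pointer/touch event.
GATING_RE = re.compile(r"addEventListener\(\s*['\"](mousemove|touchstart|click)['\"]", re.I)

# Assumed weights; tune against your own corpus of packages.
WEIGHTS = {
    "prefilled_email": 3,
    "password_field": 2,
    "hidden_honeypot_field": 2,
    "interaction_gating": 2,
    "html_only_package": 2,
    "no_entry_point": 1,
    "brand_strings": 1,
}
LURE_THRESHOLD = 6


class _InputCollector(HTMLParser):
    """Collects the attributes of every <input> tag in a document."""

    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.inputs.append({k: (v or "") for k, v in attrs})


def inspect_html(source):
    """Return the set of form-level indicators found in one HTML document."""
    parser = _InputCollector()
    parser.feed(source)
    found = set()
    for inp in parser.inputs:
        kind = inp.get("type", "text").lower()
        style = inp.get("style", "").replace(" ", "").lower()
        if kind == "password":
            found.add("password_field")
        if kind in ("email", "text") and EMAIL_RE.search(inp.get("value", "")):
            found.add("prefilled_email")
        # A visually hidden input that is not type=hidden is a crawler trap, not a CSRF token.
        if kind != "hidden" and ("display:none" in style or "visibility:hidden" in style):
            found.add("hidden_honeypot_field")
    return found


def scan_package(files):
    """Score a package; returns (score, sorted indicator names)."""
    indicators = set()
    html_files = [p for p in files if p.lower().endswith((".html", ".htm"))]
    js_files = [p for p in files if p.lower().endswith((".js", ".mjs", ".cjs"))]
    if html_files and not js_files:
        indicators.add("html_only_package")
    try:
        meta = json.loads(files.get("package.json", "{}"))
    except json.JSONDecodeError:
        meta = {}
    if html_files and not meta.get("main") and not meta.get("exports"):
        indicators.add("no_entry_point")
    for path in html_files:
        indicators |= inspect_html(files[path])
    for path in html_files + js_files:
        src = files[path]
        if GATING_RE.search(src):
            indicators.add("interaction_gating")
        if BRAND_RE.search(src):
            indicators.add("brand_strings")
    score = sum(WEIGHTS.get(name, 1) for name in indicators)
    return score, sorted(indicators)


def is_lure(files):
    return scan_package(files)[0] >= LURE_THRESHOLD


# Constructed sample packages (not real npm packages).
LURE_PACKAGE = {
    "package.json": '{"name": "constructed-lure-example", "version": "1.0.0"}',
    "index.html": (
        "<html><body><h1>Microsoft</h1><p>Sign in to view the shared document</p>"
        '<form><input type="email" name="login" value="user@example.com">'
        '<input type="password" name="passwd">'
        '<input type="text" name="website" style="display: none">'
        "<button>Next</button></form>"
        '<script>document.addEventListener("mousemove", function () {'
        ' document.body.dataset.human = "1"; });</script></body></html>'
    ),
}
BENIGN_PACKAGE = {
    "package.json": '{"name": "constructed-benign-lib", "version": "2.3.1", "main": "index.js"}',
    "index.js": "module.exports = function add(a, b) { return a + b; };",
}

if __name__ == "__main__":
    for name, pkg in (("lure", LURE_PACKAGE), ("benign", BENIGN_PACKAGE)):
        print(name, scan_package(pkg), "lure" if is_lure(pkg) else "ok")
```

The check deliberately ignores `type="hidden"` inputs, which legitimate forms use for tokens, and only treats visually hidden text inputs as honeypots; a single indicator such as brand strings is not enough on its own, which is why the score combines several weak signals before a package is flagged for manual review.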
According to WebProNews, the malicious npm packages tied to this campaign are part of a longer-running pattern rather than a one-off abuse. In October 2025, security teams uncovered a related operation known as “Beamglea,” which involved 175 npm packages designed to steal credentials. Software supply chain experts say these incidents show how easily attackers can exploit open-source registries, where publishing code requires little oversight. In the latest case, the packages did not deploy malware directly on users’ systems. Instead, they used npm’s own infrastructure to host static phishing pages, a tactic that makes the activity harder to spot because it avoids behaviors that traditional antivirus tools are designed to detect.
Trusted developer platforms provide resilient hosting, benefit from an established reputation, and are less likely to be blocked by default security controls.
The packages were not installed on victims' systems. They were used to host web content that runs in the browser, so victims only needed to visit a phishing page that loaded the malicious resources.
CDN traffic from well-known platforms often appears legitimate, and client-side checks can prevent sandboxes or scanners from seeing the full phishing flow.
Researchers identified sales, account management, and business development staff in sectors tied to manufacturing, healthcare, and industrial supply chains.
Defenders can monitor unexpected CDN traffic, restrict access to developer resources from non-development systems, enforce phishing-resistant authentication, and review dependency usage policies.
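The first of those controls, monitoring for npm CDN traffic from systems that have no reason to fetch packages, can be expressed as a simple rule over proxy logs: flag requests to package CDN hosts from hosts outside a developer allowlist, and raise the severity when the requested file is an HTML page rather than a script. The detector below is an added example, not code from the article or from any vendor; the log line format, the developer allowlist and the log entries are constructed, and the CDN host list assumes unpkg.com and cdn.jsdelivr.net, two public CDNs that serve npm package files.

```python
"""Flag npm CDN fetches from non-developer hosts in proxy logs.

Added example with a constructed log format:
    <timestamp> <source-host> <method> <url>
"""
import re
from collections import Counter

# Public CDNs that serve files straight out of npm packages.
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}
# Constructed allowlist of systems expected to pull packages.
DEV_HOSTS = {"build-01", "dev-laptop-07"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) https?://(?P<host>[^/\s]+)(?P<path>/\S*)$"
)


def parse_line(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(lines, dev_hosts=DEV_HOSTS):
    """Return (source_host, url, reason) tuples for suspicious CDN fetches."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["host"].lower() not in NPM_CDN_HOSTS:
            continue
        if rec["src"] in dev_hosts:
            continue
        url = rec["host"] + rec["path"]
        if rec["path"].lower().split("?")[0].endswith((".html", ".htm")):
            reason = "HTML page served from npm CDN to non-developer host"
        else:
            reason = "npm CDN fetch from non-developer host"
        alerts.append((rec["src"], url, reason))
    return alerts


def hosts_by_alert_count(alerts):
    """Summarise which non-developer hosts are fetching from npm CDNs."""
    return Counter(src for src, _, _ in alerts)


# Constructed proxy log sample (hostnames and package name are invented).
SAMPLE_LOG = [
    "2025-10-01T09:12:01Z build-01 GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js",
    "2025-10-01T09:13:44Z sales-pc-22 GET https://unpkg.com/constructed-lure-pkg@1.0.0/index.html",
    "2025-10-01T09:13:45Z sales-pc-22 GET https://unpkg.com/constructed-lure-pkg@1.0.0/app.js",
    "2025-10-01T09:14:02Z sales-pc-22 GET https://www.example.com/index.html",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
    print(hosts_by_alert_count(detect(SAMPLE_LOG)))
```

In practice the allowlist would come from asset inventory rather than a literal set, and a build server fetching minified scripts is expected noise; the signal worth paging on is the browser of a sales or account-management workstation loading an HTML document from a package CDN, which is exactly the delivery path this campaign used.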