Close Menu
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
What's Hot

At Starbase, SpaceX is doing its own firefighting.

Chinese hackers have been exploiting ArcGIS Server as a backdoor for over a year

FleetWorks raises $17 million to match truck drivers with freight faster

Facebook X (Twitter) Instagram
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
Facebook X (Twitter) Instagram
Fyself News
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
Fyself News
Home » 175 malicious npm packages with 26,000 downloads used in credential phishing campaign
Identity

175 malicious npm packages with 26,000 downloads used in credential phishing campaign

userBy userOctober 10, 2025No Comments3 Mins Read
Share Facebook Twitter Pinterest Telegram LinkedIn Tumblr Email Copy Link
Follow Us
Google News Flipboard
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

October 10, 2025Ravi LakshmananCybercrime/Malware

Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that were used to facilitate credential harvesting attacks as part of an unusual campaign.

According to Socket, these packages were downloaded a total of 26,000 times and serve as the infrastructure for a widespread phishing campaign codenamed “Beamglea” that targeted more than 135 industrial, technology, and energy companies around the world.

“Since the names of the packages are randomized, it is unlikely that developers will accidentally install them, but the download count is likely to include security researchers, automated scanners, and CDN infrastructure that analyze the packages after publication,” said security researcher Kush Pandya.

This package is known to host a redirect script that uses npm’s public registry and unpkg.com’s CDN to route victims to a credential collection page. Some aspects of the campaign were first flagged by safety Paul McCarty late last month.

DFIR retainer service

Specifically, this library comes with a Python file named “redirect_generator.py” that allows you to programmatically create and publish npm packages named “redirect-xxxxxx”. “x” refers to a random alphanumeric string. The script then inserts the victim’s email address and a custom phishing URL into the package.

Once a package is published on the npm registry, the “malware” begins creating HTML files containing references to the UNPKG CDN associated with the newly published package (e.g. “unpkg”[.]com/redirect-xs13nr@1.0.0/beamglea.js”). The attacker allegedly uses this behavior to distribute an HTML payload that, when opened, loads JavaScript from the UNPKG CDN and redirects the victim to a Microsoft credential harvesting page.

The JavaScript file “beamglea.js” is a redirect script that contains the victim’s email address and the URL the victim should go to to obtain their credentials. Socket said it discovered more than 630 HTML files disguised as purchase orders, technical specifications or project documents.

This means that npm packages are not designed to run malicious code when installed. Instead, the campaign leverages npm and UNPKG to host the phishing infrastructure. It is not currently clear how the HTML file is distributed, but it is possible that the HTML file could be propagated via email that tricks the recipient into launching a specially crafted HTML file.

“When a victim opens these HTML files in a browser, the JavaScript immediately redirects them to the phishing domain, passing the victim’s email address via a URL fragment,” Socket said.

“The phishing page then pre-populates the email field to make it appear as if the victim is accessing a legitimate login portal where they already know themselves. These pre-filled credentials reduce the victim’s suspicions and significantly increase the success rate of the attack.”

CIS build kit

This finding once again highlights the evolving nature of threat actors, who are constantly adapting their techniques to stay ahead of defenders and constantly developing new techniques to detect attackers. This case highlights the large-scale misuse of legitimate infrastructure.

“The npm ecosystem becomes an unconscious infrastructure rather than a direct attack vector,” says Pandya. “While developers who install these packages do not see any malicious behavior, victims who open specially crafted HTML files are redirected to a phishing site.”

“By publishing 175 packages across nine accounts and automating victim-specific HTML generation, the attackers created a resilient phishing infrastructure that has no hosting costs and leverages a trusted CDN service. The combination of npm’s open registry, unpkg.com’s automated serving, and minimal code creates a reproducible playbook that other threat actors can adopt.”


Source link

#BlockchainIdentity #Cybersecurity #DataProtection #DigitalEthics #DigitalIdentity #Privacy
Follow on Google News Follow on Flipboard
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Previous ArticleStart searching for planets similar to Earth
Next Article What is the difference between the top tier platforms?
user
  • Website

Related Posts

Chinese hackers have been exploiting ArcGIS Server as a backdoor for over a year

October 14, 2025

How Threat Hunting Builds Readiness

October 14, 2025

A single 8-byte write shatters AMD’s SEV-SNP Confidential Computing security

October 14, 2025
Add A Comment
Leave A Reply Cancel Reply

Latest Posts

At Starbase, SpaceX is doing its own firefighting.

Chinese hackers have been exploiting ArcGIS Server as a backdoor for over a year

FleetWorks raises $17 million to match truck drivers with freight faster

Aquawise unveils AI-powered water quality technology at TechCrunch Disrupt 2025

Trending Posts

Subscribe to News

Subscribe to our newsletter and never miss our latest news

Please enable JavaScript in your browser to complete this form.
Loading

Welcome to Fyself News, your go-to platform for the latest in tech, startups, inventions, sustainability, and fintech! We are a passionate team of enthusiasts committed to bringing you timely, insightful, and accurate information on the most pressing developments across these industries. Whether you’re an entrepreneur, investor, or just someone curious about the future of technology and innovation, Fyself News has something for you.

Revolutionize Your Workflow: TwinH Automates Tasks Without Your Presence

FySelf’s TwinH Unlocks 6 Vertical Ecosystems: Your Smart Digital Double for Every Aspect of Life

Beyond the Algorithm: How FySelf’s TwinH and Reinforcement Learning are Reshaping Future Education

Meet Your Digital Double: FySelf Unveils TwinH, the Future of Personalized Online Identity

Facebook X (Twitter) Instagram Pinterest YouTube
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
© 2025 news.fyself. Designed by by fyself.

Type above and press Enter to search. Press Esc to cancel.