Cybersecurity researchers have revealed details of what they say is a “persistent and targeted” spear-phishing campaign that published more than 20 packages in the npm registry to facilitate credential theft.
According to Socket, the activity uploaded 27 npm packages under six different npm aliases and primarily targeted sales personnel at organizations adjacent to critical infrastructure in the United States and allied countries.
“Five months of operation turned 27 npm packages into durable hosting for document-sharing portals and browser-running lures that mimic Microsoft sign-in, targeting 25 organizations in manufacturing, industrial automation, plastics, and healthcare for credential theft,” researchers Nicholas Anderson and Kirill Boychenko said in a statement.
The names of the packages are listed below –
- Adryl 7123
- Ardryl 712
- arrdril712
- android voice
- rich in assets
- deprivation
- confirmation
- Realization
- error
- elucidation
- hgfiuythdjfhgff
- Homielsula
- Whimlog 22
- iuythdjfghgff
- iuythdjfhgff
- iuythdjfhgffdf
- iuythdjfhgffs
- iuythdjfhgffyg
- jwoiesk11
- module 9382
- onedrive-verification
- Sir Drill 712
- scriptstellium 11
- Secure document app
- sync 365
- Ferrous
- vamp rail
The ultimate goal of this campaign is to repurpose npm and package content delivery networks (CDNs) as hosting infrastructure: rather than requiring users to install packages, the attacker uses them to deliver client-side HTML and JavaScript lures that masquerade as secure document-sharing portals and are embedded directly in phishing pages. Victims are then redirected to a Microsoft sign-in page with their email address pre-filled in the form.
There are several advantages to using a package CDN. Its biggest advantage is that it can transform legitimate distribution services into takedown-resistant infrastructure. Furthermore, even if the library is pulled, an attacker can easily switch to another publisher’s alias or package name.
The packages have been found to include various client-side checks that hinder analysis, such as bot filtering, sandbox evasion, and requiring mouse or touch input before directing victims to threat actor-controlled credential harvesting infrastructure. The JavaScript code is also obfuscated or minified to make automated inspection more difficult.
Another important anti-analysis control employed by the threat actors is the use of honeypot form fields that are not visible to real users but are likely to be filled in by crawlers. If such a field is filled in, the phishing flow stops, which acts as a second layer of defense for the attacker's infrastructure and prevents the attack from progressing further.

Socket said the domains packed into these packages overlap with adversary-in-the-middle (AitM) phishing infrastructure associated with the open source phishing kit Evilginx.
This isn’t the first time npm has been turned into phishing infrastructure. Back in October 2025, a software supply chain security firm detailed a campaign called Beamglea in which an unknown attacker uploaded 175 malicious packages for a credential harvesting attack. The latest attack wave is assessed to be distinct from Beamglea.
“This campaign follows the same core strategy but has a different delivery mechanism,” Socket said. “Instead of shipping a minimal redirect script, these packages provide a self-contained phishing flow that runs in the browser as an embedded HTML and JavaScript bundle that executes when loaded into the page context.”
In addition, the phishing package was found to hardcode 25 email addresses associated with specific individuals working as account managers, sales representatives, and business development representatives in the manufacturing, industrial automation, plastics and polymer supply chain, and healthcare sectors in Austria, Belgium, Canada, France, Germany, Italy, Portugal, Spain, Sweden, Taiwan, Turkey, the United Kingdom, and the United States.
It is currently unknown how the attacker obtained the email addresses. However, given that many of the targeted companies cluster around major international trade shows such as Interpack and K-Fair, we suspect the attackers may have pulled information from these sites and combined it with general open web reconnaissance.
“In some cases, the target location is different from the company’s headquarters. This is consistent with attackers focusing on regional sales staff, country managers, and local sales teams, rather than just the company’s IT,” the company said.
To counter the risk posed by this threat, it is essential to enforce strict dependency validation, log anomalous CDN requests from non-development contexts, enforce phishing-resistant multi-factor authentication (MFA), and monitor for suspicious post-authentication events.
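One way to act on the second of those recommendations is to scan web proxy logs for package-CDN requests that return a browser document (HTML) to users outside development groups, since the lure described above is served exactly this way. This is an added illustration, not Socket's tooling; the log format, the user groups, the package names in the URLs and the CDN host list are all constructed assumptions for the example.

```python
import re
from collections import Counter

# Public mirrors that serve raw npm package files to browsers (assumption:
# extend this set with whatever package CDNs your proxy actually sees).
PACKAGE_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}

# Groups for which package-CDN traffic is expected (assumption for the example).
DEV_GROUPS = {"dev", "platform"}

# Constructed sample proxy log: user group method url status content-type.
# Package names below are made up and do not refer to real packages.
SAMPLE_LOG = """\
alice dev GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 200 application/javascript
bob sales GET https://unpkg.com/example-docs-portal@1.0.2/index.html 200 text/html
carol dev GET https://unpkg.com/react@18.2.0/umd/react.production.min.js 200 application/javascript
dave sales GET https://cdn.jsdelivr.net/npm/example-sync-app@0.0.1/portal.html 200 text/html
erin hr GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize 200 text/html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+)$")
HOST_RE = re.compile(r"https?://([^/]+)/")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    user, group, method, url, status, ctype = m.groups()
    host = HOST_RE.match(url)
    return {"user": user, "group": group, "method": method, "url": url,
            "host": host.group(1) if host else "", "status": int(status), "ctype": ctype}


def is_suspicious(rec):
    """Flag a package-CDN request that delivers HTML to a non-developer user."""
    if rec is None or rec["host"] not in PACKAGE_CDN_HOSTS:
        return False
    serves_document = rec["ctype"].startswith("text/html") or rec["url"].lower().endswith(".html")
    return serves_document and rec["group"] not in DEV_GROUPS


def find_suspicious(log_text):
    """Return the parsed records that trip the heuristic, in log order."""
    return [r for r in map(parse_line, log_text.splitlines()) if is_suspicious(r)]


def summarize(log_text):
    """Count flagged requests per user, e.g. to prioritise who to contact first."""
    return Counter(h["user"] for h in find_suspicious(log_text))
```

Hits from this heuristic are a triage signal, not proof of compromise; pair them with the post-authentication monitoring the article also recommends.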
This development comes after Socket observed a steady rise in destructive malware across npm, PyPI, NuGet Gallery, and Go module indexes that uses techniques such as deferred execution and remote-controlled kill switches to evade early detection, and fetches executable code at runtime using standard tools such as wget and curl.

“These packages tend to operate surgically rather than encrypting disks or destroying files indiscriminately,” researcher Kush Pandya said.
“We only remove what’s important to developers: Git repositories, source directories, configuration files, and CI build output. We often embed this logic in other functional code paths and rely on standard lifecycle hooks for execution, which means the malware may not need to be explicitly imported or called by the application itself.”