A new cybersecurity investigation has uncovered a large campaign involving 148 malicious npm packages that pretended to be harmless student web proxy tools. Security researchers at JFrog found that these packages were not designed to attack developers who downloaded them. Instead, they targeted students and other users who opened the proxy websites, secretly turning their browsers into part of a Distributed Denial-of-Service (DDoS) botnet without their knowledge. This activity remained active for nearly two weeks during May 2026.

npm-logo-malicious-package-ddos-botnet-browser-attack

The fake packages were published under different names and promoted as student proxy services that could bypass school internet restrictions. They appeared to work normally by allowing access to blocked websites and online games, making them seem completely legitimate. Behind the scenes, however, the websites loaded hidden malicious code into visitors’ browsers. Anyone using these proxy sites unknowingly became part of a network used to launch cyberattacks.

Unlike many software supply chain attacks, this campaign did not execute malicious code when the npm package was installed. The attackers used the npm registry only to host the fake proxy applications. The harmful code became active only after someone visited the proxy website in a web browser. This allowed the campaign to avoid many traditional security tools that mainly scan packages for threats during installation.

github-remote-script-loader-malicious-code-browser-botnet

JFrog discovered that the proxy applications included a remote script loader connected to a GitHub repository through a content delivery network. Because the loader pointed to a changeable branch instead of a fixed version, the attackers could update the malicious code whenever they wanted without publishing a new package. This gave them continuous control over the browsers of people visiting the proxy websites.

Researchers also found two different attack methods hidden inside the campaign. One generated a continuous stream of HTTP requests that could overwhelm a target server with traffic. The second opened multiple WebSocket connections using the Wisp protocol, forcing remote servers to create and close thousands of connections every second. This consumed server resources and could make affected services unstable or unavailable.

clear-browser-cache-security-cleanup-after-malware

The investigation showed that the campaign first appeared as adware before evolving into a more dangerous operation. During mid-May, the attackers added the remote loader and DDoS features. Later, after security researchers began investigating the activity, they removed the visible attack modules from newer versions. However, because the remote loader remained in place, the operators still had the ability to reactivate malicious functions whenever they wanted.

Most of the malicious npm packages have now been removed from the npm registry and replaced with security placeholder packages. However, researchers noted that some versions were still available when the investigation was published. JFrog advised organizations, especially schools and businesses where these proxy tools are commonly used, to block the campaign’s related domains, remove the affected packages from development environments, and clear browser cache, local storage, and any service workers left behind by the fake proxy websites.

browser-security-web-application-protection-cybersecurity

This incident highlights a growing change in cybercriminal tactics. Instead of attacking software developers directly, the attackers targeted ordinary web users through browser-based applications hosted on trusted platforms. Because the malicious code was activated only after the websites were opened, many existing security defenses were unable to detect it. The research serves as an important reminder that even trusted software repositories can be abused, making continuous monitoring and browser security just as important as protecting software development environments.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news