Cybersecurity researchers have uncovered a phishing campaign that abused the npm package registry to steal login credentials. The operation involved 27 malicious npm packages created specifically for phishing purposes. These packages were not designed to provide useful code to developers. Instead, they were used as hosting infrastructure for credential-stealing pages.
The campaign remained active for nearly five months before being fully identified. During this time, attackers created multiple npm accounts to publish the malicious packages. The packages were carefully named to appear legitimate and harmless. Their low download counts helped them avoid early detection.
Rather than targeting developers directly, the attackers used npm’s infrastructure to host phishing pages. Victims who clicked phishing links were redirected to web content served through these npm packages. The hosted pages impersonated trusted services such as document-sharing portals and Microsoft login pages. This made the attack appear credible to users.
Once victims reached the phishing pages, the attack flow was designed to build trust. In many cases, email addresses were pre-filled on the fake login forms. This made the pages look personalized and legitimate. When victims entered their passwords, the credentials were silently collected by the attackers.
Researchers found that the campaign mainly targeted employees in organizational and commercial roles. Industries of interest included manufacturing, industrial automation, healthcare, and plastics. Many of the targeted individuals were based in the United States and allied countries. This indicates a focus on corporate credentials rather than personal accounts.
The 27 malicious npm packages included names such as adril7123, assetslush, onedrive-verification, secure-docs-app, sync365, and vampuleerl. These names were chosen to resemble real services or internal tools. The packages were not intended to be installed as dependencies. Their primary purpose was to host phishing content.
Unlike traditional npm supply-chain attacks, this campaign did not rely on malicious code execution. Developers did not need to install the packages for the attack to work. Instead, npm was misused as a trusted web hosting platform. This allowed the phishing pages to run directly in users’ browsers.
Security experts warn that abusing trusted platforms makes phishing attacks harder to detect. Users and security systems may be less suspicious of content hosted on well-known services. Organizations are advised to strengthen phishing awareness, monitor suspicious package activity, and enforce multi-factor authentication. The incident highlights how trusted ecosystems can still be exploited by attackers.
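For teams that monitor package activity, the traits described above (a package that ships a login page but nothing installable as a dependency, with a pre-filled email field) can be checked on an unpacked tarball. The following is an added example, not code from the researchers or from npm; the sample packages are constructed, and treating the URL fragment or query string as the prefill source is an assumption.

```python
import json
from html.parser import HTMLParser

ENTRY_KEYS = ("main", "exports", "module", "bin")   # manifest fields that expose code
PREFILL_MARKERS = ("location.hash", "URLSearchParams")  # assumed prefill mechanism

class FormScan(HTMLParser):
    """Counts password inputs in one HTML document."""
    def __init__(self):
        super().__init__()
        self.password_inputs = 0
    def handle_starttag(self, tag, attrs):
        if tag == "input" and (dict(attrs).get("type") or "").lower() == "password":
            self.password_inputs += 1

def triage_package(files):
    """files: path -> text of an unpacked tarball. Returns a list of findings."""
    findings = []
    manifest = json.loads(files.get("package.json", "{}"))
    # npm falls back to index.js when "main" is absent, so check for that too.
    if not any(k in manifest for k in ENTRY_KEYS) and "index.js" not in files:
        findings.append("no-code-entry-point")
    for path, text in sorted(files.items()):
        if not path.lower().endswith((".html", ".htm")):
            continue
        scan = FormScan()
        scan.feed(text)
        if scan.password_inputs:
            findings.append(f"password-form:{path}")
            if any(m in text for m in PREFILL_MARKERS):
                findings.append(f"url-prefill:{path}")
    return findings

def is_hosting_shell(files):
    """True when a package ships a login form but nothing importable."""
    f = triage_package(files)
    return "no-code-entry-point" in f and any(x.startswith("password-form:") for x in f)

# Constructed samples (not taken from the real packages).
SHELL = {
    "package.json": '{"name": "example-docs-portal", "version": "1.0.0"}',
    "index.html": '<form><input type="email" id="e"><input type="password"></form>'
                  '<script>document.getElementById("e").value = location.hash.slice(1)</script>',
}
LIBRARY = {
    "package.json": '{"name": "example-lib", "version": "2.1.0", "main": "lib/index.js"}',
    "lib/index.js": "module.exports = () => 42;",
    "docs/demo.html": "<h1>Demo</h1><input type='text'>",
}

if __name__ == "__main__":
    for name, pkg in (("SHELL", SHELL), ("LIBRARY", LIBRARY)):
        print(name, is_hosting_shell(pkg), triage_package(pkg))
```

A hit is a triage signal for manual review, not a verdict: legitimate packages can ship demo pages, which is why the check requires both the missing entry point and the password form.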
Stay alert, and keep your security measures updated!



