Security researchers have uncovered a large-scale phishing campaign that used the npm ecosystem to host and distribute malicious code. A total of 175 npm packages were found to be part of the operation, with over 26,000 combined downloads. These packages were designed to redirect users to fake login pages that could steal their credentials. The campaign has been named “Beamglea” by researchers.

The malicious packages were uploaded to npm’s public registry and reached victims through the unpkg CDN. Instead of infecting the systems of developers who installed them, the packages acted as redirect tools that sent users from harmless-looking HTML files to phishing websites. The attackers took advantage of the fact that unpkg automatically serves the files of any public npm package over HTTPS, at a predictable URL built from the package name and version, so a freshly published package is reachable from any web page or HTML attachment within moments of publication.

The attack began when the threat actors published npm packages with throwaway names such as “redirect-xxxxx,” where the suffix was a random string. Once uploaded, these packages became instantly available on unpkg. The attackers then created fake HTML lure files, often disguised as invoices or business documents, whose script tags loaded the JavaScript from unpkg. When victims opened the HTML files in a browser, the embedded scripts redirected them to phishing pages that imitated legitimate login portals.
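The delivery chain described above is easy to recognise in a mail gateway or sandbox, because the only thing a lure file has to contain is a script tag pointing at unpkg.com. The following is an added example, written for this article and not code from the researchers, the attackers or the npm/unpkg projects. It triages a standalone HTML file for that pattern: it pulls out every script loaded from unpkg.com, parses the package name and version out of the URL, and raises the severity when the name matches the “redirect-xxxxx” scheme the campaign used. The sample lure, the package name and the severity labels are constructed for the example.

```javascript
// Added example (not from the original article, nor code from the campaign or
// from npm/unpkg): static triage of a standalone HTML file for the Beamglea
// delivery pattern, i.e. a <script src> that pulls a package straight from
// the unpkg CDN. The sample lure below is constructed; the package name is
// made up and only follows the "redirect-xxxxx" naming the article describes.

const SAMPLE_LURE = [
  '<!doctype html><html><head><title>Invoice 4471</title>',
  '<script src="https://unpkg.com/redirect-ab12cd@1.0.0/index.js"></script>',
  '</head><body><p>Loading document, please wait.</p></body></html>',
].join('\n');

// Matches <script ... src="https://unpkg.com/..."> regardless of attribute order.
const UNPKG_SCRIPT_RE =
  /<script\b[^>]*\bsrc\s*=\s*["']?(https?:\/\/unpkg\.com\/[^"'\s>]+)["']?[^>]*>/gi;

// unpkg URL layout: https://unpkg.com/<name>[@<version>][/<file>]
// (scoped packages look like @scope/name). Returns null if it does not parse.
function parseUnpkgUrl(url) {
  const path = url.replace(/^https?:\/\/unpkg\.com\//, '');
  const m = path.match(/^(@[^/@]+\/[^/@]+|[^/@]+)(?:@([^/]+))?(?:\/(.*))?$/);
  if (!m) return null;
  return { name: m[1], version: m[2] || null, file: m[3] || '' };
}

// Returns one finding per unpkg-hosted script tag, with the reasons it is
// suspicious. A standalone HTML attachment has no business loading third-party
// JavaScript at all, so every hit is reported; the throwaway "redirect-*" name
// pattern from the campaign raises the severity.
function triageHtml(html) {
  const findings = [];
  for (const match of html.matchAll(UNPKG_SCRIPT_RE)) {
    const url = match[1];
    const pkg = parseUnpkgUrl(url);
    const reasons = ['external script loaded from unpkg.com'];
    if (pkg && /^redirect-[a-z0-9]+$/i.test(pkg.name)) {
      reasons.push('throwaway redirect-* package name');
    }
    findings.push({
      url,
      package: pkg ? pkg.name : null,
      version: pkg ? pkg.version : null,
      file: pkg ? pkg.file : null,
      reasons,
    });
  }
  return findings;
}

// Collapses the findings into a single verdict for a mail gateway or sandbox.
// Severity labels are an assumption of this example.
function verdict(findings) {
  if (findings.some((f) => f.reasons.length > 1)) return 'high';
  if (findings.length > 0) return 'medium';
  return 'none';
}

// Stand-alone run: show what the constructed sample lure would be flagged as.
const sampleFindings = triageHtml(SAMPLE_LURE);
console.log(verdict(sampleFindings), JSON.stringify(sampleFindings, null, 2));
```

The “medium” verdict is deliberate: a legitimate web page that loads a library such as React from unpkg.com looks the same to this check, so context matters, and the rule should only be applied to HTML that arrived as an attachment or a shared file, not to pages served from a trusted site. Attackers can also drop the package name pattern at any time, which is why the first reason (any third-party script in a standalone HTML file) is the one to keep.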

Researchers found more than 630 different HTML lure files and nine npm author accounts connected to this campaign. The attack was highly automated, using tools that could quickly create new npm packages and lure files. The level of organization and automation suggested that this was not a simple phishing attempt but a well-planned operation.

Over 135 organizations were targeted, mostly from the industrial, energy, and technology sectors. The campaign focused mainly on companies in Europe and Asia. In many cases, the phishing pages were customized to display the victim’s email address, making the fake login pages seem more convincing.

What makes this attack especially dangerous is its use of trusted infrastructure. Since unpkg and npm are used by developers worldwide, the attackers didn’t need to register domains or host servers of their own: the script was fetched from unpkg.com, a domain with a clean reputation that most organizations cannot block outright without breaking legitimate websites. This made the malicious scripts look legitimate to users and harder for security tools to flag.

Although these npm packages contained no code that ran at install time, so a developer who installed one would not have been compromised by that step alone, they played a key role in delivering the phishing attacks. It remains unclear how the HTML lure files reached the victims, but they were most likely distributed as email attachments or shared files. Once a file was opened in a browser, the redirect happened automatically, leading victims to credential-stealing sites.

Experts advise developers and organizations to stay alert and monitor their systems for unusual activity. Users should avoid opening unknown HTML files, especially those that load external scripts. Security teams are encouraged to rotate access keys, enforce multi-factor authentication, and monitor network traffic for suspicious redirect patterns, such as a request to unpkg.com that is immediately followed by a login page on an unfamiliar domain. This case shows how attackers are finding new ways to misuse trusted developer tools for phishing campaigns.
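The “suspicious redirect pattern” that security teams are told to watch for can be expressed as a simple correlation over proxy logs. The following is an added example, not part of the article and not a vendor’s detection content: it walks through web-proxy records, picks out every fetch of a “redirect-xxxxx” package from unpkg.com, and pairs it with the first host the same client contacted in the next few seconds, which in this campaign would be the phishing page. The log lines, the space-separated “timestamp client host path” layout, the hostnames and the ten-second window are all constructed for the example; map the fields to whatever your proxy actually writes.

```javascript
// Added example (not from the original article or any vendor's product):
// correlating web-proxy records to surface the Beamglea chain, i.e. a client
// fetching a "redirect-*" package from unpkg.com and, moments later, the same
// client landing on some other host, which is where the phishing page lives.
// The log lines and the "<timestamp> <client> <host> <path>" layout are
// constructed for this example; the hostnames are placeholders.

const SAMPLE_PROXY_LOG = [
  '2025-10-01T09:14:02Z 10.1.2.3 unpkg.com /redirect-ab12cd@1.0.0/index.js',
  '2025-10-01T09:14:03Z 10.1.2.3 login-portal.invalid /auth',
  '2025-10-01T09:20:11Z 10.1.2.9 unpkg.com /react@18.2.0/umd/react.production.min.js',
  '2025-10-01T09:20:12Z 10.1.2.9 intranet.corp.invalid /dashboard',
  '2025-10-01T09:31:40Z 10.1.2.3 intranet.corp.invalid /home',
  '2025-10-01T09:45:00Z 10.1.2.7 unpkg.com /redirect-qq77ee@1.0.0/index.js',
];

// Path component of an unpkg URL that names a throwaway redirect package.
const REDIRECT_PKG_RE = /^\/redirect-[a-z0-9]+(?:[@/]|$)/i;

// Parses one log line; returns null for anything that does not fit the layout.
function parseLine(line) {
  const [ts, client, host, path] = line.trim().split(/\s+/);
  if (!ts || !client || !host || !path) return null;
  const time = Date.parse(ts);
  if (Number.isNaN(time)) return null;
  return { time, client, host, path, raw: line };
}

// Returns one finding per suspicious unpkg fetch. `landing` is the first host
// the same client contacted within `windowSec` afterwards that is neither
// unpkg.com nor on the allow list; it is null when no such request follows,
// which is still worth an alert because it means a lure file was opened.
function findRedirectChains(lines, { windowSec = 10, allowHosts = new Set() } = {}) {
  const records = lines.map(parseLine).filter(Boolean).sort((a, b) => a.time - b.time);
  const findings = [];
  records.forEach((rec, i) => {
    if (rec.host !== 'unpkg.com' || !REDIRECT_PKG_RE.test(rec.path)) return;
    let landing = null;
    for (let j = i + 1; j < records.length; j++) {
      const next = records[j];
      if (next.time - rec.time > windowSec * 1000) break; // sorted, so stop here
      if (next.client !== rec.client) continue;
      if (next.host === 'unpkg.com' || allowHosts.has(next.host)) continue;
      landing = { host: next.host, path: next.path, deltaSec: (next.time - rec.time) / 1000 };
      break;
    }
    findings.push({ client: rec.client, packagePath: rec.path, landing });
  });
  return findings;
}

// Stand-alone run over the constructed log, treating the intranet host as known-good.
const demo = findRedirectChains(SAMPLE_PROXY_LOG, {
  allowHosts: new Set(['intranet.corp.invalid']),
});
console.log(JSON.stringify(demo, null, 2));
```

Two caveats apply in practice. The path is only visible when the proxy inspects TLS or logs full URLs; with SNI-only logging you still see the unpkg.com connection but not the package name, so the rule degrades to “unpkg.com fetch followed by a login page on a host nobody in the company visits,” which is noisier but still useful. And, as with the HTML check, the package-name pattern is the part the attackers can change most cheaply, so the landing-page correlation is the signal to keep.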

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news