
27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials

Critical
Phishing
Published: Mon Dec 29 2025 (12/29/2025, 09:44:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical

AI-Powered Analysis

AI analysis last updated: 12/30/2025, 22:12:37 UTC

Technical Analysis

Researchers disclosed a sophisticated spear-phishing campaign involving 27 malicious npm packages uploaded from six different aliases to the npm registry. Instead of traditional malware delivery, these packages are used as hosting infrastructure for client-side phishing lures that impersonate trusted document-sharing portals and Microsoft sign-in pages. The packages deliver obfuscated and minified JavaScript and HTML that execute in the victim’s browser, redirecting them to credential harvesting pages with pre-filled email addresses. The campaign targets sales and commercial staff in critical infrastructure-adjacent sectors such as manufacturing, industrial automation, plastics, and healthcare, focusing on regional sales teams rather than just corporate IT. The attackers use npm’s CDN to host phishing content, which provides resilience against takedown and allows easy switching between aliases and package names. Anti-analysis techniques include filtering out bots and sandboxes, requiring user interaction, and deploying honeypot form fields to trap automated crawlers. The infrastructure overlaps with Evilginx-based adversary-in-the-middle phishing kits, indicating advanced phishing capabilities. The attackers likely gathered targeted email addresses from trade show attendee lists and open-source reconnaissance. This campaign is distinct from a previous large-scale npm-based credential theft campaign (Beamglea) but follows a similar playbook with enhanced delivery mechanics. The threat highlights the abuse of legitimate software supply chain platforms for phishing infrastructure and the increasing sophistication of supply chain and credential theft attacks. Researchers recommend enforcing strict dependency verification, monitoring for anomalous CDN requests, deploying phishing-resistant MFA, and monitoring suspicious post-authentication events to mitigate risk.

Potential Impact

European organizations, especially those in manufacturing, industrial automation, plastics, polymer supply chains, and healthcare, face elevated risk of credential compromise leading to unauthorized access to sensitive systems and data. Compromised credentials of sales and commercial personnel could facilitate lateral movement, espionage, fraud, or supply chain disruption. The use of npm’s CDN for phishing infrastructure complicates detection and takedown, increasing the campaign’s persistence and reach. Targeted credential theft can undermine trust in software supply chains and increase the likelihood of follow-on attacks such as business email compromise or ransomware. The focus on regional sales and country managers means that even organizations with strong corporate IT defenses may be vulnerable through less-protected commercial teams. The campaign’s resilience and anti-analysis techniques increase the difficulty of incident response and attribution. Overall, the threat could disrupt critical supply chains and healthcare services, impacting economic stability and public safety in Europe.

Mitigation Recommendations

1. Implement strict dependency verification processes to ensure only trusted npm packages are used, including scanning for malicious or suspicious packages before integration.
2. Monitor CDN traffic logs for unusual or unexpected requests originating outside typical development or deployment contexts, which may indicate abuse of package CDNs for phishing infrastructure.
3. Enforce phishing-resistant multi-factor authentication (MFA) methods such as hardware security keys (FIDO2/WebAuthn) rather than SMS or app-based OTPs to reduce the risk of credential theft leading to account compromise.
4. Conduct targeted phishing awareness training for sales and commercial personnel, emphasizing the risk of credential harvesting via document-sharing and sign-in impersonation.
5. Deploy advanced endpoint detection and response (EDR) solutions capable of detecting obfuscated JavaScript execution and anomalous browser behaviors.
6. Monitor for suspicious post-authentication activities, such as unusual access patterns or privilege escalations, to detect potential misuse of stolen credentials.
7. Collaborate with npm and other package registries to report and expedite takedown of malicious packages and aliases.
8. Restrict use of third-party packages in production environments unless thoroughly vetted and approved.
9. Use network segmentation to limit access from commercial teams to critical infrastructure systems.
10. Regularly review and update incident response plans to address supply chain and phishing threats leveraging software distribution platforms.
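Recommendation 2 above (monitoring CDN traffic for requests that do not fit a development or deployment context) is the one most directly tied to the delivery mechanic described in the analysis: an HTML lure served from an npm-backed CDN, reached from a mail client, often carrying the target's e-mail address in the URL so the sign-in form can be pre-filled. The following script is an added example written for this page, not code from the researchers or from any product, and it makes several assumptions that a deployment would replace with its own values: the CDN hostnames (`unpkg.com`, `cdn.jsdelivr.net`; the article only says "npm's CDN"), the webmail referer hosts, the development subnet, the proxy log layout, and the package names and addresses in the sample lines, all of which are constructed for the demonstration.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import unquote, urlparse

# Assumption: hostnames of public CDNs that front the npm registry.
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}
# Assumption: referers that mean "the user clicked a link in a mail client".
WEBMAIL_REFERER_HOSTS = {"outlook.office.com", "outlook.live.com", "mail.google.com"}
# Assumption: address range used by the build/development team, where
# requests to a package CDN are expected and benign.
DEV_NETWORKS = [ip_network("10.10.0.0/16")]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Assumed proxy log layout:
#   <timestamp> <source ip> <method> <url> <status> "<referer>" "<user agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'(?P<status>\d{3}) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; package names, paths and addresses are invented.
SAMPLE_LOG = [
    '2025-12-29T09:44:00Z 10.20.5.17 GET https://unpkg.com/vendor-doc-view@1.0.3/index.html 200 '
    '"https://outlook.office.com/mail/" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    '2025-12-29T09:45:10Z 10.10.1.8 GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 200 '
    '"http://localhost:3000/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0"',
    '2025-12-29T09:47:32Z 10.20.5.22 GET https://unpkg.com/shared-docs-portal@2.1.0/view.html?e=jane.doe%40example.com 200 '
    '"" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
    '2025-12-29T09:48:01Z 10.20.5.22 GET https://www.example.com/index.html 200 '
    '"" "Mozilla/5.0 (Windows NT 10.0) Chrome/120.0"',
]


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def reasons_for(rec):
    """List the indicators that make one CDN request look like a phishing lure.

    Requests to hosts outside NPM_CDN_HOSTS return an empty list: the
    heuristics only make sense for package-CDN traffic.
    """
    url = urlparse(rec["url"])
    if url.hostname not in NPM_CDN_HOSTS:
        return []
    reasons = []
    # Packages normally serve JS/CSS/JSON; a navigable HTML document is the lure itself.
    if url.path.lower().endswith((".html", ".htm")):
        reasons.append("html document served from package CDN")
    # No referer (link opened from a desktop mail client) or a webmail referer.
    ref_host = urlparse(rec["referer"]).hostname if rec["referer"] else None
    if ref_host is None or ref_host in WEBMAIL_REFERER_HOSTS:
        reasons.append("navigation from mail client or with no referer")
    # A pre-filled target address travels in the query string or fragment.
    if EMAIL_RE.search(unquote(url.query + " " + url.fragment)):
        reasons.append("e-mail address embedded in URL (pre-filled lure)")
    # Developers fetch from package CDNs; a sales-team subnet rarely should.
    try:
        if not any(ip_address(rec["src"]) in net for net in DEV_NETWORKS):
            reasons.append("source outside development network")
    except ValueError:
        reasons.append("source is not an IP address")
    return reasons


def scan(lines, threshold=2):
    """Return an alert for every parsable line that collects at least `threshold` indicators."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = reasons_for(rec)
        if len(reasons) >= threshold:
            alerts.append({"src": rec["src"], "url": rec["url"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["src"], alert["url"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

Run against the constructed sample, the two `.html` requests from the non-developer subnet are reported (the second one with the embedded address as an extra indicator), while the `lodash.min.js` fetch from a developer machine with a `localhost` referer collects no indicators at all. The threshold exists because each indicator alone is noisy; a single HTML file on a package CDN can be a legitimate demo page, and a missing referer is common, but several of them on one request from a commercial-team address is worth a look.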


Technical Details

Article Source
{"url":"https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html","fetched":true,"fetchedAt":"2025-12-30T22:11:52.290Z","wordCount":1373}

Threat ID: 69544e28b932a5a22ffaf4da

Added to database: 12/30/2025, 10:11:52 PM

Last enriched: 12/30/2025, 10:12:37 PM

Last updated: 1/8/2026, 7:22:07 AM

Views: 58
