Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Lucide Proxy: Turning Student Web Proxies into DDoS Bots

0
Medium
Published: 07/14/2026 (07/14/2026, 16:14:42 UTC)
Source: AlienVault OTX General

Description

A campaign deployed 148 malicious npm packages posing as student web proxy applications under brands like Riverbend Tutoring and Northstar Tutoring. These packages weaponized visitor browsers into DDoS botnets, generating HTTP floods and WebSocket traffic floods using the Wisp protocol. The campaign abused npm as a content delivery network, targeting users who visited proxy instances rather than through traditional dependency infection. During May 2026, attacks generated up to 2GB/s traffic and 10,240 socket connections per second. The campaign affected users primarily in the United States and involved adware and supply chain abuse techniques.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/14/2026, 17:03:33 UTC

Technical Analysis

This campaign involved the deployment of 148 malicious npm packages masquerading as student web proxy applications published by accounts terminal3airport and eerikakirk. These packages functioned as legitimate proxies but secretly executed mutable remote code and high-performance WebSocket traffic generators compatible with the Wisp protocol. The campaign weaponized visitor browsers into distributed denial-of-service (DDoS) botnets that launched HTTP floods and control-plane attacks generating massive traffic and socket connections against target servers. The abuse of npm as a content delivery network allowed the campaign to affect users who accessed proxy instances directly rather than through traditional dependency infections. The campaign was active during a critical two-week period in May 2026, with attacks generating aggregate traffic of 2GB/s and establishing 10,240 socket connections per second. Indicators include multiple malicious domains and hashes. The campaign targeted student users and leveraged browser-based attacks, adware, and supply chain abuse techniques.

Potential Impact

The campaign weaponized browsers of users visiting malicious student proxy applications to create large-scale DDoS botnets capable of generating HTTP floods and WebSocket floods, resulting in significant volumetric and connection-based denial-of-service attacks against targeted servers. This could disrupt availability of targeted services and infrastructure. The abuse of npm as a content delivery network means that users were affected by visiting proxy instances rather than traditional software dependency infections. The campaign also generated advertising revenue for the attackers, indicating a financial motive alongside disruption. The impact was geographically noted in the United States.

Mitigation Recommendations

No official patch or fix is available as this is a campaign abusing npm packages rather than a software vulnerability. Mitigation involves avoiding use of suspicious or untrusted student web proxy npm packages, verifying package authenticity before use, and monitoring for indicators of compromise such as the listed malicious domains and hashes. Users and organizations should be cautious about proxy services and npm packages from unverified sources. Since the campaign abuses browser execution, restricting or monitoring browser-based proxy usage may help. Check vendor advisories and npm security notices for updates or removals of malicious packages.

Affected Countries

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Author
AlienVault
Tlp
white
References
["https://research.jfrog.com/post/lucide-proxy-npm-malware-campaign"]
Adversary
null
Pulse Id
6a5660720f790923b2946df9
Threat Score
null

Indicators of Compromise

Domain

ValueDescriptionCopy
domain21baseballacademy.com
domainlucideon.top
domainc.vipersfutbol.com
domaincdn.caan.edu
domaincdn.conditionfuneral.com

Hash

ValueDescriptionCopy
hash0a913561831bdf2c26dcf18b852b5cc1
hashc6851a038da578a80eeb201e0588c84c
hash10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75
hash4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd
hasheb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84

Threat ID: 6a56682768715ace43dcef0c

Added to database: 07/14/2026, 16:47:35 UTC

Last enriched: 07/14/2026, 17:03:33 UTC

Last updated: 07/15/2026, 04:42:29 UTC

Views: 12

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

External Links

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses