Lucide Proxy: Turning Student Web Proxies into DDoS Bots
A campaign deployed 148 malicious npm packages posing as student web proxy applications under brands like Riverbend Tutoring and Northstar Tutoring. These packages weaponized visitor browsers into DDoS botnets, generating HTTP floods and WebSocket traffic floods using the Wisp protocol. The campaign abused npm as a content delivery network, targeting users who visited proxy instances rather than through traditional dependency infection. During May 2026, attacks generated up to 2GB/s traffic and 10,240 socket connections per second. The campaign affected users primarily in the United States and involved adware and supply chain abuse techniques.
AI Analysis
Technical Summary
This campaign involved the deployment of 148 malicious npm packages masquerading as student web proxy applications published by accounts terminal3airport and eerikakirk. These packages functioned as legitimate proxies but secretly executed mutable remote code and high-performance WebSocket traffic generators compatible with the Wisp protocol. The campaign weaponized visitor browsers into distributed denial-of-service (DDoS) botnets that launched HTTP floods and control-plane attacks generating massive traffic and socket connections against target servers. The abuse of npm as a content delivery network allowed the campaign to affect users who accessed proxy instances directly rather than through traditional dependency infections. The campaign was active during a critical two-week period in May 2026, with attacks generating aggregate traffic of 2GB/s and establishing 10,240 socket connections per second. Indicators include multiple malicious domains and hashes. The campaign targeted student users and leveraged browser-based attacks, adware, and supply chain abuse techniques.
Potential Impact
The campaign weaponized browsers of users visiting malicious student proxy applications to create large-scale DDoS botnets capable of generating HTTP floods and WebSocket floods, resulting in significant volumetric and connection-based denial-of-service attacks against targeted servers. This could disrupt availability of targeted services and infrastructure. The abuse of npm as a content delivery network means that users were affected by visiting proxy instances rather than traditional software dependency infections. The campaign also generated advertising revenue for the attackers, indicating a financial motive alongside disruption. The impact was geographically noted in the United States.
Mitigation Recommendations
No official patch or fix is available as this is a campaign abusing npm packages rather than a software vulnerability. Mitigation involves avoiding use of suspicious or untrusted student web proxy npm packages, verifying package authenticity before use, and monitoring for indicators of compromise such as the listed malicious domains and hashes. Users and organizations should be cautious about proxy services and npm packages from unverified sources. Since the campaign abuses browser execution, restricting or monitoring browser-based proxy usage may help. Check vendor advisories and npm security notices for updates or removals of malicious packages.
Affected Countries
United States
Indicators of Compromise
- domain: 21baseballacademy.com
- hash: 0a913561831bdf2c26dcf18b852b5cc1
- hash: c6851a038da578a80eeb201e0588c84c
- hash: 10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75
- hash: 4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd
- hash: eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84
- domain: lucideon.top
- domain: c.vipersfutbol.com
- domain: cdn.caan.edu
- domain: cdn.conditionfuneral.com
Lucide Proxy: Turning Student Web Proxies into DDoS Bots
Description
A campaign deployed 148 malicious npm packages posing as student web proxy applications under brands like Riverbend Tutoring and Northstar Tutoring. These packages weaponized visitor browsers into DDoS botnets, generating HTTP floods and WebSocket traffic floods using the Wisp protocol. The campaign abused npm as a content delivery network, targeting users who visited proxy instances rather than through traditional dependency infection. During May 2026, attacks generated up to 2GB/s traffic and 10,240 socket connections per second. The campaign affected users primarily in the United States and involved adware and supply chain abuse techniques.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
This campaign involved the deployment of 148 malicious npm packages masquerading as student web proxy applications published by accounts terminal3airport and eerikakirk. These packages functioned as legitimate proxies but secretly executed mutable remote code and high-performance WebSocket traffic generators compatible with the Wisp protocol. The campaign weaponized visitor browsers into distributed denial-of-service (DDoS) botnets that launched HTTP floods and control-plane attacks generating massive traffic and socket connections against target servers. The abuse of npm as a content delivery network allowed the campaign to affect users who accessed proxy instances directly rather than through traditional dependency infections. The campaign was active during a critical two-week period in May 2026, with attacks generating aggregate traffic of 2GB/s and establishing 10,240 socket connections per second. Indicators include multiple malicious domains and hashes. The campaign targeted student users and leveraged browser-based attacks, adware, and supply chain abuse techniques.
Potential Impact
The campaign weaponized browsers of users visiting malicious student proxy applications to create large-scale DDoS botnets capable of generating HTTP floods and WebSocket floods, resulting in significant volumetric and connection-based denial-of-service attacks against targeted servers. This could disrupt availability of targeted services and infrastructure. The abuse of npm as a content delivery network means that users were affected by visiting proxy instances rather than traditional software dependency infections. The campaign also generated advertising revenue for the attackers, indicating a financial motive alongside disruption. The impact was geographically noted in the United States.
Mitigation Recommendations
No official patch or fix is available as this is a campaign abusing npm packages rather than a software vulnerability. Mitigation involves avoiding use of suspicious or untrusted student web proxy npm packages, verifying package authenticity before use, and monitoring for indicators of compromise such as the listed malicious domains and hashes. Users and organizations should be cautious about proxy services and npm packages from unverified sources. Since the campaign abuses browser execution, restricting or monitoring browser-based proxy usage may help. Check vendor advisories and npm security notices for updates or removals of malicious packages.
Affected Countries
Technical Details
- Author
- AlienVault
- Tlp
- white
- References
- ["https://research.jfrog.com/post/lucide-proxy-npm-malware-campaign"]
- Adversary
- null
- Pulse Id
- 6a5660720f790923b2946df9
- Threat Score
- null
Indicators of Compromise
Domain
| Value | Description | Copy |
|---|---|---|
domain21baseballacademy.com | — | |
domainlucideon.top | — | |
domainc.vipersfutbol.com | — | |
domaincdn.caan.edu | — | |
domaincdn.conditionfuneral.com | — |
Hash
| Value | Description | Copy |
|---|---|---|
hash0a913561831bdf2c26dcf18b852b5cc1 | — | |
hashc6851a038da578a80eeb201e0588c84c | — | |
hash10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75 | — | |
hash4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd | — | |
hasheb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84 | — |
Threat ID: 6a56682768715ace43dcef0c
Added to database: 07/14/2026, 16:47:35 UTC
Last enriched: 07/14/2026, 17:03:33 UTC
Last updated: 07/15/2026, 04:42:29 UTC
Views: 12
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.