27 Malicious Npm Packages Used As Phishing Infrastructure To Steal...
Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft.
The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical infrastructure-adjacent organizations in the U.S. and Allied nations, according to Socket.
"A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft," researchers Nicholas Anderson and Kirill Boychenko said.
Rather than requiring users to install the packages, the end goal of the campaign is to repurpose npm and package content delivery networks (CDNs) as hosting infrastructure, using them to deliver client-side HTML and JavaScript lures impersonating secure document-sharing that are embedded directly in phishing pages, following which victims are redirected to Microsoft sign-in pages with the email address pre-filled in the form.
The use of package CDNs offers several benefits, the foremost being the ability to turn a legitimate distribution service into infrastructure that's resilient to takedowns. In addition, it makes it easy for attackers to switch to other publisher aliases and package names, even if the libraries are pulled.
The packages have been found to incorporate various checks on the client side to challenge analysis efforts, including filtering out bots, evading sandboxes, and requiring mouse or touch input before taking the victims to threat-actor-controlled credential harvesting infrastructure. The JavaScript code is also obfuscated or heavily minified to make automated inspection more difficult.
Another crucial anti-analysis control adopted by the threat actor relates to the use of honeypot form fields that are hidden from view for real users, but are likely to be populated by crawlers. This step acts as a second layer of defense, preventing the attack from proceeding further.
Socket said the domains packed into these packages overlap with adversary-in-the-middle (AitM) phishing infrastructure associated with Evilginx, an open-source phishing kit.
This is not the first time npm has been transformed into phishing infrastructure. Back in October 2025, the so
Source: The Hacker News
