175 Malicious npm Packages Targeting Tech and Energy Firms, 26,000 Downloads


Socket’s Threat Research Team has uncovered a sprawling phishing campaign—dubbed “Beamglea”—leveraging 175 malicious npm packages that have amassed over 26,000 downloads.

These packages serve solely as hosting infrastructure, redirecting victims to credential-harvesting pages.

Though randomly named packages make accidental developer installation unlikely, the download counts reflect security researchers, automated scanners, and CDN providers probing the registry post-disclosure.

Targets include more than 135 industrial, technology, and energy companies across Western Europe, the Nordics, and Asia-Pacific.

Rather than executing code at install time, each malicious package exploits npm’s public registry and unpkg.com’s CDN to host redirect scripts.

After publishing packages named with the pattern redirect-[a-z0-9]{6}, threat actors rely on unpkg.com to automatically serve assets over HTTPS.
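As an added defender-side illustration (not code from Socket or from the original article), the following Python script scans an HTML attachment for unpkg.com references whose package name fits the reported redirect-[a-z0-9]{6} pattern, and checks a list of dependency names against the same pattern; the HTML lure embedded below is constructed sample input, not an artifact from the campaign.

```python
import re
from html.parser import HTMLParser

# Package-name pattern reported for the Beamglea campaign: redirect-[a-z0-9]{6}
PKG_RE = re.compile(r"^redirect-[a-z0-9]{6}$")
# unpkg URL forms: https://unpkg.com/<pkg>@<version>/<path> or https://unpkg.com/<pkg>/<path>
UNPKG_RE = re.compile(r"^https?://unpkg\.com/(?P<pkg>[^@/]+)(?:@[^/]+)?(?:/.*)?$", re.I)


class _RefCollector(HTMLParser):
    """Collect URLs from attributes that can load remote content or navigate the browser."""
    ATTRS = {"src", "href", "action", "data"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in self.ATTRS and value:
                self.urls.append(value.strip())
        # <meta http-equiv="refresh" content="0;url=..."> is another redirect vector
        if tag.lower() == "meta":
            d = {k.lower(): v for k, v in attrs}
            content = d.get("content") or ""
            if (d.get("http-equiv") or "").lower() == "refresh" and "url=" in content.lower():
                self.urls.append(content.split("=", 1)[1].strip())


def find_unpkg_redirect_refs(html: str) -> list:
    """Return package names referenced via unpkg.com that match the redirect-XXXXXX pattern."""
    collector = _RefCollector()
    collector.feed(html)
    hits = set()
    for url in collector.urls:
        m = UNPKG_RE.match(url)
        if m and PKG_RE.match(m.group("pkg")):
            hits.add(m.group("pkg"))
    return sorted(hits)


def flag_dependency_names(names) -> list:
    """Return dependency names (e.g. from package.json or a lockfile) matching the pattern."""
    return sorted({n for n in names if PKG_RE.match(n)})


# Constructed sample lure for demonstration; the package names below are invented.
SAMPLE_LURE = """<html><head><title>Purchase Order PO-48213</title>
<script src="https://unpkg.com/redirect-k7x2pq@1.0.0/index.js"></script>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
</head><body><a href="https://unpkg.com/redirect-a1b2c3/open.html">View document</a></body></html>"""

if __name__ == "__main__":
    print(find_unpkg_redirect_refs(SAMPLE_LURE))  # ['redirect-a1b2c3', 'redirect-k7x2pq']
```

Run it against mail-gateway attachments or a repository's dependency manifests; any hit is worth a closer look, since legitimate projects rarely load scripts from randomly named packages.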

Victims receive HTML lures themed as purchase orders or project documents—likely via phishing emails—with embedded