175 Malicious npm Packages With 26,000 Downloads Attacking Technology, and Energy Companies Worldwide


Socket’s Threat Research Team has uncovered a sophisticated phishing campaign involving 175 malicious npm packages that collectively accumulated over 26,000 downloads.

The campaign, dubbed “Beamglea” based on consistent artifacts across all packages, represents a novel abuse of npm’s public registry and the unpkg.com CDN to host redirect scripts targeting 135+ industrial, technology, and energy companies worldwide.

The packages themselves don’t execute malicious code during installation, making them particularly insidious as they exploit the npm ecosystem as free hosting infrastructure for credential harvesting operations.

Credential phishing pages (Source – Socket.dev)

While the packages’ randomized names, which follow the pattern redirect-[a-z0-9]{6}, make accidental developer installation unlikely, the substantial download counts likely include security researchers, automated scanners, and CDN infrastructure fetching the packages after disclosure.

The threat actors developed comprehensive Python tooling to automate the entire campaign, enabling them to create victim-specific HTML phishing lures themed as purchase orders and project documents.

The origin and meaning of “beamglea” remains unclear, though it may represent a codename or inside reference used by the attackers.


Socket.dev analysts identified the campaign as part of their routine scanning operations, building on initial findings by Paul McCarty at Safety who first discovered the phishing infrastructure on September 24, 2025.

The researchers noted that most packages associated with this campaign remained live at the time of writing, and they petitioned npm for their immediate removal from the registry along with suspension of the threat actors’ accounts.

The campaign demonstrates remarkable sophistication in its technical implementation, representing a concerning evolution in supply chain abuse techniques.

Prior to this disclosure, the term “beamglea” had virtually no online presence, making it an effective tracking identifier for this specific operation targeting organizations across multiple critical infrastructure sectors.

Automated Package Generation Infrastructure

The threat actors developed Python automation to streamline their operations, using redirect_generator.py scripts and PyInstaller-compiled executables for ease of deployment.

The automation process demonstrates professional-level operational security planning and systematic victim targeting capabilities.

The core automation takes three inputs: a JavaScript template file named beamglea_template.js, the victim’s email address, and the destination phishing URL.

The system then processes these components through a five-step workflow that begins with npm authentication verification and proceeds through template processing, package creation, publication, and HTML lure generation.

The random package name generation function creates unique identifiers using a six-character suffix of lowercase letters and numbers, ensuring each campaign remains distinct while following the recognizable redirect- prefix pattern.

The JavaScript payload embedded in each package remains remarkably simple yet effective. Each beamglea.js file contains a processAndRedirect() function that appends the victim’s email as a URL fragment, leveraging the fact that the fragment (everything after the # symbol) is never sent to the server and therefore does not appear in standard server access logs.

This technique creates an appearance of legitimacy when phishing pages pre-fill login forms with the victim’s email address.

import random
import string

def generate_random_package_name(prefix="redirect-"):
    # Generates a random 6-character suffix of lowercase letters and digits
    suffix = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
    return prefix + suffix

def load_template(path):
    # Reads the JavaScript template from disk (helper not shown in the original excerpt)
    with open(path, encoding="utf-8") as f:
        return f.read()

# Template processing replaces placeholders with victim-specific data;
# `email` and `redirect_url` are the tool's two remaining inputs
template_js = load_template('beamglea_template.js')
final_js = template_js.replace("{{EMAIL}}", email).replace("{{URL}}", redirect_url)
with open("beamglea.js", "w", encoding="utf-8") as f:
    f.write(final_js)

The automation generates HTML lures with specific business document themes designed to bypass suspicion, utilizing filenames that mimic legitimate purchase orders, technical specifications, and project documents.

All HTML files contain the campaign identifier nb830r6x in their meta tags, providing consistent tracking across the 630+ generated lures distributed across the 175 packages.
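The redirect mechanism and the lure artifacts described above give defenders a few concrete indicators to check for: the redirect-[a-z0-9]{6} package naming pattern, scripts loaded from unpkg.com for such a package, the processAndRedirect() function that places an email in the URL fragment, and the nb830r6x campaign identifier in lure meta tags. The following scanner is an added example, not code from Socket or the campaign; the sample lure, its package name redirect-k3x9qa, and the exact meta attribute carrying the identifier are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Indicators from the Socket write-up: package name pattern, the unpkg.com
# hosting path, the payload function name, and the lure campaign identifier.
PKG_NAME_RE = re.compile(r"^redirect-[a-z0-9]{6}$")
UNPKG_SRC_RE = re.compile(r"^https?://unpkg\.com/(redirect-[a-z0-9]{6})(?:@[^/]*)?/(.+)$")
CAMPAIGN_ID = "nb830r6x"
# "...#" + email  -> an email value concatenated directly after the fragment marker
FRAGMENT_RE = re.compile(r"#['\"]\s*\+\s*\w*(?:email|mail)\w*", re.IGNORECASE)

def is_beamglea_package_name(name: str) -> bool:
    """True for npm names matching the campaign's redirect-[a-z0-9]{6} pattern."""
    return PKG_NAME_RE.match(name) is not None

class _LureParser(HTMLParser):
    """Collects Beamglea indicators from <meta> and <script> start tags."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag == "meta" and any(CAMPAIGN_ID in (v or "") for _, v in attrs):
            self.findings.append("meta:campaign-id")
        if tag == "script":
            m = UNPKG_SRC_RE.match(dict(attrs).get("src") or "")
            if m:
                self.findings.append(f"script:unpkg:{m.group(1)}/{m.group(2)}")

def scan_lure_html(html: str) -> list:
    """Return indicators found in an HTML attachment; an empty list means none."""
    p = _LureParser()
    p.feed(html)
    return p.findings

def scan_redirect_js(js: str) -> list:
    """Return indicators found in a script fetched from the CDN."""
    findings = []
    if "processAndRedirect" in js:
        findings.append("js:processAndRedirect")
    if FRAGMENT_RE.search(js):
        findings.append("js:email-in-fragment")
    return findings

# Constructed sample lure for demonstration; not a real campaign artifact.
SAMPLE_LURE = """<html><head><meta name="generator" content="nb830r6x">
<script src="https://unpkg.com/redirect-k3x9qa/beamglea.js"></script>
</head><body>Purchase Order #4821</body></html>"""
```

Run scan_lure_html over quarantined HTML attachments and scan_redirect_js over any script it points to; a hit on both the campaign identifier and an unpkg-hosted redirect package is a strong match for this campaign.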


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.