New Cyberattack Leverages NPM Ecosystem to Infect Developers While Installing Packages

Cybersecurity researchers have uncovered a phishing campaign that weaponizes the NPM ecosystem through an unusual attack vector.

Unlike traditional malicious-package attacks, this operation leverages the trusted unpkg.com CDN to deliver phishing redirect scripts straight to victims' browsers, targeting enterprise employees across 135+ organizations, primarily in Europe’s industrial, technology, and energy sectors.

The campaign, discovered in October 2025, represents a dangerous evolution in supply chain attack methodologies.

Threat actors automated the creation of over 175 throwaway NPM packages, each serving as disposable hosting infrastructure for JavaScript code that automatically redirects victims to credential-harvesting websites.

These packages follow generated naming patterns, including the “redirect-[a-z0-9]{6}” scheme and “mad-x.x.x.x.x.x” variants, so that each one looks like just another unremarkable entry in the NPM registry.

Rather than compromising developers during traditional package installation processes, attackers distribute crafted HTML files disguised as business documents, invoices, and project files.

When a victim opens one of these seemingly innocuous files, it loads a script from the unpkg.com CDN, which automatically serves the contents of any package published to NPM; the attackers therefore needed no hosting infrastructure of their own.

This approach turns legitimate open-source hosting infrastructure into a phishing delivery mechanism and sidesteps controls that implicitly trust the unpkg.com domain.
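To make the delivery mechanism concrete, here is an added triage example (not code from the campaign, Socket or Snyk): it pulls every external script out of an HTML lure, decodes the ones served from unpkg.com into package, version and path, and flags package names that match the naming patterns reported above. The sample lure is constructed, and the token rule used for the "mad-" pattern is an assumption, since the report only gives the shape "mad-x.x.x.x.x.x".

```javascript
// Added example: static triage of an HTML lure for unpkg.com script loads.
// Not code from the campaign or the Snyk/Socket write-ups; SAMPLE_LURE is constructed.

// unpkg serves any published npm package at https://unpkg.com/<pkg>[@<version>][/<path>],
// where <pkg> may be scoped (@scope/name).
const UNPKG_URL = /^https?:\/\/unpkg\.com\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(\/[^"'\s]*)?/i;

// Naming patterns reported for the throwaway packages. The "mad-" rule (six
// dot-separated alphanumeric tokens) is an assumption about "mad-x.x.x.x.x.x".
const SUSPICIOUS_NAME = [
  /^redirect-[a-z0-9]{6}$/,
  /^mad-(?:[a-z0-9]+\.){5}[a-z0-9]+$/,
];

function isSuspiciousPackage(name) {
  return SUSPICIOUS_NAME.some((re) => re.test(name));
}

// Pull every <script src=...> out of an HTML document and decode the unpkg ones.
function extractUnpkgScripts(html) {
  const results = [];
  const scriptTag = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = scriptTag.exec(html)) !== null) {
    const url = m[1].trim();
    const u = UNPKG_URL.exec(url);
    if (!u) continue; // only unpkg.com loads matter for this campaign
    results.push({
      url,
      pkg: u[1],
      version: u[2] || null, // unpkg resolves a missing version to "latest"
      path: u[3] || '/',
      suspicious: isSuspiciousPackage(u[1]),
    });
  }
  return results;
}

// Verdict for a lure file: any script loaded from unpkg.com inside an "invoice"
// or "document" is worth a look; a matching throwaway name is a strong hit.
function triageLure(html) {
  const scripts = extractUnpkgScripts(html);
  return {
    unpkgScripts: scripts.length,
    suspicious: scripts.filter((s) => s.suspicious).map((s) => s.pkg),
  };
}

// Constructed sample mimicking the described lure: a "document" that is really a loader.
const SAMPLE_LURE = `<!doctype html>
<html><head><title>Invoice_2025_10.pdf</title>
<script src="https://unpkg.com/redirect-k3x9qz@1.0.0/index.js"></script>
<script src="https://unpkg.com/lodash@4.17.21/lodash.min.js"></script>
</head><body>Loading document...</body></html>`;

console.log(JSON.stringify(triageLure(SAMPLE_LURE), null, 2));
```

Run with `node` on a saved attachment's contents. In a mail gateway or EDR rule the useful signal is the combination: an HTML attachment named like a document that loads any script from unpkg.com, with the throwaway-name match as a high-confidence escalation rather than the only trigger, since the naming scheme is cheap for the operators to change.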

Snyk analysts identified additional package clusters beyond those initially reported by Socket, revealing the campaign’s extensive scope.

The researchers noted that the attack shows threat actors actively exploring ways to weaponize the open-source ecosystem beyond conventional package-based compromise, a notable shift in supply chain attack strategy.

The script includes several behaviours intended to make it harder to analyse and detect.

Security check (Source – Snyk)

Upon execution, the script presents victims with a fake “Cloudflare Security Check” interface, backed by anti-analysis countermeasures designed to evade inspection.

Advanced Evasion and Persistence Mechanisms

The malicious payload incorporates multiple layers of protection against security analysis and detection.

The code runs a periodic developer-tools check and blanks the page or redirects when a console is detected.

It uses two techniques: comparing the window's outer and inner dimensions, since a docked DevTools pane shrinks the viewport past a threshold, and defining a getter on an object that is then passed to console.log, which only fires when an open console formats the object for display:

// Excerpt of the anti-analysis routine. The dw/dh/obj/open declarations and the
// periodic loop are not in the published excerpt and are reconstructed from how
// the checks use them and from the description above.
const CHECK_INTERVAL = 600;   // ms between detection ticks
const SIZE_THRESHOLD = 160;   // px; a docked DevTools pane shrinks the viewport by more than this
const REACTION = 'blank';     // on detection: blank the page (a redirect variant also exists)

let open = false;   // set by the getter trap below

function sizeCheck() {
    // window chrome minus viewport; reconstructed, the excerpt uses dw/dh without defining them
    const dw = window.outerWidth - window.innerWidth;
    const dh = window.outerHeight - window.innerHeight;
    return (dw > SIZE_THRESHOLD) || (dh > SIZE_THRESHOLD);
}

function consoleCheck() {
    // fresh object per call: redefining a non-configurable property on the same object would throw
    const obj = {};
    // the getter only runs when an open console formats obj for display
    Object.defineProperty(obj, 'id', {
        get: function() {
            open = true;
            return '1';
        }
    });
    console.log(obj);
    return open;
}

// periodic tick (reconstructed; the excerpt shows the constants but not the loop)
setInterval(function() {
    if (sizeCheck() || consoleCheck()) {
        if (REACTION === 'blank') document.body.innerHTML = '';
    }
}, CHECK_INTERVAL);

Additionally, the malware blocks the standard ways of inspecting a page by intercepting keyboard shortcuts and context-menu events.

Keydown listeners swallow F12 (developer tools), Ctrl+Shift+I (inspector) and Ctrl+U (view source), and a contextmenu listener suppresses the right-click menu.

The script also busts out of frames: once the victim ticks the fake verification checkbox, it redirects the top-level window rather than the frame it runs in, so the redirect succeeds regardless of the browsing context in which the lure was opened.
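The behaviours described in this section are a useful static fingerprint for an analyst who has pulled the script from unpkg.com. The following is an added example (not code from the campaign or from the Snyk/Socket reports) that scans raw script source for each anti-analysis idiom described above and turns the hits into a verdict. The indicator patterns and the sample script are constructed for illustration; the patterns match idioms rather than identifiers so that renaming alone does not defeat them, though heavier obfuscation will.

```javascript
// Added example: static indicators for the anti-analysis features described above.
// Not code from the campaign or the Snyk/Socket write-ups; SAMPLE_SCRIPT is constructed.

// Each indicator is a name plus a pattern over the raw script source. Patterns are
// deliberately loose and target idioms, not variable names, since names change
// between builds. They will not see through string-encoded or packed code.
const INDICATORS = [
  // outerWidth/innerWidth deltas are the classic docked-DevTools size check
  { name: 'devtools-size-check', re: /outer(?:Width|Height)\s*-\s*(?:window\.)?inner(?:Width|Height)/ },
  // a getter installed on an object that is then passed to console.log fires only
  // when an open console formats the object
  { name: 'console-getter-trap', re: /defineProperty\s*\([^)]*\{\s*get\b[\s\S]{0,200}?console\.log/ },
  // F12 (keyCode 123), Ctrl+Shift+I, Ctrl+U
  { name: 'keyboard-block', re: /keyCode\s*===?\s*123|key\s*===?\s*['"]F12['"]|ctrlKey\s*&&\s*(?:e|event)\.shiftKey|ctrlKey\s*&&[^;]*['"][uU]['"]/ },
  // right-click menu suppressed
  { name: 'contextmenu-block', re: /['"]contextmenu['"][\s\S]{0,120}?preventDefault/ },
  // frame-busting: assignment to the top-level window's location
  { name: 'top-redirect', re: /(?:window\.)?top\.location(?:\.href)?\s*=/ },
  // the lure's fake verification page
  { name: 'fake-cloudflare', re: /cloudflare[\s\S]{0,80}?security\s+check/i },
];

// Return the names of every indicator present in the source, in INDICATORS order.
function triageScript(src) {
  return INDICATORS.filter((i) => i.re.test(src)).map((i) => i.name);
}

// Simple scoring: a single hit is common in legitimate code (frame-busting, for
// example); three or more independent indicators together is an alert.
function verdict(src) {
  const hits = triageScript(src);
  return { hits, alert: hits.length >= 3 };
}

// Constructed sample loosely modelled on the behaviours described in the article.
const SAMPLE_SCRIPT = `
var dw = window.outerWidth - window.innerWidth;
var dh = window.outerHeight - window.innerHeight;
function sizeCheck(){ return dw > 160 || dh > 160; }
var o = {}, open = false;
Object.defineProperty(o, 'id', { get: function(){ open = true; return '1'; } });
console.log(o);
document.addEventListener('keydown', function(e){
  if (e.keyCode === 123) e.preventDefault();
  if (e.ctrlKey && e.shiftKey && e.key === 'I') e.preventDefault();
  if (e.ctrlKey && e.key === 'u') e.preventDefault();
});
document.addEventListener('contextmenu', function(e){ e.preventDefault(); });
document.title = 'Cloudflare Security Check';
document.getElementById('cb').onclick = function(){ window.top.location.href = 'https://example.invalid/login'; };
`;

console.log(JSON.stringify(verdict(SAMPLE_SCRIPT), null, 2));
```

Feed it the script body fetched from the unpkg URL found in the lure (fetch it from an isolated host, not from the victim's machine). Because the campaign republishes the same loader under fresh package names, this content-level fingerprint outlives any list of package names or versions.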
