What happened
Security researchers have uncovered a coordinated campaign in which 27 malicious npm packages were uploaded to the npm registry and repurposed as phishing infrastructure to capture login credentials. These packages, published under six different publisher aliases, host browser‑served lures that imitate trusted services like document sharing and Microsoft sign‑in pages. When victims interact with these lures, they are redirected to attacker‑controlled login forms designed to harvest credentials.
Who is affected
The activity has targeted employees, particularly sales and commercial personnel, at organizations in manufacturing, industrial automation, plastics, healthcare, and related sectors within the U.S. and allied countries. The malicious code did not require users to install the npm packages; instead, attackers used the npm CDN as a resilient platform for deploying phishing assets.
Why CISOs should care
This campaign highlights how software development infrastructure and open source ecosystems can be abused beyond traditional supply‑chain tactics. Even non‑installed packages can serve as persistent delivery mechanisms for phishing content that defeats conventional security controls by leveraging trusted CDNs. The incident underscores the need for security teams to extend monitoring beyond code use to how package hosting services may be exploited as malicious hosting platforms.
3 practical actions:
- Monitor npm CDN traffic: Inspect and block requests to known malicious npm CDN endpoints and domains hosting phishing content to reduce exposure to attacker infrastructure.
- Strengthen phishing defenses: Integrate URL inspection and content analysis for links served from development ecosystems, including npm, to catch hidden phishing attempts.
- Employee awareness training: Educate staff on identifying atypical sign‑in pages and social engineering lures, particularly those mimicking internal or trusted third-party tools.
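The first two actions above amount to a detection rule: a browser should fetch JavaScript, CSS and similar assets from an npm CDN, not navigate directly to an HTML document hosted inside a package. The script below is an added example, not code from the original advisory or from the researchers it summarizes. It scans constructed proxy-log lines and flags npm CDN requests that return HTML or that are direct navigations to non-code package files. The CDN hostnames in NPM_CDN_HOSTS, the log line format and the package name in the sample are all assumptions chosen for the example.

```python
"""Flag proxy-log requests that pull HTML documents from public npm CDNs.

Added example for the advisory above; not the original page's code.
Assumptions (labelled):
- NPM_CDN_HOSTS: public CDNs that serve raw npm package files (assumed list).
- Log format: "timestamp method url status content-type referrer", one per line.
- The package name in SAMPLE_LOG is constructed and does not refer to any real package.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

# Assumption: public CDNs that expose npm package contents over HTTPS.
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net", "cdn.skypack.dev"}

# File types a page legitimately pulls from an npm CDN as sub-resources.
CODE_EXTENSIONS = (".js", ".mjs", ".cjs", ".css", ".map", ".json",
                   ".wasm", ".woff", ".woff2", ".ttf", ".svg", ".png")

# Constructed proxy log; "-" means the request carried no Referer header.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 200 application/javascript https://intranet.example/app
2024-01-01T10:00:05Z GET https://unpkg.com/example-docs-viewer@1.0.2/index.html 200 text/html -
2024-01-01T10:00:06Z GET https://unpkg.com/example-docs-viewer@1.0.2/login.html 200 text/html https://unpkg.com/example-docs-viewer@1.0.2/index.html
2024-01-01T10:00:09Z GET https://registry.npmjs.org/lodash 200 application/json -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3}) "
    r"(?P<ctype>\S+) (?P<referrer>\S+)$"
)


@dataclass
class Finding:
    ts: str
    url: str
    reason: str  # comma-joined list of the heuristics that fired


def classify(line: str) -> Optional[Finding]:
    """Return a Finding if the line is a suspicious npm CDN request, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # malformed line: ignore rather than guess
    url = m["url"]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host not in NPM_CDN_HOSTS:
        return None  # only npm CDN traffic is in scope here
    path = parts.path.lower()
    ctype = m["ctype"].split(";")[0].lower()
    referrer = m["referrer"]

    reasons = []
    # A package file served as an HTML document is a page, not a library asset.
    if ctype == "text/html" or path.endswith((".html", ".htm")):
        reasons.append("html-document-from-npm-cdn")
    # No referrer plus a non-code file looks like a user following a link
    # (e.g. from a message) straight into package contents.
    if referrer == "-" and not path.endswith(CODE_EXTENSIONS):
        reasons.append("direct-navigation-to-package-file")
    if not reasons:
        return None
    return Finding(m["ts"], url, ",".join(reasons))


def scan(lines) -> List[Finding]:
    """Run classify over an iterable of log lines and keep the hits."""
    return [f for f in (classify(line) for line in lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG.splitlines()):
        print(f"{finding.ts} {finding.url} [{finding.reason}]")
```

In the sample, the lodash fetch and the registry metadata request pass, while both HTML pages under the constructed package are flagged; the first of them fires both heuristics because it was opened with no referrer. A block rule on these endpoints is simple to add at the proxy, but content-type matching is the part worth keeping since it is what separates a phishing page from the ordinary library assets the same CDN serves.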
