Redazione RHC: 15 October 2025 07:19
Attackers are abusing legitimate npm infrastructure in a new phishing campaign dubbed Beamglea. This time the malicious packages do not execute malicious code; instead they use the legitimate CDN service unpkg[.]com to serve phishing pages to users.
At the end of September, security researchers at Safety identified 120 npm packages used in these attacks; their number has since exceeded 175, security firm Socket reports.
These packages are designed to attack over 135 organizations in the energy, industrial, and technology sectors. Targets include Algodue, ArcelorMittal, Demag Cranes, D-Link, H2 Systems, Moxa, Piusi, Renishaw, Sasol, Stratasys, and ThyssenKrupp Nucera. The attacks are primarily focused on Western European countries, but some targets are also located in Northern Europe and the Asia-Pacific region.
In total, the packages have been downloaded over 26,000 times, although some of the downloads are believed to have come from cybersecurity researchers, automated scanners, and analysis tools.
Package names follow the pattern “redirect-[a-z0-9]{6}”, with a random six-character suffix. Once published to npm, the packages become reachable over HTTPS through unpkg[.]com CDN links.
“Attackers can distribute HTML files disguised as purchase orders and project documents to targeted users. While the exact distribution method is unclear, the business document themes and customization for specific victims suggest distribution via email attachments or phishing links,” Socket notes.
Once the victim opens the malicious HTML file, the malicious JavaScript code from the npm package is loaded into the browser via the unpkg[.]com CDN, and the victim is redirected to a phishing page where they are asked to enter their credentials.
The attackers were also observed using a Python toolkit to automate the campaign: the script checks whether it is already logged in to npm and prompts for credentials if not, inserts the victim’s email address and the phishing link into a JavaScript template (beamglea_template.js), generates a package.json file, publishes the result as a public package, and creates an HTML file that links to the npm package via the unpkg[.]com CDN.
“This automation allowed the attackers to create 175 unique packages targeting different organizations without having to manually target each victim,” Socket noted.
According to researchers, the attackers generated over 630 HTML files that load the malicious packages, all carrying the campaign ID nb830r6x in a meta tag. The files mimic purchase orders, technical specifications, and design documentation.
“When victims open HTML files in their browser, JavaScript immediately redirects them to the phishing domain, passing the victim’s email address via a URL fragment. The phishing page then automatically fills in the email address field, creating the convincing impression that the victim is accessing a legitimate portal that has already recognized them,” the experts say.
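The indicators above (the “redirect-[a-z0-9]{6}” package naming pattern, script loads from unpkg[.]com, and the nb830r6x campaign ID in a meta tag) are enough to build a simple triage check for HTML attachments and for project dependency lists. The following script is an added example written for this article, not code from Socket or from the campaign. It assumes the package name “redirect-k3x9qz”, the `<meta name="campaign">` tag and the sample documents, all of which are constructed for the demonstration; a plain unpkg[.]com script load is recorded but not flagged on its own, since unpkg is widely used legitimately.

```python
"""Triage helpers for Beamglea-style HTML lures and dependency lists.

Two checks, both derived from the indicators in the report:
  1. scan_html(): flag HTML that loads a script from unpkg.com whose package
     name matches "redirect-[a-z0-9]{6}", or that carries the campaign ID
     "nb830r6x" in a <meta> tag.
  2. find_redirect_dependencies(): flag package.json dependencies whose
     names match the same pattern, in case a lure package was pulled into
     a project.
"""
import json
import re
from html.parser import HTMLParser

# Package name pattern and campaign ID as reported by Socket.
PKG_NAME_RE = re.compile(r"^redirect-[a-z0-9]{6}$")
CAMPAIGN_IDS = {"nb830r6x"}

# unpkg.com URL shape: https://unpkg.com/<pkg>[@version][/path]; scoped
# packages keep their "@scope/" prefix.
UNPKG_RE = re.compile(
    r"^https?://unpkg\.com/(?P<pkg>@[^/@]+/[^/@]+|[^/@]+)", re.IGNORECASE
)


class _IndicatorParser(HTMLParser):
    """Collects (indicator, value) pairs from <script src> and <meta> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "script" and attrs.get("src"):
            src = attrs["src"].strip()
            m = UNPKG_RE.match(src)
            if m:
                kind = ("unpkg_redirect_package"
                        if PKG_NAME_RE.match(m.group("pkg")) else "unpkg_script")
                self.findings.append((kind, src))
        elif tag == "meta":
            # The report does not name the meta attribute, so every attribute
            # value is compared against the known campaign ID.
            for value in attrs.values():
                if value.strip().lower() in CAMPAIGN_IDS:
                    self.findings.append(("campaign_id", value.strip()))


def scan_html(html_text):
    """Return {'findings': [...], 'suspicious': bool} for one HTML document."""
    parser = _IndicatorParser()
    parser.feed(html_text)
    parser.close()
    strong = {"unpkg_redirect_package", "campaign_id"}
    return {
        "findings": parser.findings,
        "suspicious": any(kind in strong for kind, _ in parser.findings),
    }


def find_redirect_dependencies(package_json_text):
    """Return dependency names in a package.json matching the lure pattern."""
    data = json.loads(package_json_text)
    hits = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in data.get(section, {}):
            if PKG_NAME_RE.match(name):
                hits.append(name)
    return sorted(hits)


# Constructed sample inputs (not taken from the campaign). The package name
# "redirect-k3x9qz" and the <meta name="campaign"> tag are invented to match
# the reported pattern and campaign ID.
SAMPLE_LURE = """<!DOCTYPE html><html><head>
<meta charset="utf-8">
<meta name="campaign" content="nb830r6x">
<title>Purchase Order PO-2025-0417</title>
<script src="https://unpkg.com/redirect-k3x9qz@1.0.0/index.js"></script>
</head><body>Loading document...</body></html>"""

SAMPLE_BENIGN = """<!DOCTYPE html><html><head>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
</head><body><div id="root"></div></body></html>"""

SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "internal-portal",
    "dependencies": {"express": "^4.19.0", "redirect-k3x9qz": "1.0.0"},
})

if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        result = scan_html(doc)
        print(f"{label}: suspicious={result['suspicious']} findings={result['findings']}")
    print("redirect deps:", find_redirect_dependencies(SAMPLE_PACKAGE_JSON))
```

Run over a mail-gateway quarantine folder or a repository checkout, `scan_html` gives a per-file verdict and `find_redirect_dependencies` catches a lure package that was installed rather than merely opened; both rely only on the published indicators, so the pattern and campaign ID should be refreshed as the vendors update their reports.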
According to researchers at Snyk, other npm packages using the “mad-*” naming scheme exhibit similar behavior, although they have not yet been directly linked to the Beamglea campaign.
“The package contains a fake ‘Cloudflare Security Check’ page that secretly redirects users to an attacker-controlled URL extracted from a remote file hosted on GitHub,” Snyk said.