Researchers find 175 npm packages used to host phishing infrastructure in ‘Beamglea’ campaign

Cybersecurity researchers have identified 175 malicious packages on the npm registry that were used to host credential-harvesting infrastructure in a campaign codenamed Beamglea, according to Socket. The packages have been downloaded about 26,000 times, and the campaign targeted more than 135 industrial, technology and energy companies worldwide.

Socket’s analysis and other reporting indicate the threat actors used npm’s public registry and the unpkg.com content delivery network to serve redirect scripts that route victims to credential-harvesting pages. Some aspects of the operation were first flagged by Safety’s Paul McCarty, the reporting said.

The actors automated package creation with a Python script named “redirect_generator.py” that programmatically created packages named “redirect-xxxxxx,” injected a victim’s email and a phishing URL, and published the package to npm. The live package was then referenced by HTML files that loaded JavaScript from unpkg (for example, unpkg[.]com/[email protected]/beamglea.js) to perform immediate browser redirects to credential-stealing pages, Socket said.

Socket said the JavaScript file “beamglea.js” included the victim’s email address and the destination URL and that researchers found more than 630 HTML files masquerading as purchase orders, technical specifications or project documents. The packages do not appear to execute malicious code on installation; instead the campaign leverages npm and the CDN to host and serve phishing payloads. It remains unclear how the specially crafted HTML files were distributed to victims, though email was suggested as a possibility.
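A defender-side triage check for the hosting pattern described above, added here as an example and not taken from Socket's report: it parses HTML attachments (constructed samples, not real campaign files) and flags script or iframe loads from unpkg.com whose package name follows the "redirect-xxxxxx" naming or whose file is beamglea.js. The `redirect-[0-9a-z]+` regex is an assumption about what the placeholder "xxxxxx" stands for.

```python
import re
from html.parser import HTMLParser

# Constructed sample attachments for demonstration (not files from the campaign).
SAMPLES = {
    "PO-2024-117.html": '<html><body><p>Loading purchase order...</p>'
        '<script src="https://unpkg.com/redirect-abc123@1.0.0/beamglea.js"></script></body></html>',
    "spec-sheet.html": '<html><head><script src="https://unpkg.com/react@18/umd/'
        'react.production.min.js"></script></head></html>',
    "notes.html": "<html><body><p>nothing here</p></body></html>",
}

# unpkg URL layout: https://unpkg.com/<package>[@<version>]/<path>  (unscoped packages only)
UNPKG_RE = re.compile(r"^https?://unpkg\.com/(?P<pkg>[^/@]+)(?:@(?P<ver>[^/]+))?/(?P<path>.*)$")
# Indicators taken from the report: packages named redirect-xxxxxx serving beamglea.js.
# The character class is an assumption about the "xxxxxx" placeholder.
SUSPICIOUS_PKG = re.compile(r"^redirect-[0-9a-z]+$")
SUSPICIOUS_FILE = "beamglea.js"


class RemoteLoadCollector(HTMLParser):
    """Collect src attributes of <script> and <iframe> tags."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def scan_html(html):
    """Return [(url, [reasons])] for remote loads matching the Beamglea hosting pattern."""
    collector = RemoteLoadCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        m = UNPKG_RE.match(src)
        if not m:
            continue
        reasons = []
        if SUSPICIOUS_PKG.match(m.group("pkg")):
            reasons.append("package name matches redirect-xxxxxx")
        if m.group("path").rsplit("/", 1)[-1] == SUSPICIOUS_FILE:
            reasons.append("loads beamglea.js")
        if reasons:
            findings.append((src, reasons))
    return findings


def scan_files(files):
    """Map filename -> findings for every attachment that produced at least one hit."""
    return {name: hits for name, body in files.items() if (hits := scan_html(body))}
```

Run over a mail gateway's quarantined HTML attachments, a hit on either reason is a strong signal; a hit on both is the exact pattern the report describes.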

Security researcher Kush Pandya noted that the npm ecosystem can become “unwitting infrastructure rather than a direct attack vector,” and that publishing 175 packages across nine accounts and automating victim-specific HTML generation created a resilient, low-cost hosting approach that could be adopted by other actors. Defenders were urged to monitor for abuse of open registries and of the public CDNs, such as unpkg, that serve their content.