Secy247 – Technology, Cybersecurity & Business

New Phishing Campaign Abuses npm Packages to Steal Corporate Credentials

Security researchers have uncovered a long-running and highly targeted phishing operation that abuses the npm ecosystem to steal login credentials from professionals working in sensitive industries. The campaign, which has been active for several months, relies on malicious npm packages designed to quietly deliver browser-based phishing pages rather than traditional malware.

According to findings from security firm Socket, the operation involved at least 27 malicious npm packages, uploaded under multiple fake publisher identities. These packages were engineered to target individuals working in sales, procurement, and business development roles across industries tied to critical infrastructure, including manufacturing, industrial automation, healthcare, and logistics.

How the Attack Works

Instead of infecting systems directly, the attackers used npm as a hosting and delivery platform. The published packages contained HTML and JavaScript files that, when opened in a browser through a URL pointing into the package (public CDNs serve npm package contents directly), redirected the visitor to a convincing fake document-sharing portal or Microsoft login page.

The goal was simple: steal credentials.

Once a target clicked the emailed link, the page presented a familiar-looking sign-in form with the victim's email address already filled in, which lowers suspicion and raises the chance that the password is entered. Unlike a phishing page hosted on an attacker-registered domain, this approach rode on trusted package repositories and content delivery networks with good reputations, so the URLs were harder to block by reputation and the content harder to take down.
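As an added illustration, not code from the article or from Socket's research, the Node.js script below triages the extracted files of an npm package for HTML or JavaScript that sends a visitor to an external host, which is the delivery pattern described above. The package name, file contents and the `.invalid` hostnames are constructed for the example, and the redirect patterns it matches (meta refresh, `location` assignment, `location.replace`/`assign`) are generic browser redirect idioms rather than anything the article attributes to this campaign.

```javascript
// Added example, not from the article or from Socket's research: triage an
// npm package's extracted files for browser redirects to external hosts.
// All sample file contents and hostnames below are constructed.

// Patterns that hand the browser to another URL. Each has one capture group
// holding the destination.
const REDIRECT_PATTERNS = [
  // <meta http-equiv="refresh" content="0; url=https://...">
  /<meta[^>]+http-equiv=["']?refresh["']?[^>]*url=([^"'\s>]+)/gi,
  // window.location = "...", location.href = "...", document.location = "..."
  /(?:window\.|document\.|top\.)?location(?:\.href)?\s*=\s*["']([^"']+)["']/gi,
  // location.replace("...") / location.assign("...")
  /location\.(?:replace|assign)\(\s*["']([^"']+)["']\s*\)/gi,
];

function extractRedirectTargets(source) {
  const targets = new Set();
  for (const re of REDIRECT_PATTERNS) {
    re.lastIndex = 0; // global regexes keep state between calls
    let m;
    while ((m = re.exec(source)) !== null) targets.add(m[1]);
  }
  return [...targets];
}

// Hostname of an absolute URL, or null for relative/unparseable values.
function hostOf(url) {
  try {
    return new URL(url).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// files: { "path/in/package": "contents" }. Returns one finding per
// external redirect found in an HTML or JavaScript file; hosts listed in
// opts.allowedHosts (e.g. the organisation's own SSO) are ignored.
function scanPackage(files, opts = {}) {
  const allowed = new Set((opts.allowedHosts || []).map((h) => h.toLowerCase()));
  const findings = [];
  for (const [path, content] of Object.entries(files)) {
    if (!/\.(html?|m?js|cjs)$/i.test(path)) continue;
    for (const target of extractRedirectTargets(content)) {
      const host = hostOf(target);
      if (host === null || allowed.has(host)) continue;
      findings.push({ path, target, host });
    }
  }
  return findings;
}

// Constructed sample: the installable code is harmless filler while two
// other files redirect the browser to a fake "document portal".
const SAMPLE_PACKAGE = {
  'package.json': '{"name":"example-docs-viewer","version":"1.0.0","main":"index.js"}',
  'index.js': 'module.exports = function noop() { return "nothing to see here"; };',
  'README.md': '# example-docs-viewer\nView shared documents.',
  'view.html': [
    '<!doctype html><html><head><title>Shared document</title>',
    '<meta http-equiv="refresh" content="0; url=https://login.example-docs.invalid/verify">',
    '</head><body>Loading document...</body></html>',
  ].join('\n'),
  'go.js':
    'setTimeout(function () { window.location.href = ' +
    '"https://portal.example-docs.invalid/?e=" + encodeURIComponent(location.hash.slice(1)); }, 50);',
};

console.log(JSON.stringify(scanPackage(SAMPLE_PACKAGE), null, 2));
```

To run this against a real package, fetch the tarball with `npm pack <name>`, unpack it, and build the `files` map from the extracted directory. String matching is a triage aid, not a verdict: a script that assembles its destination at runtime from encoded fragments will not match these patterns, so a package with no installable purpose that still ships `.html` files deserves a manual look even when the scanner is quiet.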

Researchers say the campaign used 27 uniquely named packages, each appearing legitimate at first glance, including:

Built to Evade Detection

To avoid automated scanning and security analysis, the malicious packages included multiple layers of evasion. These included:

The attackers also reused infrastructure commonly associated with adversary-in-the-middle (AitM) phishing frameworks. An AitM kit proxies the victim's traffic to the real login service in real time, so it captures not only the password but also the session cookie issued after a successful sign-in, which lets the attacker reuse the authenticated session even where multi-factor authentication is enforced.

Why This Campaign Stands Out

Unlike traditional phishing that points victims at attacker-registered domains or relies on malicious attachments, this operation weaponized trusted developer infrastructure for hosting. By placing phishing pages inside npm packages and delivering them through legitimate CDNs, the attackers made detection and takedown significantly more difficult.

Researchers also noted that many of the targeted individuals worked in sales and business development roles rather than IT, suggesting a strategic focus on access points that could later be leveraged for supply chain compromise or corporate espionage.

The affected targets were spread across multiple regions, including the United States, Canada, Germany, France, Italy, Spain, the U.K., Turkey, and parts of Asia. Investigators believe the attackers likely sourced email addresses from public trade events, professional directories, or industry expos.

Growing Abuse of Open-Source Ecosystems

This campaign follows a growing trend in which open-source package repositories are being repurposed as attack infrastructure. Earlier campaigns, such as the “Beamglea” operation uncovered in 2025, used similar techniques to distribute credential harvesters and backdoors.

Security researchers warn that attackers are becoming more selective and strategic, favoring low-noise operations that blend seamlessly into normal developer workflows.

“Instead of mass infection, these actors are going after high-value targets and using software supply chains as delivery vehicles,” researchers noted. “The malicious code often looks legitimate and only activates under specific conditions.”

What Organizations Should Do

To reduce exposure to these kinds of threats, security teams are advised to:

As attackers continue to weaponize trusted platforms, defenders must assume that even familiar tools can be abused. Visibility, verification, and zero-trust principles remain critical in preventing these silent but highly effective attacks.
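The following added example (again not code from the article or from Socket) shows the check a SOC could run over web-proxy logs for the hosting pattern this article describes: flag requests from user workstations that fetch an `.html` file out of an npm package through a public CDN, then list which non-CDN hosts the same client contacted in the following minute, which is where the redirect landed. The log format, user names, package names, timestamps and `.invalid` hosts are constructed; the hostnames `unpkg.com` and `cdn.jsdelivr.net` are real CDNs that serve npm package contents and are used here as an assumed watch-list, not as infrastructure the article attributes to this campaign.

```javascript
// Added example, not from the article or from Socket's research: flag
// proxy-log requests that fetch an .html file from a CDN that serves npm
// package contents, and show where each client went next. Log lines, user
// names, package names and .invalid hosts are constructed for the example.

// Public CDNs that serve files straight out of npm packages. Real services,
// used here as an assumed watch-list, not hosts the article names.
const NPM_CDN_HOSTS = new Set(['unpkg.com', 'cdn.jsdelivr.net']);

// Constructed log format: "<ISO time> <client ip> <user> <method> <url> <status>".
function parseProxyLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 6) return null;
  const [ts, client, user, method, url, status] = f;
  return { ts, client, user, method, url, status: Number(status) };
}

// Split a CDN path into package name, version and file, handling scoped
// packages (/@scope/name@ver/file) and jsDelivr's leading /npm/ segment.
function parseNpmCdnPath(host, pathname) {
  let p = pathname;
  if (host === 'cdn.jsdelivr.net') {
    if (!p.startsWith('/npm/')) return null; // /gh/ etc. are not npm content
    p = p.slice('/npm'.length);
  }
  const m = /^\/((?:@[^/@]+\/)?[^/@]+)(?:@([^/]+))?(\/.*)?$/.exec(p);
  if (!m) return null;
  return { pkg: m[1], version: m[2] || null, file: m[3] || '/' };
}

// One finding per request for an HTML file served out of an npm package.
function flagNpmCdnHtml(lines, cdnHosts = NPM_CDN_HOSTS) {
  const findings = [];
  for (const line of lines) {
    const ev = parseProxyLine(line);
    if (!ev) continue;
    let u;
    try { u = new URL(ev.url); } catch { continue; }
    if (!cdnHosts.has(u.hostname)) continue;
    const npm = parseNpmCdnPath(u.hostname, u.pathname);
    if (!npm || !/\.html?$/i.test(npm.file)) continue;
    findings.push({ ts: ev.ts, client: ev.client, user: ev.user,
                    pkg: npm.pkg, version: npm.version, file: npm.file });
  }
  return findings;
}

// For each finding, the non-CDN hosts the same client contacted within
// windowSec afterwards: that is where the redirect sent the browser.
function followUps(lines, findings, windowSec = 60) {
  const events = lines.map(parseProxyLine).filter(Boolean);
  return findings.map((f) => {
    const t0 = Date.parse(f.ts);
    const hosts = new Set();
    for (const e of events) {
      const dt = Date.parse(e.ts) - t0;
      if (e.client !== f.client || dt <= 0 || dt > windowSec * 1000) continue;
      let h;
      try { h = new URL(e.url).hostname; } catch { continue; }
      if (!NPM_CDN_HOSTS.has(h)) hosts.add(h);
    }
    return { ...f, nextHosts: [...hosts] };
  });
}

// Constructed sample log: one user hits an npm-hosted HTML page and lands on
// a fake login host a second later; a build host and a scoped-package hit
// show the benign-JS and scoped-path cases.
const SAMPLE_PROXY_LOG = [
  '2026-02-10T09:14:02Z 10.20.30.41 jdoe GET https://unpkg.com/docs-share-viewer@1.0.3/view.html 200',
  '2026-02-10T09:14:03Z 10.20.30.41 jdoe GET https://login.example-docs.invalid/verify 200',
  '2026-02-10T09:15:11Z 10.20.30.77 build GET https://unpkg.com/react@18.2.0/umd/react.production.min.js 200',
  '2026-02-10T09:16:40Z 10.20.30.52 asmith GET https://cdn.jsdelivr.net/npm/@acme/portal-docs@2.1.0/index.html 200',
  '2026-02-10T09:17:00Z 10.20.30.52 asmith GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 304',
];

console.log(JSON.stringify(followUps(SAMPLE_PROXY_LOG, flagNpmCdnHtml(SAMPLE_PROXY_LOG)), null, 2));
```

Two caveats when adapting this. Developer workstations and build hosts legitimately pull `.js` from these CDNs, which is why the rule keys on `.html` files and on who the client is; an HTML page served from an npm package to a sales or procurement user's browser is the anomaly worth an analyst's time. And anything the lure carries in the URL fragment (after `#`) is never sent to the proxy, so only the path and query string are available in the log; the flagged package name and the follow-up host are the indicators to pivot on.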
