Malicious npm Packages Used in Phishing Campaign Against 135+ Companies

The Beamglea campaign is a large-scale phishing operation leveraging npm packages as free hosting infrastructure for credential harvesting. Discovered by Socket’s Threat Research Team in September 2025, it involves 175 malicious npm packages that collectively serve phishing scripts to victims. The campaign abuses the unpkg[.]com CDN to host JavaScript redirectors that funnel targets to credential theft pages, particularly Microsoft 365 phishing portals. The attackers automated the creation and publication of these packages using Python tooling, enabling industrial-scale phishing across 135+ global organizations.

Severity: High

Threat Overview

• Campaign Scale: 175 npm packages, 630+ HTML phishing lures, 9 npm accounts, 7 C2 domains, 135+ victim organizations
• Threat Actor Handles: zamaniboss, ghoxt, smfcs, doggymugu, flajpt, milotank, remdd100, remdd101, remdd1012
• Campaign Identifier: nb830r6x (appears in the meta tag of HTML files)
• HTML Lure Themes: Purchase Order List 2025.html, PO3725.html, PODV250918.html, Dutch Dipping Hydrogen Project.html, Product drawing and specification for Heat Exchangers.html
• Targeted Industries: Industrial Manufacturing, Energy, Technology, Chemical.
• Targeted Regions: Western Europe (Germany, Netherlands, Italy, Belgium), Nordic countries, and APAC.

Attack Chain

• Threat actors used Python automation (redirect_generator.py) to mass-generate random npm package names (redirect-[a-z0-9]{6}) and publish them publicly.
• Each package’s contents were served automatically through unpkg[.]com, creating HTTPS-accessible CDN URLs hosting the phishing JavaScript (beamglea.js).
• Victims received HTML attachments themed as “purchase orders” or “technical documents.” These lures loaded the malicious scripts directly from unpkg[.]com.
• The JavaScript redirected victims to phishing domains (e.g., cfn[.]jackpotmastersdanske[.]com) and appended the user’s email in the URL fragment to auto-fill phishing forms.
• The fake login portals mimicked Microsoft Office 365 pages to collect enterprise credentials, specifically targeting accounts without MFA (identified via o365_1_nom parameters).

MITRE ATT&CK

Recommendations

1. Warn employees about HTML file attachments mimicking invoices or project files.
2. Reinforce phishing awareness training with focus on Office 365 credential phishing.
3. Quarantine or block inbound HTML file attachments unless explicitly whitelisted.
4. Review all internal and third-party npm dependencies. Flag and remove any packages matching the naming pattern redirect-*.
5. Block or alert on connections to unpkg[.]com URLs containing /redirect-*/beamglea.js
6. Enable MFA across all business email and cloud services.
7. Review email gateway logs for HTML attachments delivered between September and October 2025, particularly files with purchase order themes or project document naming patterns.
8. Block the IOCs at their respective controls
   https://www.virustotal.com/gui/collection/600c6cd13045f380a0b23896527042dfcc99893ef56f380184777fe0cfdba28e/iocs

Source:

• https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure
• https://www.getsafety.com/blog-posts/jackpotmasters-credential-phishing-attack
• https://snyk.io/blog/phishing-campaign-leveraging-the-npm-ecosystem/

Enjoyed reading this Threat Intelligence Advisory? Stay updated with our latest exclusive content by following us on Twitter and LinkedIn

No related posts found.