27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials - The Hacker News

27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials Ravie LakshmananDec 29, 2025Threat Intelligence / Cloud Security Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical infrastructure-adjacent organizations in the U.S. and Allied nations, according to Socket. "A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft," researchers Nicholas Anderson and Kirill Boychenko said. The names of the packages are listed below - adril7123 ardril712 arrdril712 androidvoues assetslush axerification erification erificatsion errification eruification hgfiuythdjfhgff homiersla houimlogs22 iuythdjfghgff iuythdjfhgff iuythdjfhgffdf iuythdjfhgffs iuythdjfhgffyg jwoiesk11 modules9382 onedrive-verification sarrdril712 scriptstierium11 secure-docs-app sync365 ttetrification vampuleerl Rather than requiring users to install the packages, the end goal of the campaign is to repurpose npm and package content delivery networks (CDNs) as hosting infrastructure, using them to deliver client-side HTML and JavaScript lures impersonating secure document-sharing that are embedded directly in phishing pages, following which victims are redirected to Microsoft sign-in pages with the email address pre-filled in the form. The use of package CDNs offers several benefits, the foremost being the ability to turn a legitimate distribution service into infrastructure that's resilient to takedowns. In addition, it makes it easy for attackers to switch to other publisher aliases and package names, even if the libraries are pulled. The packages have been found to incorporate various checks on the client side to challenge analysis efforts, including filtering out bots, evading sandboxes, and requiring mouse or touch input before taking the victims to threat-actor-controlled credential harvesting infrastructure. The JavaScript code is also obfuscated or heavily minified to make automated inspection more difficult. Another crucial anti-analysis control adopted by the threat actor relates to the use of honeypot form fields that are hidden from view for real users, but are likely to be populated by crawlers. This step acts as a second layer of defense, preventing the attack from proceeding further. Socket said the domains packed into these packages overlap with adversary-in-the-middle (AitM) phishing infrastructure associated with Evilginx, an open-source phishing kit. This is not the first time npm has been transformed into phishing infrastructure. Back in October 2025, the software supply chain security firm detailed a campaign dubbed Beamglea that saw unknown threat actors uploading 175 malicious packages for credential harvesting attacks. The latest attack wave is assessed to be distinct from Beamglea. "This campaign follows the same core playbook, but with different delivery mechanics," Socket said. "Instead of shipping minimal redirect scripts, these packages deliver a self-contained, browser-executed phishing flow as an embedded HTML and JavaScript bundle that runs when loaded in a page context." What's more, the phishing packages have been found to hard-code 25 email addresses tied to specific individuals, who work in account managers, sales, and business development representatives in manufacturing, industrial automation, plastics and polymer supply chains, healthcare sectors in Austria, Belgium, Canada, France, Germany, Italy, Portugal, Spain, Sweden, Taiwan, Turkey, the U.K., and the U.S. It's currently unknown how the attackers obtained the email addresses. But given that many of the targeted firms convene at major international trade shows, such as Interpack and K-Fair, it's suspected that the threat actors may have pulled the information from these sites and combined it with general open-web reconnaissance. "In several cases, target locations differ from corporate headquarters, which is consistent with the threat actor’s focus on regional sales staff, country managers, and local commercial teams rather than only corporate IT," the company said. To counter the risk posed by the threat, it's essential to enforce stringent dependency verification, log unusual CDN requests from non-development contexts, enforce phishing-resistant multi-factor authentication (MFA), and monitor for suspicious post-authentication events. The development comes as Socket said it observed a steady rise in destructive malware across npm, PyPI, NuGet Gallery, and Go module indexes using techniques like delayed execution and remotely-controlled kill switches to evade early detection and fetch executable code at runtime using standard tools such as wget and curl. "Rather than encrypting disks or indiscriminately destroying files, these packages tend to operate surgically," researcher Kush Pandya said. "They delete only what matters to developers: Git repositories, source directories, configuration files, and CI build outputs. They often blend this logic into otherwise functional code paths and rely on standard lifecycle hooks to execute, meaning the malware may never need to be explicitly imported or invoked by the application itself." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Cloud security, Credential Theft, cybersecurity, Infrastructure Security, Malware, NPM, Open Source, Phishing, Software Supply Chain, Threat Intelligence Trending News Cisco Confirms Active Exploitation of Two Catalyst SD-WAN Manager Vulnerabilities APT28 Tied to CVE-2026-21513 MSHTML 0-Day Exploited Before Feb 2026 Patch Tuesday Anthropic Finds 22 Firefox Vulnerabilities Using Claude Opus 4.6 AI Model Google Confirms CVE-2026-21385 in Qualcomm Android Component Exploited ThreatsDay Bulletin: DDR5 Bot Scalping, Samsung TV Tracking, Reddit Privacy Fine and More Open-Source CyberStrikeAI Deployed in AI-Driven FortiGate Attacks Across 55 Countries ⚡ Weekly Recap: Qualcomm 0-Day, iOS Exploit Chains, AirSnitch Attack and Vibe-Coded Malware ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket Coruna iOS Exploit Kit Uses 23 Exploits Across Five Chains Targeting iOS 13–17.2.1 Microsoft Reveals ClickFix Campaign Using Windows Terminal to Deploy Lumma Stealer 149 Hacktivist DDoS Attacks Hit 110 Organizations in 16 Countries After Middle East Conflict New Chrome Vulnerability Let Malicious Extensions Escalate Privileges via Gemini Panel OpenAI Codex Security Scanned 1.2 Million Commits and Found 10,561 High-Severity Issues Starkiller Phishing Suite Uses AitM Reverse Proxy to Bypass Multi-Factor Authentication Load More ▼ Popular Resources Identity Controls Checklist: Find Missing Protections in Apps 19,053 Confirmed Breaches in 2025 – Key Trends and Predictions for 2026 Read CYBER360 2026: From Zero Trust Limits to Data-Centric Security Paths Self-Hosted WAF: Block SQLi, XSS, and Bots Before They Reach Your Apps