Over 175 Malicious NPM Packages Impact 26,000 Projects

Security researchers have uncovered 175 malicious packages on the npm registry, used to steal login credentials in a campaign dubbed "Beamglea." The packages were downloaded 26,000 times and targeted more than 135 organizations worldwide, across sectors including manufacturing, technology, and energy. Because the packages carry random names, developers are unlikely to have installed them by accident; the download count also includes security researchers and automated scanners that fetched the packages after disclosure.
The attack abused npm's public registry and the unpkg.com CDN, which serves the files of any published npm package, to host scripts that redirect users to phishing sites. A Python script, "redirect_generator.py," automatically generated npm packages named "redirect-xxxxxx," embedding a victim's email address and a phishing link in each. Once the packages were published, the attackers created HTML files that load the package's script from UNPKG; when a victim opens such a file, the JavaScript redirects the browser to a fake Microsoft login page.
The JavaScript file "beamglea.js" performed the redirect, carrying the victim's email address and the phishing URL. More than 630 HTML files mimicking legitimate documents were found, which suggests email attachments as the likely distribution vector. The phishing pages pre-filled the email field with the victim's address, making the lure more convincing and raising its success rate.
This incident illustrates how attackers repurpose legitimate services such as npm and UNPKG for large-scale phishing. The npm packages themselves execute no harmful code on installation; the harm occurs when a victim opens a crafted HTML file and is redirected to the phishing site. By publishing 175 packages across nine accounts and automating HTML file creation, the attackers built a cheap, scalable phishing infrastructure on trusted platforms.
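The detection angle that follows from the description above is that the lure HTML files must reference an UNPKG URL for one of the throwaway packages. The script below is an added example, not code from the original article or from the researchers who reported the campaign: it parses HTML files, collects every external script source, and flags those served from unpkg.com whose package name matches the "redirect-" plus random-suffix pattern or whose file path mentions "beamglea". The sample HTML files are constructed for the example, the exact suffix length is assumed (the article only shows "redirect-xxxxxx"), and the function names are the example's own. A mail gateway or endpoint scanner could run the same check over attachments.

```python
import re
from html.parser import HTMLParser

# Constructed sample attachments for the example; the first mimics the shape of a
# Beamglea lure, the others are benign controls. None of these are real campaign files.
SAMPLE_FILES = {
    "invoice_Q3.html": (
        '<html><body><script src="https://unpkg.com/redirect-a1b2c3@1.0.0/beamglea.js">'
        "</script></body></html>"
    ),
    "report.html": (
        '<html><head><script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js">'
        "</script></head><body>quarterly report</body></html>"
    ),
    "notes.html": "<html><body><p>no scripts here</p></body></html>",
}

# unpkg.com/<package>[@<version>]/<path>; scoped packages (@scope/name) are handled too.
UNPKG_URL = re.compile(
    r"^https?://unpkg\.com/(@[^/@]+/[^/@]+|[^/@]+)(?:@[^/]+)?/?(.*)$", re.IGNORECASE
)
# Assumed shape of the throwaway package names: "redirect-" followed by a random
# alphanumeric suffix. The article shows six placeholder characters; a lower bound of
# four is used here so minor variations are still caught.
SUSPICIOUS_PACKAGE = re.compile(r"^redirect-[a-z0-9]{4,}$", re.IGNORECASE)
SUSPICIOUS_PATH = re.compile(r"beamglea", re.IGNORECASE)


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value.strip())


def find_indicators(html):
    """Return a list of flagged script sources with the reasons each was flagged."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        match = UNPKG_URL.match(src)
        if not match:
            continue  # not served from unpkg.com; out of scope for this check
        package, path = match.group(1), match.group(2)
        reasons = []
        if SUSPICIOUS_PACKAGE.match(package):
            reasons.append("package name matches the redirect-<random> pattern")
        if SUSPICIOUS_PATH.search(path):
            reasons.append("script path references beamglea")
        if reasons:
            hits.append({"src": src, "package": package, "reasons": reasons})
    return hits


def scan_files(files):
    """Map each file name to its indicator hits, omitting files with none."""
    report = {}
    for name, content in files.items():
        hits = find_indicators(content)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_files(SAMPLE_FILES).items():
        for hit in hits:
            print(f"{name}: {hit['src']} -> {'; '.join(hit['reasons'])}")
```

The check is deliberately narrow: a legitimate page may load a genuine library from unpkg.com, so only the package-name and path patterns tied to this campaign raise a flag. Blocking script loads from unpkg.com entirely in email-rendered HTML is a stronger but coarser control.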
Stay secure — stay Wavasec. 🔐