EXECUTIVE SUMMARY:
A large-scale campaign involving 175 malicious npm packages was identified, where the packages were used to host phishing infrastructure instead of deploying malware. The operation leveraged trusted developer platforms and content delivery networks to distribute redirect scripts that guided users toward credential-harvesting pages. Each package appeared legitimate, with randomly generated names that reduced suspicion while still attracting downloads through automated systems and scanning tools. This method allowed attackers to exploit well-established, reputable ecosystems to maintain persistence and credibility. The campaign demonstrates how easily software supply chains can be repurposed for hosting phishing operations, blurring the line between legitimate and malicious use of public repositories. It highlights a growing trend in which adversaries no longer need to compromise codebases directly to conduct large-scale social engineering and credential theft campaigns.
The malicious npm packages abused automatic hosting features provided by public content delivery networks. Instead of embedding harmful code, the attackers included simple redirect scripts that linked to phishing websites. These scripts were then referenced from HTML lure files disguised as legitimate business communications such as invoices or project proposals. When opened, the HTML file executed the embedded script, redirecting the user to a fake login page that automatically filled in the victim’s email address for added authenticity. The attackers automated the entire process, from creating random package names and uploading scripts to generating phishing lures, with scripting tools. Hundreds of these packages were discovered, pointing to multiple phishing infrastructures and targeting organizations across various industries and regions. The use of encoded parameters, victim-specific URL fragments, and minimal code helped the attackers evade traditional detection, showing a well-orchestrated balance between simplicity, automation, and stealth.
The campaign illustrates a strategic evolution in supply chain exploitation, where trusted development and hosting services are weaponized to deliver phishing content instead of malicious executables. Because the uploaded packages contained no overtly harmful code, they bypassed common malware detection systems and remained active longer. This method highlights the attackers’ preference for subtle, infrastructure-based deception rather than direct compromise. To mitigate such threats, organizations should enhance monitoring for suspicious external content requests, apply stricter validation for third-party scripts, and restrict execution of unverified code from public repositories. Strengthening email security to filter HTML attachments and enforcing multifactor authentication can further limit exposure. The incident emphasizes the importance of a holistic supply chain defense that extends beyond code integrity to include infrastructure monitoring and proactive identification of misuse within legitimate ecosystems.
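As an added example (not code from the report or from any vendor tooling), the following Python script applies the monitoring advice above to an HTML attachment: it lists script tags whose source is a public npm CDN and decodes a base64 URL fragment to recover the victim-specific identifier the lure carries. The CDN hostnames, package name and sample lure are assumptions constructed for this example; the report names none of them.

```python
"""Flag script tags in an HTML lure that load from public npm CDNs and recover
an encoded victim email from the URL fragment or query string."""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlparse

# Assumption: CDNs that auto-host npm package contents (not named in the report).
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)


def decode_email(token):
    """Return the email hidden in a base64 token, or None if it is not one."""
    try:
        padded = token + "=" * (-len(token) % 4)
        decoded = base64.b64decode(padded).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if EMAIL_RE.match(decoded) else None


def scan_lure(html):
    """Return one finding per script loaded from an npm CDN host."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        url = urlparse(src)
        host = url.netloc.lower()
        if host not in NPM_CDN_HOSTS:
            continue
        # Victim identifiers travel in the fragment or in query parameter values.
        candidates = [url.fragment] + [v for _, v in parse_qsl(url.query)]
        emails = [e for e in map(decode_email, candidates) if e]
        findings.append({"src": src, "cdn_host": host,
                         "victim_email": emails[0] if emails else None})
    return findings


# Constructed sample lure (not from the report): an "invoice" attachment whose
# only payload is a redirect script served from an npm package via a CDN.
SAMPLE_LURE = """<html><body><h1>Invoice #4821</h1>
<script src="https://unpkg.com/xk9q2-pkg@1.0.0/redirect.js#dmljdGltQGV4YW1wbGUuY29t"></script>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_lure(SAMPLE_LURE):
        print(finding)
```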
THREAT PROFILE:
Tactic | Technique ID | Technique | Sub-Technique |
Resource Development | T1583.001 | Acquire Infrastructure | Domains |
Resource Development | T1584.004 | Compromise Infrastructure | Server |
Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
Initial Access | T1566.002 | Phishing | Spearphishing Link |
Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
Credential Access | T1056.003 | Input Capture | Web Portal Capture |
REFERENCES:
The following reports contain further technical details: