Tuesday, 02 January 2024 12:17 GMT

Massive Npm-Based Phishing Network Exposed Under “Beamglea” Campaign


(MENAFN- The Arabian Post)

Security analysts have uncovered a large-scale phishing operation utilising 175 npm packages as infrastructure to redirect victims to credential-harvesting sites. The packages, collectively downloaded over 26,000 times, do not themselves execute malware; rather, they act as hosting points for malicious scripts delivered through npm's public registry and the unpkg CDN.

The campaign, dubbed Beamglea, is believed to have targeted more than 135 companies across industrial, technology and energy sectors. Its architecture shifts the threat paradigm: it treats legitimate open-source infrastructure as a weapon, rather than relying on direct code compromise of downstream systems.

Threat researchers from Socket say the npm packages follow a naming convention such as redirect-[a-z0-9]{6} and embed references to a beamglea.js payload. Once loaded via unpkg, that JavaScript appends the victim's email via URL fragment and redirects to phishing domains, thereby avoiding traditional server-side logging and presenting a prefilled login interface to lower suspicion. The packages themselves perform no malicious action on installation.

Investigators located over 630 HTML lures embedded in the packages, themed as invoices, purchase orders or technical documentation. These HTML documents reference the CDN-served scripts. Though the distribution vector for these lures has not been definitively confirmed, spear-phishing via email is considered likely. Socket has petitioned npm to remove the packages and suspend the threat actor accounts.

One hallmark of the campaign is automation. Analysts discovered a Python-based module that automates package creation, template injection of victim email and phishing URL, publication to npm, and generation of HTML lures. This system enables scale while maintaining the illusion of benign activity. Some phishing domains incorporate Base64-encoded parameters to identify Office 365 accounts lacking multi-factor authentication.


Researchers warn that this method bypasses many standard supply-chain defences: because the npm packages do not run malicious code on install, static analysis and malware scans are unlikely to detect them. Instead, the threat exploits the trust placed in npm's public registry and unpkg's automatic HTTPS serving to host phishing infrastructure at minimal cost.
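The two details above that matter to defenders are the package naming convention with its beamglea.js reference served via unpkg, and the use of the URL fragment, which browsers never send to the server. The following is an added example, not Socket's tooling or anything from the campaign itself, that scans an HTML lure for unpkg script tags matching those indicators; the sample lure, package name and domain are constructed placeholders.

```javascript
// Added example: flag HTML documents that load scripts from unpkg packages
// following the reported naming convention redirect-[a-z0-9]{6}, or that
// reference a beamglea.js file. Unscoped packages only (@scope/name is
// deliberately not matched here, since the reported names are unscoped).
const PKG_RE = /^redirect-[a-z0-9]{6}$/;
// unpkg URL shape: https://unpkg.com/<pkg>[@<version>]/<path>
const UNPKG_SCRIPT_RE =
  /<script[^>]+src=["']https?:\/\/unpkg\.com\/([^@\/"']+)(?:@[^\/"']+)?\/([^"']+)["']/gi;

function findSuspiciousUnpkgScripts(html) {
  const hits = [];
  for (const m of html.matchAll(UNPKG_SCRIPT_RE)) {
    const [, pkg, path] = m;
    const reasons = [];
    if (PKG_RE.test(pkg)) reasons.push("package name matches redirect-[a-z0-9]{6}");
    if (/(^|\/)beamglea\.js$/i.test(path)) reasons.push("references beamglea.js");
    if (reasons.length) hits.push({ pkg, path, reasons });
  }
  return hits;
}

// Why the fragment defeats server-side logging: only path and query leave the
// browser in the HTTP request; everything after '#' stays client-side, so a
// web-server access log never records an email placed there.
function serverVisiblePath(url) {
  const u = new URL(url);
  return u.pathname + u.search; // u.hash is intentionally excluded
}

// Constructed sample lure (not a real artifact from the campaign).
const SAMPLE_LURE = `<html><body><p>Invoice INV-0042 attached</p>
<script src="https://unpkg.com/redirect-ab12cd@1.0.0/beamglea.js"></script>
<script src="https://unpkg.com/lodash@4.17.21/lodash.min.js"></script>
</body></html>`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(findSuspiciousUnpkgScripts(SAMPLE_LURE));
  console.log(serverVisiblePath("https://login.example.test/?ref=1#victim@example.test"));
}
```

The same scan can be pointed at the contents of a published package rather than a captured lure, since the reported packages carry the HTML files themselves.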

Parallel to Beamglea, the npm ecosystem faces additional challenges. A broader supply-chain attack in September compromised 18 extremely high-traffic npm packages, inserting browser-based hooks that intercept cryptocurrency wallet interactions and redirect funds to attacker-controlled accounts. That incident affected libraries like chalk and debug, which see billions of downloads weekly.

A worm-like campaign named Shai-Hulud has been flagged, targeting widely used packages and propagating itself by harvesting secrets and inserting backdoors. It operates across npm accounts, installing hidden GitHub Actions workflows and compromising maintainers' development environments.

Academic research in October 2025 underscores the broader structural risk: nearly 18 percent of npm packages are trivial, yet their presence may still introduce security exposure. Detection tools developed in the research achieved high accuracy in flagging these “data-only” or trivial packages as potential attack surfaces.
