Full Report
Cybersecurity researchers have flagged a new set of 175 malicious packages on the npm registry that have been used to facilitate credential harvesting attacks as part of an unusual campaign. The packages have been collectively downloaded 26,000 times, acting as infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy
Analysis Summary
# Tool/Technique: Beamglea Phishing Infrastructure (Leveraging npm and UNPKG)
## Overview
Beamglea is the codename for a widespread credential phishing campaign that utilizes malicious packages hosted on the npm registry. The core objective is to create a resilient, low-cost phishing infrastructure that abuses legitimate package hosting and Content Delivery Network (CDN) services (specifically unpkg.com) to distribute redirect scripts and disguise phishing lures as legitimate documents.
## Technical Details
- Type: Attack Framework / Campaign Infrastructure Abuse
- Platform: npm Ecosystem, Web Browsers (Victims)
- Capabilities: Automated generation of victim-specific phishing packages, hosting malicious redirect scripts on trusted CDNs, pre-filling email addresses on phishing pages to increase social engineering success.
- First Seen: The packages were first flagged late in the month before the October 10, 2025 disclosure; the campaign was already running before that date.
## MITRE ATT&CK Mapping
- T1583 - Acquire Infrastructure
- T1583.006 - Web Services (the npm registry and the UNPKG CDN are legitimate services used to host the redirect script; note that T1583.004 is "Server", which does not fit this case)
- T1566 - Phishing
- T1566.002 - Spearphishing Link (the HTML lure loads the hosted script, which sends the victim to the credential harvesting page)
- T1036 - Masquerading
- T1036.005 - Match Legitimate Name or Location (the lure and the script load come from trusted, high-reputation infrastructure rather than attacker-owned domains)
## Functionality
### Core Capabilities
- **Automated Package Creation:** Use of a Python script (`redirect_generator.py`) to programmatically create and publish npm packages with randomized names (e.g., "redirect-xxxxxx").
- **Infrastructure Hosting:** Leveraging the public npm registry and the UNPKG CDN to host the malicious redirection payload (`beamglea.js`).
- **Credential Harvesting:** Distributing HTML files (masquerading as purchase orders or technical documents) that load the JavaScript from the trusted UNPKG CDN, which then redirects victims to Microsoft credential harvesting pages.
### Advanced Features
- **Victim-Specific Targeting:** Injection of the victim's email address into the package configuration, which is then passed to the JavaScript redirect script.
- **Pre-filled Email:** The redirect script appends the victim's email address to the phishing URL as a URL fragment (the part after `#`, which the browser does not send to the server but which client-side script on the landing page can read). The phishing page uses it to pre-fill the email field, which makes the page look like a legitimate session continuation and raises the likelihood that the victim submits a password.
- **Resilience and Cost Efficiency:** The infrastructure is highly resilient because it costs nothing to host (leveraging npm and UNPKG) and uses trusted, high-reputation services for file serving.
## Indicators of Compromise
- File Hashes: [Not explicitly listed in the summary]
- File Names:
- `redirect_generator.py` (Tool used by attacker)
- `beamglea.js` (The malicious redirect script hosted on UNPKG)
- HTML files masquerading as legitimate documents (e.g., purchase orders, technical specifications)
- Registry Keys: [Not applicable]
- Network Indicators:
- `unpkg[.]com` (Abused CDN infrastructure)
- Microsoft credential harvesting pages (destination URLs; the specific URLs are not listed in this summary)
- Behavioral Indicators:
- An HTML attachment that, when opened in a browser, loads a script from `unpkg[.]com` and immediately navigates to an external login page, with the recipient's own email address carried in the URL fragment.
- Script loads from the UNPKG CDN that reference newly published or obscure npm packages (for example, randomized `redirect-*` names) rather than well-known libraries. Note that the victims never install the packages; the packages exist only so that UNPKG will serve their contents.
## Associated Threat Actors
- Specific threat actor group is not named in the summary, but the campaign is tracked under the codename **Beamglea**.
## Detection Methods
- Signature-based detection: Less effective against this technique because the lure files are generated per victim (each embeds a different email address), so file hashes vary, and the script is served from a legitimate CDN endpoint rather than attacker-controlled infrastructure.
- Behavioral detection: Detecting scripts that load resources from CDNs like unpkg.com and immediately trigger browser redirects, especially when associated with recently published, low-reputation npm packages.
- YARA rules: Not mentioned.
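The following is an added example, not code from the original report and not the campaign's own tooling. It turns the behavioural indicators and the detection approach above into an offline triage routine: it extracts `unpkg.com` script references from an HTML lure, checks whether the referenced script performs a location change that carries data in the URL fragment, looks for an embedded email address (the victim-specific targeting signal), and applies reputation heuristics to the package's npm packument. The HTML, script body, packument, package name, domains and email address are all constructed for illustration, and the 30-day age threshold and the `redirect-*` name pattern are assumptions based on the example name in the report.

```javascript
// Added example: offline triage of an HTML lure that loads a script from unpkg.com.
// Not code from the original report. All sample inputs are constructed.

// <script src="https://unpkg.com/<name>[@<version>][/<path>"> (scoped names included).
const UNPKG_RE =
  /<script[^>]+src=["']https?:\/\/unpkg\.com\/((?:@[\w.-]+\/)?[\w.-]+)(?:@([^/"'\s]+))?(\/[^"'\s]*)?["']/gi;

// Pull every unpkg.com <script src> reference out of an HTML document.
function extractUnpkgRefs(html) {
  const refs = [];
  for (const m of html.matchAll(UNPKG_RE)) {
    refs.push({ pkg: m[1], version: m[2] ?? null, path: m[3] ?? '' });
  }
  return refs;
}

// Does the script assign the browser location AND build a URL fragment?
// That is the behaviour the report describes for beamglea.js: the victim's
// address is placed after '#' so the phishing page can pre-fill it.
function looksLikeFragmentRedirect(js) {
  const setsLocation =
    /(?:window\.|document\.|top\.)?location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(/.test(js);
  const buildsFragment = /["']#["']\s*\+|\+\s*["']#|\.hash\s*=[^=]|#\$\{/.test(js);
  return setsLocation && buildsFragment;
}

// Email literals embedded in the script body (victim-specific targeting).
function embeddedEmails(js) {
  return [...new Set(js.match(/[\w.+-]+@[\w-]+(?:\.[\w-]+)+/g) ?? [])];
}

// Reputation heuristics over an npm packument (registry.npmjs.org/<name>).
// The 30-day threshold and the redirect-* pattern are assumptions, not report values.
function packageRiskReasons(packument, nowMs) {
  if (!packument || !packument.name) return ['no registry metadata available'];
  const reasons = [];
  const created = Date.parse(packument.time?.created ?? '');
  if (!Number.isNaN(created) && nowMs - created < 30 * 24 * 3600 * 1000) {
    reasons.push('published less than 30 days ago');
  }
  if (Object.keys(packument.versions ?? {}).length <= 1) reasons.push('single published version');
  if (!packument.repository) reasons.push('no repository field');
  if (/^redirect-[a-z0-9]+$/i.test(packument.name)) reasons.push('randomized redirect-* name');
  return reasons;
}

// Combine the checks. `scripts` maps "pkg@version/path" to the captured script
// body and `packuments` maps package name to its registry document, so this
// runs fully offline against artefacts collected during an investigation.
function triageLure({ html, scripts, packuments, nowMs }) {
  return extractUnpkgRefs(html).map((ref) => {
    const key = `${ref.pkg}@${ref.version ?? 'latest'}${ref.path}`;
    const js = scripts[key] ?? '';
    const reasons = packageRiskReasons(packuments[ref.pkg], nowMs);
    const redirect = looksLikeFragmentRedirect(js);
    const emails = embeddedEmails(js);
    if (redirect) reasons.push('script performs a fragment-carrying redirect');
    if (emails.length) reasons.push(`embeds address ${emails.join(', ')}`);
    return { ...ref, suspicious: redirect || reasons.length >= 2, reasons };
  });
}

// --- constructed sample inputs (hypothetical package, domains and address) ---
const LURE_HTML = `<html><body><p>Purchase order PO-4471 attached.</p>
<script src="https://unpkg.com/redirect-k3x9qz@1.0.0/beamglea.js"></script>
</body></html>`;

const SAMPLE_SCRIPTS = {
  'redirect-k3x9qz@1.0.0/beamglea.js':
    'var victim = "buyer@example-target.invalid";\n' +
    'window.location.href = "https://login-example.invalid/auth" + "#" + victim;',
};

const SAMPLE_PACKUMENTS = {
  'redirect-k3x9qz': {
    name: 'redirect-k3x9qz',
    time: { created: '2025-09-28T10:00:00.000Z' },
    versions: { '1.0.0': {} },
  },
};

const NOW = Date.parse('2025-10-10T00:00:00.000Z');

function demo() {
  return triageLure({ html: LURE_HTML, scripts: SAMPLE_SCRIPTS, packuments: SAMPLE_PACKUMENTS, nowMs: NOW });
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

Run with `node triage.js` against the constructed inputs and the single reference is flagged with six reasons; a reference to a long-lived library with many versions and a repository field (for example a pinned `react` build) produces no reasons and is not flagged. In practice the script body would be fetched from the unpkg URL in a sandbox and the packument from `https://registry.npmjs.org/<name>`, and the `created` timestamp is the strongest single signal because the lure is only useful while the package is new.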
## Mitigation Strategies
- **Registry Monitoring:** The packages do nothing on install and are not meant to be consumed as dependencies, so treat them as hosting artifacts rather than as supply chain risk: look for newly published packages with randomized names whose only meaningful content is a redirect script, and handle them as phishing infrastructure.
- **Network Monitoring:** Monitoring outgoing traffic from user workstations/browsers for redirects to external credential harvesting sites initiated from seemingly benign document interactions, in particular an HTML attachment that loads a script from `unpkg[.]com` and then navigates to a login page.
- **User Education:** The victims are employees opening HTML attachments, not developers. Train users to treat an attached "document" that opens a login page as suspicious, especially when their email address is already filled in.
- **Filtering:** Block or inspect script loads from `unpkg[.]com` in user browsers where there is no business need, and treat HTML attachments that reference the CDN as suspicious at the mail gateway.
## Related Tools/Techniques
- Abuse of legitimate package repositories (e.g., PyPI, RubyGems) for hosting malicious infrastructure.
- Typosquatting (not used here: the package names are randomized rather than lookalike, because nobody is expected to install them; they exist only as hosting locations for the redirect script).
- Similar phishing campaigns that pre-fill form fields to increase user trust.