Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

NPM-spoofing credential-phishing campaign

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

A phishing campaign spoofing NPM is stealing developer credentials and 2FA tokens, creating a fast path to package-account compromise across widely used JavaScript projects. The lure uses a fake login page to capture access and then alter account details. Because package maintainers control software updates, the same technique can seed malicious code into dependencies downloaded at massive scale.

Related Happenings

TikTok for Business phishing campaign using Turnstile and reverse proxy

Campaign
First: 26.03.2026 16:09 Last: 26.03.2026 16:09 Sources 1

About this happening: A **phishing campaign** is targeting **TikTok for Business accounts** and uses **Cloudflare Turnstile** to block automated analysis before exposing a **reverse-proxy** credential-...

Open Happening

Malicious npm spear-phishing campaign targeting industrial and energy employees

Campaign
First: 28.01.2026 11:30 Last: 28.01.2026 11:30 Sources 1

About this happening: The **malicious npm packages** flockiali, opresc, prndn, oprnm, and operni were found serving a **fake Microsoft-branded login screen**, signaling an active **spear-phishing campa...

Open Happening

Npm registry spear-phishing campaign targeting sales personnel

Campaign
First: 29.12.2025 11:44 Last: 29.12.2025 11:44 Sources 1

About this happening: **Unknown threat actors** ran a **five-month** spear-phishing campaign that abused **27 npm packages** as browser-hosting infrastructure, turning a software registry into a resili...

Open Happening

Calendly-themed brand-impersonation phishing campaign targeting ad manager accounts

Campaign
First: 02.12.2025 16:00 Last: 02.12.2025 16:00 Sources 1

About this happening: An ongoing **Calendly-themed phishing campaign** is impersonating major brands to steal **Google Workspace** and **Facebook business** credentials, creating takeover risk for ad a...

Open Happening

Typosquatted npm packages delivering a PyInstaller infostealer

Malware Activity
First: 30.10.2025 01:16 Last: 30.10.2025 01:16 Sources 1

About this happening: **Ten malicious npm packages** impersonated popular libraries and delivered a **24 MB PyInstaller infostealer** to developers on **Windows, Linux, and macOS**. The packages used *...

Open Happening

Timeline

  1. 09.09.2025 01:53 1 articles · 8mo ago

    Spoofed npmjs[.]help domain is registered

    Campaign Scope Update

    Attackers registered the spoofed domain npmjs[.]help about two days before sending the phishing email, setting up a fake NPM login page used to capture maintainer credentials and 2FA tokens.

    Show sources
    Open in new tab
  2. 09.09.2025 01:53 2 articles · 8mo ago

    NPM credential-phishing email steals 2FA tokens

    Exploitation Observed

    A larger campaign spoofing NPM targeted developers maintaining NPM projects with a fake login page that intercepted usernames, passwords, and 2FA tokens, then changed the email address on the victim's NPM account to lock out maintainer Josh Junon.

    Show sources
    Open in new tab
  3. 09.09.2025 01:53 1 articles · 8mo ago

    Aikido detects malicious code in 18 NPM packages

    Initial Disclosure

    Aikido's systems found malicious code in at least 18 widely used NPM libraries, notified maintainer Josh Junon on Bsky, and identified browser-based crypto-interceptor malware in packages downloaded more than two billion times each week.

    Show sources
    Open in new tab