Beamglea malicious npm phishing campaign
Campaign
Summary
Hide ▲
Show ▼
The Beamglea phishing operation is using 175 malicious npm packages and unpkg.com redirect scripts to funnel victims to credential-harvesting pages, broadening risk across a wide set of organizations. The infrastructure has already been downloaded 26,000 times and is tied to targeting more than 135 industrial, technology, and energy companies worldwide. The packages do not execute malicious code on install; instead, they support victim-specific HTML payloads that trigger browser redirects. That setup turns trusted package hosting into a scalable phishing delivery channel.
Related Happenings
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Google DoubleClick malspam campaign delivering DesckVB RAT
CampaignAbout this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
H score68
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Mini Shai-Hulud npm supply-chain malware wave
Malware ActivityAbout this happening: The **Mini Shai-Hulud** npm **malware activity** now includes the **Miasma** variant affecting **Microsoft GitHub repositories** in a self-replicating **supply-chain campaign**. O...
Latest development: 09.06.2026 18:42
On June 5, Microsoft removed 73 repositories across its Azure, microsoft, Azure-Samples, and MicrosoftDocs organizations on GitHub after concerns about potential malicious content tied to the Miasma/Shai-Hulud supply-chain campaign. The action disrupted continuous integration pipelines and broke workflows that depended on Azure/functions-action, while Microsoft said it temporarily removed some repositories during its investigation.
Npm typosquatting campaign distributing WinOS 4.0 implant
Campaign
H score20
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
Npm typosquatting campaign distributing WinOS 4.0 implant
CampaignAbout this happening: A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
BufferZoneCorp sleeper-package supply chain campaign
Campaign
H score38
First: 01.05.2026 12:43
Last: 01.05.2026 12:43
Sources 1
About this happening:
The **BufferZoneCorp** software supply chain campaign is pushing **malicious Ruby gems and Go modules** that can steal credentials, tamper with **GitHub Actions**, and persist on...
BufferZoneCorp sleeper-package supply chain campaign
CampaignAbout this happening: The **BufferZoneCorp** software supply chain campaign is pushing **malicious Ruby gems and Go modules** that can steal credentials, tamper with **GitHub Actions**, and persist on...
Timeline
-
10.10.2025 13:45 2 articles · 9mo ago
Researchers flag Beamglea malicious npm packages used for credential phishing
Initial DisclosureCybersecurity researchers identified 175 malicious packages on the npm registry that were being used as infrastructure for the Beamglea phishing campaign, which targeted more than 135 industrial, technology, and energy companies worldwide. The packages had been collectively downloaded 26,000 times and abused npm and the unpkg.com CDN to host redirect scripts that loaded JavaScript from unpkg.com, injected victim email addresses, and sent victims to Microsoft credential-harvesting pages.
Show sources
- 175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign — thehackernews.com — 10.10.2025 13:45
- 175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign — thehackernews.com — 10.10.2025 13:45