27 Malicious npm Packages Used in Targeted Phishing Campaign
Summary
Cybersecurity researchers have uncovered a sustained spear-phishing campaign that involved publishing 27 malicious npm packages to steal login credentials from sales and commercial personnel at critical infrastructure-adjacent organizations in the U.S. and Allied nations. The campaign, which lasted five months, targeted 25 organizations across manufacturing, industrial automation, plastics, and healthcare sectors. The attackers repurposed npm and package CDNs to host phishing lures that impersonate secure document-sharing portals and Microsoft sign-in pages.
Timeline
- 29.12.2025 11:44 (1 article): 27 Malicious npm Packages Used in Targeted Phishing Campaign
Sources:
- 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials — thehackernews.com — 29.12.2025 11:44
Information Snippets
- The campaign involved 27 npm packages uploaded from six different npm aliases.
  First reported: 29.12.2025 11:44 (1 source, 1 article)
- The packages were used to deliver client-side HTML and JavaScript lures impersonating secure document-sharing portals.
  First reported: 29.12.2025 11:44 (1 source, 1 article)
- Victims were redirected to Microsoft sign-in pages with pre-filled email addresses.
  First reported: 29.12.2025 11:44 (1 source, 1 article)
- The packages incorporated client-side checks to challenge analysis efforts, including bot filtering, sandbox evasion, and requiring user interaction.
  First reported: 29.12.2025 11:44 (1 source, 1 article)
- The JavaScript code was obfuscated or heavily minified to hinder automated inspection.
  First reported: 29.12.2025 11:44 (1 source, 1 article)
- The domains used in the packages overlap with adversary-in-the-middle (AitM) phishing infrastructure associated with Evilginx.
  First reported: 29.12.2025 11:44 (1 source, 1 article)
- The campaign targeted 25 email addresses tied to specific individuals in sales and business development roles across various sectors and countries.
  First reported: 29.12.2025 11:44 (1 source, 1 article)
- The attackers may have obtained email addresses from international trade shows and open-web reconnaissance.
  First reported: 29.12.2025 11:44 (1 source, 1 article)