Npm registry spear-phishing campaign targeting sales personnel
Campaign
Summary
Unknown threat actors ran a five-month spear-phishing campaign that abused 27 npm packages as browser-hosting infrastructure, turning a software registry into a resilient credential-theft delivery channel. The operation targeted 25 organizations and sales and commercial personnel across multiple sectors in the U.S. and Allied nations, making the login-harvesting effort broader and more durable than a one-off phishing page.
Related Happenings
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor Meta
First: 10.04.2026 00:37
Last: 10.04.2026 00:37
Sources 1
About this happening:
**VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/Service
First: 08.04.2026 12:16
Last: 08.04.2026 12:16
Sources 1
About this happening:
**Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Latest development: 23.05.2026 14:55
Anthropic said Project Glasswing has uncovered more than 10,000 high- or critical-severity vulnerabilities across widely used software since the program launched last month, including 6,202 high/critical flaws affecting more than 1,000 open-source projects, 1,726 validated true positives, 1,094 high/critical flaws, a critical WolfSSL flaw tracked as CVE-2026-5194 with CVSS score 9.1, 97 upstream patches, and 88 advisories.
Underground sellers-fraud-oriented sellers alliance reshapes ransomware ecosystem operations
Threat Actor Meta
First: 25.03.2026 16:02
Last: 25.03.2026 16:02
Sources 1
About this happening:
A growing underground market for **premium AI platform access** is turning **ChatGPT**, **Claude**, **Microsoft Copilot**, and **Perplexity** access into a tradable black-market c...
Contagious Interview cryptocurrency social-engineering and malware-delivery campaign
Campaign
First: 23.03.2026 20:09
Last: 23.03.2026 20:09
Sources 1
About this happening:
A **North Korean** cluster behind **Contagious Interview / WaterPlum** is running a coordinated **malware campaign** against **cryptocurrency professionals**, increasing the risk...
Tycoon 2FA-Storm-1747 ecosystem shift changes threat-actor operations
Threat Actor Meta
First: 05.03.2026 08:51
Last: 05.03.2026 08:51
Sources 1
About this happening:
**Tycoon2FA** has evolved from a **subscription-based PhaaS** into a more resilient phishing service that now supports **device-code phishing** against **Microsoft 365** accounts....
Latest development: 17.05.2026 17:43
eSentire says Tycoon2FA now uses device-code phishing to target Microsoft 365 accounts, with invoice-themed lure emails carrying Trustifi click-tracking URLs that redirect through Trustifi, Cloudflare Workers, obfuscated JavaScript layers, and a fake Microsoft CAPTCHA page before sending victims to microsoft.com/devicelogin. The kit also adds anti-analysis defenses, including detection of Selenium, Puppeteer, Playwright, and Burp Suite, plus blocks for security vendors, VPNs, sandboxes, AI crawlers, and cloud providers.
Timeline
- 29.12.2025 11:44 · 2 articles · 4mo ago
npm package phishing campaign disclosure
Initial Disclosure
Unknown threat actors ran a five-month npm phishing campaign that uploaded 27 packages from six aliases. The campaign used HTML and JavaScript lures hosted on npm and package CDNs to impersonate document-sharing portals and Microsoft sign-in pages for credential theft. It targeted 25 organizations and sales and commercial personnel across manufacturing, industrial automation, plastics, and healthcare in the U.S. and Allied nations. The packages also used bot filtering, sandbox evasion, mouse-or-touch checks, and honeypot fields, and overlapped with Evilginx-associated adversary-in-the-middle infrastructure.
- 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials — thehackernews.com — 29.12.2025 11:44