Npm registry spear-phishing campaign targeting sales personnel
Campaign
Summary
Hide ▲
Show ▼
Unknown threat actors ran a five-month spear-phishing campaign that abused 27 npm packages as browser-hosting infrastructure, turning a software registry into a resilient credential-theft delivery channel. The operation targeted 25 organizations and sales and commercial personnel across multiple sectors in the U.S. and Allied nations, making the login-harvesting effort broader and more durable than a one-off phishing page.
Related Happenings
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor Meta
H score31
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
North Korea-aligned developer-targeting operations shift from fake interviews to recruitment phishing at scale
Threat Actor MetaAbout this happening: North Korea-aligned developer-targeting operations are shifting from **fake interviews** to **recruitment-themed phishing** at scale, increasing the risk of industrialized **crede...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
Campaign
H score37
First: 15.06.2026 22:32
Last: 15.06.2026 22:32
Sources 1
About this happening:
The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Contagious Interview UNK_DeadDrop GitHub phishing campaign
CampaignAbout this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
Incident
H score13
First: 01.06.2026 20:40
Last: 01.06.2026 20:40
Sources 1
About this happening:
**Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
Red Hat npm Namespace Hijacked in Supply Chain hit by cyberattack
IncidentAbout this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor Meta
H score18
First: 10.04.2026 00:37
Last: 10.04.2026 00:37
Sources 1
About this happening:
**VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
VENOM closed-access PhaaS operating model limits researcher visibility
Threat Actor MetaAbout this happening: **VENOM** is operating as a **closed-access phishing-as-a-service** platform, reducing researcher visibility while supporting **underground credential theft**. The service targets...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/Service
H score58
First: 08.04.2026 12:16
Last: 08.04.2026 12:16
Sources 1
About this happening:
**Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Anthropic launches Project Glasswing with Claude Mythos for vulnerability discovery
Security Tool/ServiceAbout this happening: **Anthropic’s Project Glasswing** is now showing measurable results: since launching last month, the **Claude Mythos Preview**-based initiative has uncovered **more than 10,000**...
Latest development: 03.06.2026 14:00
President Donald Trump signed a June 2 executive order that sets up a voluntary framework for developers of covered frontier models to give the US government access for cybersecurity review for up to 30 days before release, while expressly rejecting any mandatory licensing or preclearance requirement. The order directs NSA, CISA, and NIST to build a classified benchmark for determining which models cross the covered threshold and creates an AI cybersecurity clearinghouse led by the Treasury Department. The framework closely echoes Anthropic's Project Glasswing, which gives vetted partners early access to Claude Mythos Preview to scan critical software for vulnerabilities.
Timeline
-
29.12.2025 11:44 2 articles · 6mo ago
npm package phishing campaign disclosure
Initial DisclosureUnknown threat actors ran a five-month npm phishing campaign that uploaded 27 packages from six aliases and used npm/package CDN-hosted HTML and JavaScript lures to impersonate document-sharing portals and Microsoft sign-in, targeting 25 organizations and sales and commercial personnel across manufacturing, industrial automation, plastics, and healthcare in the U.S. and Allied nations for credential theft; the packages also used bot filtering, sandbox evasion, mouse-or-touch checks, honeypot fields, and overlap with Evilginx-associated adversary-in-the-middle infrastructure.
Show sources
- 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials — thehackernews.com — 29.12.2025 11:44
- 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials — thehackernews.com — 29.12.2025 11:44