Malicious npm spear-phishing campaign targeting industrial and energy employees
Campaign
Summary
The malicious npm packages flockiali, opresc, prndn, oprnm, and operni were found serving a fake Microsoft-branded login screen, signaling an active spear-phishing campaign aimed at employees of industrial and energy companies in France, Germany, Spain, the U.A.E., and the U.S. The lure uses malicious links to push victims into a phishing flow delivered through package code. The broad geographic spread and sector focus make the operation more than isolated package abuse and raise the risk of credential theft and follow-on account compromise.
Related Happenings
Hugging Face shared-loader supply chain campaign
Campaign
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....
Npm typosquatting campaign distributing WinOS 4.0 implant
Campaign
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
RoshniNaveenaS's account hit by network compromise
Incident
First: 29.04.2026 19:26
Last: 29.04.2026 19:26
Sources 1
About this happening:
The **RoshniNaveenaS** account was **compromised**, enabling attackers to publish malicious **@cap-js** releases without provenance and putting downstream **npm** consumers at ris...
Formbook phishing campaign using DLL sideloading and obfuscated JavaScript
Campaign
First: 20.04.2026 18:01
Last: 20.04.2026 18:01
Sources 1
About this happening:
The **Formbook** phishing operation is targeting **Windows** organizations across **Greece, Spain, Slovenia, Bosnia, Croatia** and **South America**, using **DLL sideloading** and...
Fake Claude PlugX phishing campaign
Campaign
First: 13.04.2026 12:52
Last: 13.04.2026 12:52
Sources 1
About this happening:
A **February** phishing campaign used a **fake Claude website** and **fake meeting invitations** to deliver **PlugX** malware to recipients, turning a popular AI brand into a malw...
Latest development: 07.05.2026 13:02
A fake Claude AI site at claude-pro[.]com distributed Claude-Pro-windows-x64.zip, which drops NOVupdate.exe, NOVupdate.exe.dat, and avk.dll to sideload DonutLoader and load the Beagle backdoor on Windows. The backdoor uses license[.]claude-pro[.]com for command-and-control over TCP 443 and/or UDP 8080, and related Beagle samples were submitted to VirusTotal between February and April this year.
Timeline
- 28.01.2026 11:30 · 2 articles · 3mo ago
Malicious npm packages serve fake Microsoft login pages
Initial Disclosure: Malicious npm packages flockiali, opresc, prndn, oprnm, and operni each include a single JavaScript file that displays a fake Microsoft-branded login screen and routes victims through malicious links aimed at employees of specific industrial and energy companies in France, Germany, Spain, the U.A.E., and the U.S.
Sources:
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30