Find notable cyber news and cases, enriched with sources, timelines, and signals.

Malicious npm spear-phishing campaign targeting industrial and energy employees

Campaign
First reported
Last updated
Happening score
H score 36
1 unique sources, 1 articles

Summary

Hide ▲

The malicious npm packages flockiali, opresc, prndn, oprnm, and operni were found serving a fake Microsoft-branded login screen, signaling an active spear-phishing campaign aimed at employees of industrial and energy companies in France, Germany, Spain, the U.A.E., and the U.S.. The lure uses malicious links to push victims into a phishing flow delivered through package code. The broad geographic spread and sector focus make the operation more than isolated package abuse and raise the risk of credential theft and follow-on account compromise.

Related Happenings

Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware

Malware Activity
H score37 First: 08.07.2026 22:54 Last: 08.07.2026 22:54 Sources 1

About this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...

ClickFix multi-loader delivery campaign targeting Windows and macOS users

Campaign
H score34 First: 16.06.2026 20:41 Last: 16.06.2026 20:41 Sources 1

About this happening: The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...

Google DoubleClick malspam campaign delivering DesckVB RAT

Campaign
H score33 First: 03.06.2026 19:29 Last: 03.06.2026 19:29 Sources 1

About this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...

Hugging Face shared-loader supply chain campaign

Campaign
H score79 First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....

Npm typosquatting campaign distributing WinOS 4.0 implant

Campaign
H score20 First: 09.05.2026 17:26 Last: 09.05.2026 17:26 Sources 1

About this happening: A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...

Timeline

  1. 28.01.2026 11:30 2 articles · 5mo ago

    Malicious npm packages serve fake Microsoft login pages

    Initial Disclosure

    Malicious npm packages flockiali, opresc, prndn, oprnm, and operni each include a single JavaScript file that displays a fake Microsoft-branded login screen and routes victims through malicious links aimed at employees of specific industrial and energy companies in France, Germany, Spain, the U.A.E., and the U.S.

    Show sources