Malicious npm spear-phishing campaign targeting industrial and energy employees
Campaign
Summary
Hide ▲
Show ▼
The malicious npm packages flockiali, opresc, prndn, oprnm, and operni were found serving a fake Microsoft-branded login screen, signaling an active spear-phishing campaign aimed at employees of industrial and energy companies in France, Germany, Spain, the U.A.E., and the U.S.. The lure uses malicious links to push victims into a phishing flow delivered through package code. The broad geographic spread and sector focus make the operation more than isolated package abuse and raise the risk of credential theft and follow-on account compromise.
Related Happenings
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware Activity
H score37
First: 08.07.2026 22:54
Last: 08.07.2026 22:54
Sources 1
About this happening:
Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
Malicious npm and PyPI Paysafe, Skrill, and Neteller SDK packages delivering stealer malware
Malware ActivityAbout this happening: Malicious **npm** and **PyPI** packages impersonating **Paysafe**, **Skrill**, and **Neteller** SDKs delivered **stealer malware** that siphoned secrets from developer environment...
ClickFix multi-loader delivery campaign targeting Windows and macOS users
Campaign
H score34
First: 16.06.2026 20:41
Last: 16.06.2026 20:41
Sources 1
About this happening:
The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...
ClickFix multi-loader delivery campaign targeting Windows and macOS users
CampaignAbout this happening: The **ClickFix** malware-delivery campaign is spreading **BabaDeda Loader**, **Lorem Ipsum Loader**, and **Potemkin**, widening risk for **Windows and macOS users** across several...
Google DoubleClick malspam campaign delivering DesckVB RAT
Campaign
H score33
First: 03.06.2026 19:29
Last: 03.06.2026 19:29
Sources 1
About this happening:
A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Google DoubleClick malspam campaign delivering DesckVB RAT
CampaignAbout this happening: A **new malspam campaign** is abusing **Google's DoubleClick** redirect path to evade detection and deliver **DesckVB RAT**, putting users and organizations at risk of malware inf...
Hugging Face shared-loader supply chain campaign
Campaign
H score79
First: 11.05.2026 10:05
Last: 11.05.2026 10:05
Sources 1
About this happening:
A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....
Hugging Face shared-loader supply chain campaign
CampaignAbout this happening: A **Hugging Face** repository cluster appears to be part of a **broader supply chain campaign** that used **shared loaders** to push a stealer through open-source model downloads....
Npm typosquatting campaign distributing WinOS 4.0 implant
Campaign
H score20
First: 09.05.2026 17:26
Last: 09.05.2026 17:26
Sources 1
About this happening:
A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
Npm typosquatting campaign distributing WinOS 4.0 implant
CampaignAbout this happening: A **npm typosquatting campaign** distributing the **WinOS 4.0 implant** overlapped with malicious repository activity, indicating a broader coordinated distribution effort beyond...
Timeline
-
28.01.2026 11:30 2 articles · 5mo ago
Malicious npm packages serve fake Microsoft login pages
Initial DisclosureMalicious npm packages flockiali, opresc, prndn, oprnm, and operni each include a single JavaScript file that displays a fake Microsoft-branded login screen and routes victims through malicious links aimed at employees of specific industrial and energy companies in France, Germany, Spain, the U.A.E., and the U.S.
Show sources
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30
- Fake Python Spellchecker Packages on PyPI Delivered Hidden Remote Access Trojan — thehackernews.com — 28.01.2026 11:30