Lucide proxy npm packages browser DDoS botnet
Malware Activity
Summary
Hide ▲
Show ▼
A 148-package npm campaign turned visitor browsers into a distributed denial-of-service botnet, turning ordinary proxy-page visits into attack traffic. The browser payloads ran for about two weeks in May and hid inside proxy lures branded Lucide and tutoring pages like Riverbend Tutoring and Northstar Tutoring. A remote loader and WebSocket flood generator let the operator swap code at runtime and point browsers at remote targets. The package set could be re-armed later by changing code on a mutable GitHub branch.
Related Happenings
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
GlassWorm supply-chain malware activity
Malware Activity
H score22
First: 27.05.2026 14:48
Last: 27.05.2026 14:48
Sources 1
About this happening:
The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
GlassWorm supply-chain malware activity
Malware ActivityAbout this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...
Shai-Hulud worm clone activity on NPM
Malware Activity
H score69
First: 18.05.2026 12:45
Last: 18.05.2026 12:45
Sources 1
About this happening:
The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Shai-Hulud worm clone activity on NPM
Malware ActivityAbout this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
H score22
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware ActivityAbout this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
LofyGang Minecraft LofyStealer campaign
Campaign
H score38
First: 28.04.2026 20:39
Last: 28.04.2026 20:39
Sources 1
About this happening:
The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
LofyGang Minecraft LofyStealer campaign
CampaignAbout this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...
Timeline
-
14.07.2026 10:08 1 articles · 4h ago
Browser flood targets cdn.caan.edu from a proxy tab
Victim Impact UpdateAn archived copy preserved on May 30 shows the remote script loader building a fresh one-million-character string every 500 milliseconds and firing it as a no-cors POST at cdn.caan.edu, the public domain of a nursing school in Matteson, Illinois. JFrog estimated that each active visitor could generate about 2 MB per second of upload traffic toward the target.
Show sources
- 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet — thehackernews.com — 14.07.2026 10:08
-
14.07.2026 10:08 1 articles · 4h ago
Malicious browser modules are stripped from the proxy packages
Mitigation Patch UpdateOn May 31, the operators removed the remote loader and the Wisp generator from the packages, leaving the cleaned-up adware-only build in place. The campaign kept the browser proxy lures, but the active DDoS functionality was taken back out at that point.
Show sources
- 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet — thehackernews.com — 14.07.2026 10:08
-
14.07.2026 10:08 1 articles · 4h ago
A new account ships the cleaned-up 148-package proxy build
Campaign Scope UpdateOn July 8, a second wave under a new account brought the package total to 148 and shipped the cleaned-up, adware-only build. The app still remained obfuscated, still loaded third-party scripts from attacker domains, and the remote loader still pointed at a mutable branch that could be re-armed later.
Show sources
- 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet — thehackernews.com — 14.07.2026 10:08
-
14.07.2026 10:08 2 articles · 4h ago
JFrog details the Lucide proxy botnet campaign
Initial DisclosureOn July 14, JFrog publicly detailed the 148 npm packages, the Lucide proxy lure, the G2 remote loader, and the I2 Wisp-based flood generator. The same disclosure says The Hacker News found most packages removed from npm, but charlie-kirk still served the malicious versions 2.0.0 and 3.0.1.
Show sources
- 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet — thehackernews.com — 14.07.2026 10:08
- 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet — thehackernews.com — 14.07.2026 10:08