Find notable cyber news and cases, enriched with sources, timelines, and signals.

Lucide proxy npm packages browser DDoS botnet

Malware Activity
First reported
Last updated
Happening score
H score 31
1 unique sources, 1 articles

Summary

Hide ▲

A 148-package npm campaign turned visitor browsers into a distributed denial-of-service botnet, turning ordinary proxy-page visits into attack traffic. The browser payloads ran for about two weeks in May and hid inside proxy lures branded Lucide and tutoring pages like Riverbend Tutoring and Northstar Tutoring. A remote loader and WebSocket flood generator let the operator swap code at runtime and point browsers at remote targets. The package set could be re-armed later by changing code on a mutable GitHub branch.

Related Happenings

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

GlassWorm supply-chain malware activity

Malware Activity
H score22 First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Shai-Hulud worm clone activity on NPM

Malware Activity
H score69 First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
H score22 First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

LofyGang Minecraft LofyStealer campaign

Campaign
H score38 First: 28.04.2026 20:39 Last: 28.04.2026 20:39 Sources 1

About this happening: The **LofyGang** crew has re-emerged with a **Minecraft-player targeting** operation that uses **LofyStealer (GrabBot)**, increasing the risk of **credential and payment-data thef...

Timeline

  1. 14.07.2026 10:08 1 articles · 4h ago

    Browser flood targets cdn.caan.edu from a proxy tab

    Victim Impact Update

    An archived copy preserved on May 30 shows the remote script loader building a fresh one-million-character string every 500 milliseconds and firing it as a no-cors POST at cdn.caan.edu, the public domain of a nursing school in Matteson, Illinois. JFrog estimated that each active visitor could generate about 2 MB per second of upload traffic toward the target.

    Show sources
  2. 14.07.2026 10:08 1 articles · 4h ago

    Malicious browser modules are stripped from the proxy packages

    Mitigation Patch Update

    On May 31, the operators removed the remote loader and the Wisp generator from the packages, leaving the cleaned-up adware-only build in place. The campaign kept the browser proxy lures, but the active DDoS functionality was taken back out at that point.

    Show sources
  3. 14.07.2026 10:08 1 articles · 4h ago

    A new account ships the cleaned-up 148-package proxy build

    Campaign Scope Update

    On July 8, a second wave under a new account brought the package total to 148 and shipped the cleaned-up, adware-only build. The app still remained obfuscated, still loaded third-party scripts from attacker domains, and the remote loader still pointed at a mutable branch that could be re-armed later.

    Show sources
  4. 14.07.2026 10:08 2 articles · 4h ago

    JFrog details the Lucide proxy botnet campaign

    Initial Disclosure

    On July 14, JFrog publicly detailed the 148 npm packages, the Lucide proxy lure, the G2 remote loader, and the I2 Wisp-based flood generator. The same disclosure says The Hacker News found most packages removed from npm, but charlie-kirk still served the malicious versions 2.0.0 and 3.0.1.

    Show sources