Content Deep Dive

Phishing Campaign Leveraging the NPM Ecosystem

Blog post from Snyk

Post Details
Company: Snyk
Author: Liran Tal
Word Count: 1,766
Language: English
Summary

In October 2025, researchers identified a phishing operation that abused the npm ecosystem not by compromising developers at package-installation time but by using the trusted unpkg.com CDN as free, reputable hosting for phishing scripts. The attackers published over 175 disposable npm packages whose only purpose was to hold JavaScript. Victims received specially crafted HTML lure files that load one of these scripts from unpkg.com; the script redirects the browser to a credential-harvesting page whose login form is pre-filled to look legitimate, and the credentials entered there are captured. The campaign targeted over 135 organizations in the industrial, technology, and energy sectors, primarily in Europe. Following the initial disclosure by Socket, Snyk mapped additional packages using a different naming scheme, suggesting either copycat activity or related infrastructure. The packages are never installed as dependencies, so this is not a supply-chain compromise in the usual sense: the registry and its CDN serve only as trusted content hosting for the lure. The operation illustrates a shift from traditional malicious-package attacks toward leveraging legitimate open-source hosting for phishing, a further evolution of the open-source threat landscape.
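Because the lure is an HTML file whose only job is to pull a script from a public npm CDN, a mail gateway or SOC triage script can flag such documents before anyone opens them. The following Python is an added example written for this summary; it is not code from Snyk, Socket, or the campaign itself. unpkg.com is the CDN named in the report; the additional CDN hosts, the package names, and the sample documents are constructed assumptions used to show the check generalizes to other npm-backed CDNs.

```python
"""Flag HTML attachments that load JavaScript from public npm CDNs.

Added example (not from the original post). The lure technique described
above embeds a <script src="https://unpkg.com/<pkg>@<ver>/..."> tag, so an
HTML document that references an npm CDN is a strong triage signal. The
sample inputs at the bottom are constructed, not real lures.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit

# unpkg.com is the CDN named in the campaign; the other hosts are an
# assumption added here so the same check covers other npm-backed CDNs.
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net", "esm.sh"}


@dataclass(frozen=True)
class Finding:
    tag: str      # HTML element that performs the remote load
    url: str      # attribute value exactly as it appeared in the document
    package: str  # npm package name encoded in the CDN URL path


def npm_package_from_path(host: str, path: str) -> str:
    """Return the npm package name encoded in a CDN URL path.

    unpkg.com / esm.sh:  /[@scope/]name[@version][/file]
    cdn.jsdelivr.net:    /npm/[@scope/]name[@version][/file]
    Returns "" when the path does not name a package.
    """
    parts = [p for p in path.split("/") if p]
    if host == "cdn.jsdelivr.net":
        if not parts or parts[0] != "npm":
            return ""
        parts = parts[1:]
    if not parts:
        return ""
    if parts[0].startswith("@"):          # scoped package: @scope/name@ver
        if len(parts) < 2:
            return ""
        return parts[0] + "/" + parts[1].split("@")[0]
    return parts[0].split("@")[0]         # unscoped: name@ver


class _RemoteLoadParser(HTMLParser):
    """Collect the URL attribute of every element that fetches a remote resource."""

    LOADING_ATTRS = {
        "script": "src", "iframe": "src", "embed": "src",
        "object": "data", "link": "href",
    }

    def __init__(self) -> None:
        super().__init__()
        self.loads: list[tuple[str, str]] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        wanted = self.LOADING_ATTRS.get(tag)
        if wanted is None:
            return
        for name, value in attrs:
            if name == wanted and value:
                self.loads.append((tag, value.strip()))


def find_npm_cdn_loads(html: str) -> list[Finding]:
    """Return every remote load in `html` whose host is a known npm CDN."""
    parser = _RemoteLoadParser()
    parser.feed(html)
    parser.close()
    findings = []
    for tag, url in parser.loads:
        # urlsplit handles protocol-relative URLs (//unpkg.com/...) too, and
        # .hostname is already lowercased, so mixed-case hosts do not slip by.
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in NPM_CDN_HOSTS:
            findings.append(Finding(tag, url, npm_package_from_path(host, parts.path)))
    return findings


# Constructed lure-style document: the package name and version are invented.
SAMPLE_LURE = """<!doctype html><html><head><title>Invoice</title>
<script src="https://UNPKG.com/example-lure-pkg@1.0.3/dist/redirect.js"></script>
</head><body>Loading document...</body></html>"""

# Constructed benign document: remote loads, but none from an npm CDN.
SAMPLE_BENIGN = """<html><head><link rel="stylesheet" href="/static/app.css">
<script src="https://static.example.com/app.js"></script></head><body>Hi</body></html>"""


if __name__ == "__main__":
    for label, doc in (("lure", SAMPLE_LURE), ("benign", SAMPLE_BENIGN)):
        hits = find_npm_cdn_loads(doc)
        verdict = "QUARANTINE" if hits else "ok"
        print(f"{label}: {verdict}", [f"{h.tag} -> {h.package}" for h in hits])
```

The package name extracted from each hit is the useful pivot: it can be fed to a registry lookup (publish date, version count, maintainer) to separate a week-old throwaway package from a long-lived library that a legitimate page happens to load from the same CDN.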