
175 Malicious npm Packages Host Phishing Infrastructure Targeting 135+ Organizations

Blog post from Socket

Post Details
Company
Date Published
Author: Kush Pandya
Word Count: 2,193
Language: English
Hacker News Points: -
Summary

Socket's Threat Research Team identified a phishing campaign leveraging 175 malicious npm packages, collectively downloaded over 26,000 times, targeting over 135 industrial, technology, and energy companies globally. Dubbed "Beamglea," the campaign uses npm's public registry and unpkg.com's CDN to host redirect scripts that funnel victims to credential-harvesting pages. The packages execute no malicious code upon installation; the threat actors instead exploit npm as free global hosting infrastructure. They automate package generation using Python tools, creating packages with randomized names to evade detection, and distribute HTML files themed as business documents to lure victims. The campaign primarily targets Western Europe and Asia-Pacific, excluding the U.S., and employs multiple domains for redundancy, indicating organized threat actor infrastructure. Despite public disclosure, most packages remain live, prompting Socket to ask npm to remove the packages and suspend the associated accounts. The discovery builds on initial findings by Paul McCarty at Safety, with Socket's AI scanner expanding the analysis to document the full campaign scope.