Hacking

Malicious npm Packages Used in Targeted Credential Theft Campaign

Published  ·  4 min read

Cybersecurity experts have identified an ongoing, organized phishing campaign that used the npm platform to gain access to thousands of companies’ user credentials. The suspicious npm packages were not intended to be executed on a computer but used to distribute content for phishing attempts on users’ computers via legitimate CDN providers. This method of leveraging the npm platform to send phishing emails has created an environment for creating ‘resilient’ infrastructures, making it more difficult to disrupt.

Research from Socket indicates that this specific campaign was conducted over the course of five months using 27 npm packages published through six separate aliases identified by username(s). This type of phishing attack primarily targeted sales representatives, account managers, and commercial personnel working for companies that were part of a critical infrastructure supply chain throughout the United States and countries that are aligned with the United States’ interests.

Rather than encouraging victims to install the packages, the attackers repurposed npm as a phishing delivery platform. The published packages hosted client-side HTML and JavaScript that impersonated secure document-sharing portals. Victims were lured into opening these pages and then redirected to Microsoft sign-in pages with their email addresses already prefilled, increasing the likelihood of credential submission.

Malicious Packages Identified
The attack utilized many misleadingly named packages, which included the following:
adril7123, androidvoues, assetslush, erification, onedrive-verification, secure-docs-app, sync365, vampuleerl etc.
These suggested false legitimacy or authority during the use of legitimate developer processes or the downloading of third-party assets.

Why npm Was The Right Attack Platform
Through its use of CDNs, npm provided attackers with the following advantages:
1. High trust - npm CDNs are routinely whitelisted in business environments.
2. Resilience - Removal of one package or alias does not destroy the entire campaign
3. Flexibility - Attackers can quickly and easily rotate between the Name of a package and/or name of a provider and continue to provide users with access to malicious content

The phishing code involved was significantly minified and obfuscated, to make it difficult to perform any meaningful static analysis, and was incorporated with several anti-static analysis techniques, including bot detection and bypassing sandbox environments and the requirement for actual human engagement prior to redirecting to between phishing credential capture sites.

Advanced Evasion Techniques
A second way to enhance protection against phishing attacks is by creating hidden "honeypot" designer input fields. These hidden inputs are not seen by a legitimate user but can be populated by an automated scanner or web crawler. 

When populated, this is a termination point in the phishing process, as the phishing email will not expose the attacker's infrastructure and will hinder automated detection of phishing attempts. Socket was also able to identify similarities between the domains present in the packages and the "adversarial in-the-middle" (AitM) phishing infrastructure they were using. 

One example of this is that the attack took advantage of certain tools associated with Evilginx and was utilized by multiple threat actors.

Highly Targeted Individuals 
This attack did not target many individuals for phishing purposes but relied on the use of 25 specific individuals' email addresses that were hard-coded into the attack communications to target individuals from the Manufacturing / Industrial Automation, Plastics / Polypropylene Supply Chain, Healthcare, Europe / North America / Asia (UK / US / Germany / France / Turkey / Taiwan) sectors The email addresses were most likely harvested from international trade show attendee lists gathered through open-source research conducted by researchers at Avast.

Defensive Measures
To counteract this and similar attacks, companies should do the following: 
1. Monitor for traffic to NPM and CDN from sources other than the expected development environments 
2. Use MFA that has been proven to be resistant to Phishing for all Cloud Authentication 
3. Audit how the organization is using and loading third-party assets through dependencies 
4. Look for unusual behaviors after the user is authenticated 

The results of this study align with a pattern of destructive and stealthy malware found in some of the largest package repositories and serves as an illustration of how criminals are continuously developing new ways to undermine those who have access to their packages by relying on delayed execution, retrieving runtime payloads, and abusing common lifecycle hooks in order to remain undetected.

Source: The Hacker News

Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067