


Perceptive Security
SOC/SIEM Consultancy

A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25…
Published:
23 December 2025 at 16:05:48
Alert date:
23 December 2025 at 20:02:44
Source:
socket.dev
Supply Chain & Dependencies, Email & Messaging, Critical Infrastructure
A sustained 5-month spearphishing operation abused the npm registry to host malicious packages targeting U.S. and allied manufacturing and healthcare organizations. Threat actors published 27 malicious npm packages under 6 aliases, delivering browser-executed phishing components that impersonate document-sharing portals and Microsoft sign-in pages. The campaign targeted 25 organizations across manufacturing, industrial automation, plastics, and healthcare sectors using sophisticated anti-analysis techniques including bot detection, honeypot forms, and interaction gating. The operation leverages adversary-in-the-middle (AiTM) phishing infrastructure potentially linked to Evilginx, enabling session token theft and MFA bypass. Targeted individuals were primarily sales and commercial personnel who regularly handle RFQs and document sharing workflows.
Technical details
A sustained spearphishing campaign abused the npm registry for 5+ months, publishing 27 malicious packages under 6 aliases to deliver browser-executed phishing components. The packages use document.open(), document.write(), and document.close() to replace the page content with fake MicroSecure document-sharing verification gates that transition to Microsoft-branded sign-in screens. The lures implement client-side anti-analysis checks: bot detection (navigator.webdriver, plugin counts, screen dimensions), honeypot form fields, and interaction gating that requires mouse or touch input before the lure proceeds. After credential submission, victims are redirected to threat actor-controlled infrastructure, with the victim's email identifier carried in the URL fragment. The campaign uses Adversary-in-the-Middle (AiTM) phishing infrastructure matching Evilginx patterns and specific URL paths (/wlc/, /load/, /success/) to capture session cookies and tokens, potentially bypassing traditional MFA.
Mitigation steps:
Deploy Socket GitHub App to scan pull requests for risky dependencies
Use Socket CLI to surface install-time red flags and block risky behaviors
Implement Socket Firewall to block known malicious packages
Install Socket browser extension to warn on suspicious packages during registry browsing
Verify publishers and scrutinize transitive dependencies
Pin dependency versions and scan for high-risk artifacts
Monitor for HTML templates, DOM overwrites via document.write(), full-screen iframe overlays
Log and alert on unusual CDN requests from non-development contexts
Block known malicious packages and domains
Require phishing-resistant MFA (WebAuthn/passkeys)
Enforce conditional access policies
Monitor for session token theft indicators
Watch for suspicious sign-in telemetry and abnormal OAuth events
Tighten dependency intake processes
Treat package CDNs as monitored control planes
Affected products:
npm registry
unpkg.com CDN
Browser environments executing JavaScript
Microsoft sign-in workflows (impersonated)
Related links:
https://socket.dev/npm/package/adril7123
https://socket.dev/npm/package/adril7123/files/14.0.0/assets/refinered.bundles.js
https://www.orangecyberdefense.com/de/blog/threat/teil-2-cybersoc-insights-untersuchung-einer-aitm-phishing-kampagne
https://socket.dev/blog/175-malicious-npm-packages-host-phishing-infrastructure
https://socket.dev/npm/package/sync365/files/2.14.51/scripts/api.min.js
https://socket.dev/features/github
https://socket.dev/features/cli
https://socket.dev/blog/introducing-socket-firewall
https://chromewebstore.google.com/detail/socket-security/jbcobpbfgkhmjfpjjepkcocalmpkiaop
https://socket.dev/blog/socket-mcp
https://www.interpack.com/
https://www.k-online.com/
Related CVEs:
Related threat actors:
IOCs:
npm package names (27):
adril7123, ardril712, arrdril712, androidvoues, assetslush, axerification, erification, erificatsion, errification, eruification, hgfiuythdjfhgff, homiersla, houimlogs22, iuythdjfghgff, iuythdjfhgff, iuythdjfhgffdf, iuythdjfhgffs, iuythdjfhgffyg, jwoiesk11, modules9382, onedrive-verification, sarrdril712, scriptstierium11, secure-docs-app, sync365, ttetrification, vampuleerl
Domains and URL paths:
livestore.click, livestore.click/wlc/, hexrestore.online, hexrestore.online/load/, leoclouder.online, leoclouder.online/load/, leoclouder.online/success/, jigstro.cloud, jigstro.cloud/wlc/, extfl.roundupactions.shop
Email addresses:
icpc12@proton.me, michael.shaw119@proton.me, nuelvamp@proton.me, briandmooree@proton.me, fineboi231@proton.me, safehavenbill@proton.me
This article was created with the assistance of AI technology by Perceptive.
