


Perceptive Security
SOC/SIEM Consultancy

27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials
Published:
29 December 2025 at 09:44:00
Alert date:
29 December 2025 at 10:02:25
Source:
thehackernews.com
Supply Chain & Dependencies, Email & Messaging, Identity & Access
Cybersecurity researchers discovered a sustained spear-phishing campaign involving 27 malicious npm packages published to the npm registry. The campaign used six different npm aliases to facilitate credential theft. The activity primarily targeted sales and commercial personnel at critical organizations. The packages served as phishing infrastructure to steal login credentials. This represents a sophisticated supply chain attack leveraging the npm ecosystem for credential harvesting operations.
Technical details
A 5-month spear-phishing campaign uploaded 27 malicious npm packages from 6 different aliases in order to use the npm registry and package CDNs as hosting infrastructure. The packages deliver client-side HTML and JavaScript lures that impersonate secure document-sharing portals and Microsoft sign-in pages. The lures include anti-analysis measures: bot filtering, sandbox evasion, a requirement for mouse or touch input before the page activates, obfuscated and minified JavaScript, and honeypot form fields that are hidden from users but populated by crawlers. The packages redirect victims to threat-actor-controlled credential-harvesting infrastructure associated with the Evilginx phishing kit. The campaign hard-codes 25 specific email addresses of targets in sales and commercial roles.
Mitigation steps:
Enforce stringent dependency verification, log unusual CDN requests from non-development contexts, enforce phishing-resistant multi-factor authentication (MFA), and monitor for suspicious post-authentication events.
Affected products:
npm registry
Package content delivery networks (CDNs)
Microsoft sign-in pages
Organizations in the manufacturing, industrial automation, plastics and healthcare sectors
Related links:
https://socket.dev/blog/spearphishing-campaign-abuses-npm-registry
https://thehackernews.com/2025/05/russian-hackers-breach-20-ngos-using.html
https://thehackernews.com/2025/10/175-malicious-npm-packages-with-26000.html
https://socket.dev/blog/2025-report-destructive-malware-in-open-source-packages
Related CVEs:
Related threat actors:
IOCs:
adril7123, ardril712, arrdril712, androidvoues, assetslush, axerification, erification, erificatsion, errification, eruification, hgfiuythdjfhgff, homiersla, houimlogs22, iuythdjfghgff, iuythdjfhgff, iuythdjfhgffdf, iuythdjfhgffs, iuythdjfhgffyg, jwoiesk11, modules9382, onedrive-verification, sarrdril712, scriptstierium11, secure-docs-app, sync365, ttetrification, vampuleerl
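As an added example (not code from the original alert or from the Socket research it summarises), the first two mitigation steps above expressed as a small Python script: an audit of a package-lock.json against the IOC package names listed on this page, and a scan of proxy log lines for package-CDN requests that name an IOC package or come from a host that is not a known developer workstation. The CDN hostnames (cdn.jsdelivr.net, unpkg.com), the log line format and the sample log are assumptions constructed for the example.

```python
import json
import re

# Package aliases listed as IOCs in this alert (copied from the page above).
IOC_PACKAGES = {
    "adril7123", "ardril712", "arrdril712", "androidvoues", "assetslush", "axerification",
    "erification", "erificatsion", "errification", "eruification", "hgfiuythdjfhgff",
    "homiersla", "houimlogs22", "iuythdjfghgff", "iuythdjfhgff", "iuythdjfhgffdf",
    "iuythdjfhgffs", "iuythdjfhgffyg", "jwoiesk11", "modules9382", "onedrive-verification",
    "sarrdril712", "scriptstierium11", "secure-docs-app", "sync365", "ttetrification",
    "vampuleerl",
}

# Public CDNs that serve raw npm package files; the alert names none, so these two
# hostnames are an assumption. Group 1 is the (optionally scoped) package name,
# e.g. "secure-docs-app" from https://cdn.jsdelivr.net/npm/secure-docs-app@1.0.3/index.html
CDN_URL_RE = re.compile(
    r"https?://(?:cdn\.jsdelivr\.net/npm|unpkg\.com)/((?:@[^/\s]+/)?[^/@\s]+)"
)

def flag_cdn_requests(log_lines, dev_hosts=frozenset()):
    """(source_host, package) for CDN requests naming an IOC package or coming from a
    host not in dev_hosts. Constructed log format: '<timestamp> <source_host> <url>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        match = CDN_URL_RE.search(parts[2]) if len(parts) >= 3 else None
        if match and (match.group(1) in IOC_PACKAGES or parts[1] not in dev_hosts):
            hits.append((parts[1], match.group(1)))
    return hits

def flag_lockfile(lockfile_text):
    """IOC package names in a package-lock.json: v1 'dependencies' map or v2/v3
    'packages' map, whose keys look like 'node_modules/<name>'."""
    lock = json.loads(lockfile_text)
    names = set(lock.get("dependencies", {}))
    for path in lock.get("packages", {}):
        if "node_modules/" in path:
            names.add(path.rsplit("node_modules/", 1)[1])
    return sorted(names & IOC_PACKAGES)

# Constructed sample proxy log, not real telemetry.
SAMPLE_PROXY_LOG = """\
2025-12-29T09:40:01Z dev-ws-07 https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js
2025-12-29T09:41:15Z sales-laptop-12 https://cdn.jsdelivr.net/npm/secure-docs-app@1.0.3/index.html
2025-12-29T09:42:30Z sales-laptop-12 https://unpkg.com/sync365/login.html
""".splitlines()

if __name__ == "__main__":
    print(flag_cdn_requests(SAMPLE_PROXY_LOG, dev_hosts={"dev-ws-07"}))
```

A request for a lookalike package from a sales laptop is exactly the "CDN request from a non-development context" the mitigation step refers to; the lockfile check catches the same names if they ever reach a build.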
This article was created with the assistance of AI technology by Perceptive.
