Massive Phishing Campaign Exploits npm Packages to Target Global Industries

In a recent revelation, Socket’s Threat Research Team uncovered a sophisticated phishing campaign, codenamed Beamglea, involving 175 malicious npm packages that have collectively amassed over 26,000 downloads. This campaign represents a novel exploitation of the npm public registry and the unpkg.com CDN, aiming to redirect users to credential-harvesting sites targeting more than 135 industrial, technology, and energy companies worldwide.

The Nature of the Threat

Unlike traditional malware, these malicious packages do not execute harmful code upon installation. Instead, they leverage the npm ecosystem as a free hosting platform for phishing operations. The packages, named following the pattern redirect-[a-z0-9]{6}, are unlikely to be installed accidentally by developers due to their randomized names. However, their substantial download counts suggest that security researchers, automated scanners, and CDN infrastructures have been analyzing these packages post-disclosure.

Discovery and Analysis

The campaign was initially identified by Paul McCarty at Safety on September 24, 2025, and further analyzed by Socket.dev analysts. Their routine scanning operations revealed that most packages associated with this campaign remained active at the time of discovery, prompting immediate action to petition for their removal from the npm registry and the suspension of the threat actors’ accounts.

Technical Sophistication

The threat actors behind Beamglea developed comprehensive Python tooling to automate the entire campaign. This automation enabled the creation of victim-specific HTML phishing lures themed as purchase orders and project documents. The core automation process involved several steps:

1. npm Authentication Verification: Ensuring access to the npm registry.

2. Template Processing: Utilizing a JavaScript template file named beamglea_template.js.

3. Package Creation: Generating unique package names with a six-character suffix of lowercase letters and numbers, following the redirect- prefix pattern.

4. Publication: Uploading the malicious packages to the npm registry.

5. HTML Lure Generation: Creating phishing pages that pre-fill login forms with the victim’s email address, enhancing the appearance of legitimacy.

The JavaScript payload embedded in each package contains a function that appends the victim’s email as a URL fragment. This technique exploits the fact that the fragment (the part of a URL after the # symbol) is never sent to the server by the browser, so it does not appear in standard server access logs, making the phishing attempts more covert.
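A defender-side check for the naming pattern described above, as an added example that is not Socket’s tooling or the campaign’s own code: it scans a package-lock.json and a list of script URLs for package names matching redirect-[a-z0-9]{6}, including unpkg.com URLs that serve such a package. The lockfile contents and URLs below are constructed sample input.

```javascript
// Added example: flag npm packages and unpkg.com URLs matching the
// Beamglea naming pattern. Sample input below is constructed.
const BEAMGLEA_NAME = /^redirect-[a-z0-9]{6}$/;

// unpkg.com serves registry packages as https://unpkg.com/<name>[@version][/path];
// capture the package name so it can be checked against the pattern.
const UNPKG_URL = /^https?:\/\/unpkg\.com\/(redirect-[a-z0-9]{6})(?:@[^/]+)?(?:\/.*)?$/;

// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json and
// return every installed package whose name matches the campaign pattern.
function findSuspiciousPackages(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // the root project entry, not a dependency
    const marker = 'node_modules/';
    const name = meta.name || path.slice(path.lastIndexOf(marker) + marker.length);
    if (BEAMGLEA_NAME.test(name)) hits.push({ name, version: meta.version, path });
  }
  return hits;
}

// Return the package names behind any unpkg.com URLs matching the pattern,
// e.g. collected from proxy logs, CSP reports or a suspicious HTML attachment.
function findSuspiciousUrls(urls) {
  const hits = [];
  for (const url of urls) {
    const m = UNPKG_URL.exec(url);
    if (m) hits.push({ url, name: m[1] });
  }
  return hits;
}

// Constructed lockfile: one benign dependency, one matching the pattern.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/left-pad': { version: '1.3.0' },
    'node_modules/redirect-a1b2c3': { version: '1.0.0' },
  },
};

// Constructed URLs: a legitimate CDN asset, a match, and a near-miss
// whose suffix is longer than six characters.
const sampleUrls = [
  'https://unpkg.com/react@18.2.0/umd/react.production.min.js',
  'https://unpkg.com/redirect-a1b2c3@1.0.0/index.js',
  'https://unpkg.com/redirect-toolong/index.js',
];

console.log(findSuspiciousPackages(sampleLock), findSuspiciousUrls(sampleUrls));
```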

Implications and Recommendations

The Beamglea campaign underscores the evolving nature of supply chain attacks and the need for heightened vigilance within the developer community. Organizations are urged to implement robust security measures, including:

– Regular Audits: Conducting thorough reviews of all third-party packages and dependencies.

– Monitoring: Keeping an eye on unusual package names or patterns that may indicate malicious intent.

– Education: Training developers to recognize and avoid potential phishing attempts.

By staying informed and proactive, the tech industry can better defend against such sophisticated supply chain attacks.