Socket\u2019s Threat Research Team has uncovered a sophisticated phishing campaign involving 175 malicious npm packages that collectively accumulated over 26,000 downloads.<\/p>\n
The campaign, dubbed \u201cBeamglea\u201d based on consistent artifacts across all packages, represents a novel abuse of npm\u2019s public registry and the unpkg.com CDN to host redirect scripts targeting 135+ industrial, technology, and energy companies worldwide.<\/p>\n
The packages themselves don\u2019t execute malicious code during installation, making them particularly insidious as they exploit the npm ecosystem as free hosting infrastructure for credential harvesting operations.<\/p>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiW8Q98FyxaVxeqN6cSTVm9ap_PsUL0XTu8r0yd-6Iv0KJ-4fueadEWjHz9GPD-bBthZcwThjXz7R31lb7AmTwvGW6lJVWrIegMKSKWdlawVi5L0QS9lV4jE6KyG4tLj43eY2L9PVpWLIOhPiJehZVT3zhEg6IgcW3DFPLatPt3YZMwb8t58QdsVhbj-Pw\/s16000\/Credential%2520phishing%2520pages%2520%28Source%2520-%2520Socket.dev%29.webp?ssl=1\")
While the packages\u2019 randomized names following the pattern redirect-[a-z0-9]{6} make accidental developer installation unlikely, the substantial download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure.<\/p>\n
The threat actors developed comprehensive Python tooling to automate the entire campaign, enabling them to create victim-specific HTML phishing lures themed as purchase orders and project documents.<\/p>\n
The origin and meaning of \u201cbeamglea\u201d remains unclear, though it may represent a codename or inside reference used by the attackers.<\/p>\n
Socket.dev analysts identified<\/a> the campaign as part of their routine scanning operations, building on initial findings by Paul McCarty at Safety who first discovered the phishing infrastructure on September 24, 2025.<\/p>\n The researchers noted that most packages associated with this campaign remain live at the time of writing, prompting immediate petitions for their removal from the npm registry alongside suspension of the threat actors\u2019 accounts.<\/p>\n The campaign demonstrates remarkable sophistication in its technical implementation, representing a concerning evolution in supply chain abuse techniques.<\/p>\n Prior to this disclosure, the term \u201cbeamglea\u201d had virtually no online presence, making it an effective tracking identifier for this specific operation targeting organizations across multiple critical infrastructure sectors.<\/p>\n The threat actors developed sophisticated Python automation to streamline their operations, utilizing redirect_generator.py scripts and PyInstaller-compiled executables for ease of deployment.<\/p>\n The automation process demonstrates professional-level operational security planning and systematic victim targeting capabilities.<\/p>\n The core automation takes three inputs: a JavaScript<\/a> template file named beamglea_template.js, the victim\u2019s email address, and the destination phishing URL.<\/p>\n The system then processes these components through a five-step workflow that begins with npm authentication<\/a> verification and proceeds through template processing, package creation, publication, and HTML lure generation.<\/p>\n The random package name generation function creates unique identifiers using a six-character suffix of lowercase letters and numbers, ensuring each campaign<\/a> remains distinct while following the recognizable redirect- prefix pattern.<\/p>\n The JavaScript payload embedded in each package remains remarkably simple yet effective. Each beamglea.js file contains a processAndRedirect() function that appends the victim\u2019s email as a URL fragment, leveraging the fact that fragments appear after the # symbol and don\u2019t appear in standard server access logs.<\/p>\n This technique creates an appearance of legitimacy when phishing pages pre-fill login forms with the victim\u2019s email address.<\/p>\n The automation generates HTML lures<\/a> with specific business document themes designed to bypass suspicion, utilizing filenames that mimic legitimate purchase orders, technical specifications, and project documents.<\/p>\n All HTML files contain the campaign identifier nb830r6x in their meta tags, providing consistent tracking across the 630+ generated lures distributed across the 175 packages.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post 175 Malicious npm Packages With 26,000 Downloads Attacking Technology, and Energy Companies Worldwide<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nAutomated Package Generation Infrastructure<\/strong><\/h2>\n
def generate_random_package_name(prefix=\"redirect-\"):\n # Generates random 6-character suffix\n suffix = ''.join(random.choices(string.ascii_lowercase + string. Digits, k=6))\n return prefix + suffix\n\n# Template processing replaces placeholders with victim-specific data\ntemplate_js = load_template('beamglea_template.js')\nfinal_js = template_js.replace(\"{{EMAIL}}\", email).replace(\"{{URL}}\", redirect_url)\nwith open(\"beamglea.js\", \"w\", encoding=\"utf-8\") as f:\n f.write(final_js)<\/code><\/pre>\n