175 Malicious npm Packages Targeting Tech and Energy Firms, 26,000 Downloads

Socket’s Threat Research Team has uncovered a sprawling phishing campaign—dubbed “Beamglea”—leveraging 175 malicious npm packages that have amassed over 26,000 downloads.

These packages serve solely as hosting infrastructure, redirecting victims to credential-harvesting pages.

Though randomly named packages make accidental developer installation unlikely, the download counts reflect security researchers, automated scanners, and CDN providers probing the registry post-disclosure.

Targets include more than 135 industrial, technology, and energy companies across Western Europe, the Nordics, and Asia-Pacific.

Rather than executing code at install time, each malicious package exploits npm’s public registry and unpkg.com’s CDN to host redirect scripts.

After publishing packages named with the pattern redirect-[a-z0-9]{6}, threat actors rely on unpkg.com to automatically serve assets over HTTPS.

Victims receive HTML lures themed as purchase orders or project documents—likely via phishing emails—with embedded

Related Articles

Back to top button