Researchers have uncovered a new and unusual credential harvesting campaign, dubbed Beamglea, that abuses the npm registry and a content delivery network (CDN) to create a robust phishing infrastructure. The campaign uses 175 malicious packages that, while unlikely to be accidentally downloaded by developers due to their randomized names, have collectively been installed around 26,000 times. These packages serve as the foundation for an elaborate phishing scheme targeting over 135 industrial, technology, and energy companies worldwide. This method highlights an evolving threat landscape where attackers are finding new ways to exploit legitimate platforms and services rather than relying on traditional attack vectors.
The threat actors behind Beamglea aren’t using the npm packages to directly infect systems with malware. Instead, they are leveraging the platform’s public registry and the unpkg.com CDN to host redirect scripts. The attackers use a Python script called ‘redirect_generator.py’ to programmatically create and publish these packages, injecting a victim’s email address and a custom phishing URL into each one. Once a package is live, the attackers create a malicious HTML file that references the new package’s URL on the UNPKG CDN. This setup allows them to host their phishing infrastructure for free, making it a highly cost-effective and resilient operation.
When a victim opens one of these specially crafted HTML files, the malicious JavaScript immediately loads from the UNPKG CDN and redirects the user to a credential harvesting page. The script automatically pre-fills the email field with the victim’s address, which was embedded in the package itself. This seemingly legitimate pre-filled login portal is a key component of the attack, as it significantly reduces suspicion and increases the likelihood that a victim will enter their credentials. Researchers found over 630 of these malicious HTML files, disguised as purchase orders, project documents, and other work-related materials.
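The chain described above (an HTML lure whose only job is to load a script from a public npm CDN, which then redirects to the phishing page) leaves a recognisable shape in the HTML file itself. The following scanner is an added example written for this article, not code from the researchers or from the campaign: it parses an HTML attachment, pulls out external script sources, keeps those hosted on an npm-serving CDN (unpkg.com from the article; cdn.jsdelivr.net is an assumed equivalent), and grades each by two signals the article implies, a machine-generated-looking package name and a document with no visible content. The three sample documents are constructed for the demonstration and are not real campaign artifacts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Public CDNs that serve npm packages straight from the registry. The article
# names unpkg.com; cdn.jsdelivr.net is an assumed equivalent added here.
NPM_CDN_HOSTS = {"unpkg.com", "cdn.jsdelivr.net"}

# Constructed samples (not real campaign files).
SAMPLE_SUSPICIOUS = """<!DOCTYPE html>
<html><head><title>Purchase Order 4471</title>
<script src="https://unpkg.com/a7f3k9q2z1@1.0.0/dist/index.js"></script>
</head><body></body></html>"""

SAMPLE_CDN_NORMAL = """<html><head>
<script src="https://unpkg.com/lodash@4.17.21/lodash.min.js"></script>
</head><body><h1>Quarterly report</h1><p>Figures attached below.</p></body></html>"""

SAMPLE_BENIGN = """<html><head><script src="/static/app.js"></script></head>
<body><p>Internal dashboard</p></body></html>"""


class _Collector(HTMLParser):
    """Collects external script URLs and the document's visible body text."""
    _HIDDEN = {"script", "style", "title", "head"}

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.visible_text = []
        self._hidden_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in self._HIDDEN:
            self._hidden_depth += 1
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.script_srcs.append(src)

    def handle_endtag(self, tag):
        if tag in self._HIDDEN and self._hidden_depth > 0:
            self._hidden_depth -= 1

    def handle_data(self, data):
        # Text inside head/script/style/title is not shown to the reader.
        if self._hidden_depth == 0 and data.strip():
            self.visible_text.append(data.strip())


def _package_from_path(path):
    """Return the npm package name from a CDN path such as
    /pkg@1.0.0/dist/index.js or /npm/@scope/pkg@2.0.0/file.js."""
    parts = [p for p in path.split("/") if p]
    if parts and parts[0] == "npm":          # jsdelivr prefixes its npm route
        parts = parts[1:]
    if not parts:
        return None
    if parts[0].startswith("@") and len(parts) > 1:   # scoped package
        name = parts[0] + "/" + parts[1].split("@")[0]
    else:
        name = parts[0].split("@")[0]       # strip the @version suffix
    return name or None


def looks_random(name):
    """Cheap heuristic for generated names: long and digit-heavy or vowel-poor.
    Tune the thresholds against your own allow-list of known packages."""
    bare = name.split("/")[-1]
    if len(bare) < 8:
        return False
    digits = sum(c.isdigit() for c in bare)
    vowels = sum(c in "aeiou" for c in bare.lower())
    return digits / len(bare) > 0.2 or vowels / len(bare) < 0.25


def scan_html(html):
    """Return one finding per script loaded from an npm CDN, with risk signals."""
    collector = _Collector()
    collector.feed(html)
    no_content = not collector.visible_text
    findings = []
    for src in collector.script_srcs:
        parsed = urlparse(src)
        if parsed.hostname not in NPM_CDN_HOSTS:
            continue
        package = _package_from_path(parsed.path)
        random_name = bool(package) and looks_random(package)
        findings.append({
            "url": src,
            "package": package,
            "random_name": random_name,
            "no_visible_content": no_content,
            # Both signals together match the lure pattern the article describes.
            "severity": "high" if (random_name and no_content) else "medium",
        })
    return findings


if __name__ == "__main__":
    for label, doc in [("suspicious", SAMPLE_SUSPICIOUS),
                       ("cdn-normal", SAMPLE_CDN_NORMAL),
                       ("benign", SAMPLE_BENIGN)]:
        print(label, scan_html(doc))
```

Run it over HTML attachments at the mail gateway or in a sandbox triage step; a "high" finding is a small document with no readable content that loads a randomly named package from a public npm CDN, which is worth quarantining for review, while "medium" findings (a recognisable library name, or a page with real content) can be allow-listed per package. The package names extracted this way can also be fed to an npm-registry lookup to check publish date and download counts, since the article notes the campaign's packages are newly published under throwaway names.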
It’s currently unclear how the attackers are distributing the HTML files, but it’s highly likely they are being spread through phishing emails. Since the packages themselves don’t contain any malicious code that executes upon installation, developers who might inadvertently download one would see no harmful behavior. The real danger lies in how the attackers are using the npm ecosystem and UNPKG to host and distribute their malicious scripts. This novel approach turns the npm registry into a silent, unwitting host for a large-scale phishing operation rather than a direct attack vector.
This campaign serves as a stark reminder of how attackers are constantly adapting their techniques to stay ahead of security defenses. By abusing legitimate, trusted infrastructure on a massive scale, the creators of Beamglea have developed a reproducible playbook that other threat actors are likely to adopt. The low cost and high resilience of this method make it an effective way to launch widespread attacks, reinforcing the need for continuous vigilance and new detection strategies to combat these ever-evolving threats.