npm Phishing Emails Target Developer Logins

July 23, 2025

A highly sophisticated phishing campaign has been uncovered, specifically targeting Node.js developers through an elaborate impersonation of the official npm package registry. This operation leverages the subtly altered domain npnjs.com, cleverly substituting the letter “m” with “n” to create a near-perfect replica of the legitimate npmjs.com website. This level of detail in typosquatting highlights a growing trend in supply chain attacks, where cybercriminals are shifting their focus to compromising high-value developer accounts.

The ultimate goal is to potentially infect millions of downstream projects by gaining unauthorized access to the accounts of package maintainers with significant reach within the development community.

The attack begins with a carefully crafted phishing email that spoofs the trusted support@npmjs.org address. To enhance its credibility and track potential victims, the email incorporates tokenized URLs. These tokens are designed not only to monitor user clicks but also to potentially pre-fill authentication data, making the fake login process appear more seamless and legitimate. The targeting is deliberate: the attackers appear to be hunting specifically for package maintainers responsible for widely used software. One identified target, for instance, maintains packages that collectively receive 34 million weekly downloads, underscoring the potential for widespread impact if their account were to be compromised.

Adding to the deception, the phishing email ingeniously includes legitimate support links that direct users to the actual npmjs.com website. This clever tactic bolsters the credibility of the fraudulent email, lulling recipients into a false sense of security before directing their login attempts to the malicious proxy site. Researchers at Socket.dev were instrumental in uncovering this campaign, identifying multiple technical indicators that ultimately exposed the attack’s underlying infrastructure.

Their vigilant analysis provided crucial insights into how the campaign was orchestrated and the mechanisms it employed to trick developers.

Further investigation into the technical infrastructure revealed a carefully orchestrated campaign designed for maximum credential harvesting while attempting to evade detection. The phishing emails were traced back to the IP address 45.9.148.108, hosted by Nice IT Customers Network via shosting-s0-n1.nicevps.net. This infrastructure has a problematic history: it has accumulated 27 abuse reports on AbuseIPDB and has been flagged as malicious by both VirusTotal and Criminal IP security databases, indicating a pattern of suspicious activity associated with this network. This history provides strong evidence of the malicious intent behind the campaign.

The comprehensive technical analysis further confirmed the fraudulent nature of the emails. Crucially, authentication mechanisms such as SPF, DKIM, and DMARC all failed validation, definitively proving that the emails did not originate from npm’s legitimate servers. The malicious domain, npnjs.com, operates as a full proxy of the genuine npm website. This sophisticated setup allows it to seamlessly replicate the entire user interface, making it virtually indistinguishable from the real site. However, its primary function is to intercept login credentials through cleverly disguised, fake authentication pages, accessible at https://npnjs.com/login, each embedded with unique tracking tokens to monitor victims.
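The two signals described above, failed SPF/DKIM/DMARC verdicts and links to a near-miss of npm's domain mixed in with genuine npmjs.com links, can be checked mechanically at mail triage. The following is an added example, not code from Socket.dev or npm; the sample message, the `TRUSTED` set, the edit-distance threshold of 2 and the function names are assumptions made for illustration.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Assumption: the domains this organisation treats as genuinely npm's.
TRUSTED = {"npmjs.com", "npmjs.org"}

# Constructed sample message modelled on the campaign described above.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=npmjs.org;
 dkim=fail header.d=npmjs.org; dmarc=fail header.from=npmjs.org
From: npm <support@npmjs.org>
Subject: Action required on your account

Log in: https://npnjs.com/login?token=CONSTRUCTED-TOKEN
Support: https://www.npmjs.com/support
"""

def edit_distance(a, b):
    """Levenshtein distance, one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels; adequate for .com/.org, not for multi-part suffixes."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def triage(raw):
    msg = message_from_string(raw)
    auth = msg.get("Authentication-Results", "").lower()
    # Any spf/dkim/dmarc verdict other than "pass" counts as a failure.
    failed = sorted(set(re.findall(r"\b(spf|dkim|dmarc)=(?!pass)\w+", auth)))
    body = "\n".join(p.get_payload() for p in msg.walk() if not p.is_multipart())
    hosts = {urlsplit(u).hostname for u in re.findall(r"https?://[^\s<>\"']+", body)}
    domains = {registrable(h) for h in hosts if h}
    # Near-miss of a trusted domain (distance 1-2) that is not itself trusted.
    lookalikes = sorted(d for d in domains - TRUSTED
                        if min(edit_distance(d, t) for t in TRUSTED) <= 2)
    return {"failed_auth": failed, "lookalike_domains": lookalikes,
            "suspicious": bool(failed or lookalikes)}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The genuine npmjs.com support link does not clear the message: a single lookalike domain or a single non-pass verdict is enough to mark it suspicious.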

Reference:

  • npm Phishing Emails Aim to Steal Login Credentials with Credential-Harvesting Tactics