npm Packages Became Phishing Infrastructure

This was not a malware campaign.
There were no trojans, no ransomware, no weaponized installers.

Instead, attackers turned a trusted software supply chain platform into phishing infrastructure.

A sustained campaign abused the npm ecosystem to harvest credentials, bypassing traditional malware delivery entirely. The primary targets were not developers, but sales and commercial teams inside organizations operating in critical sectors.

This incident marks a shift in how supply chain abuse is executed—and who it targets.

Executive Summary
  • 27 malicious npm packages were uploaded to the registry
  • The packages were never meant to be installed
  • npm’s CDN-backed infrastructure was used to host phishing content
  • The campaign ran for five months
  • Targets included sales, account management, and business development teams
  • No payloads were dropped; everything executed client-side in the browser

The attack surface was not code execution.
It was infrastructure trust.

The Core Problem: Trusted Platforms as Attack Infrastructure

Package registries like npm are engineered for:

  • Speed
  • Global availability
  • Reliability
  • Developer convenience

They are not engineered to function as:

  • Abuse-resistant hosting platforms
  • Phishing detection engines
  • Content moderation systems at scale

Attackers exploited this design reality.

By embedding phishing pages inside npm packages and serving them through trusted CDNs, they achieved:

  • High delivery success
  • Minimal blocking by security controls
  • Implicit trust from browsers, email gateways, and enterprise networks

npm itself was not compromised.
It was repurposed.

Why This Type of Abuse Is Increasing

Modern defensive controls have made traditional malware delivery costly and noisy.

Executable payloads are:

  • Scanned
  • Sandboxed
  • Blocked
  • Logged

Browser-based content hosted on trusted infrastructure often is not.

When platforms are:

  • Allowlisted by default
  • Widely trusted across enterprises
  • Rarely inspected at the content layer

Abuse becomes scalable.

npm’s CDN infrastructure lowered friction to almost zero.
Attackers simply stepped into the gap.

How the Campaign Worked

Threat actors published 27 npm packages using six separate aliases.

Each package contained:

  • Embedded HTML
  • Obfuscated JavaScript
  • Phishing lures designed to resemble document-sharing portals

The Attack Flow
  1. A victim clicks a link pointing to npm-hosted content
  2. The browser loads a phishing page directly from the npm CDN
  3. The page mimics a shared document or business file
  4. The victim is redirected to a Microsoft sign-in page
  5. The email address is pre-filled to increase legitimacy
  6. Credentials are harvested in real time

No installation step was required.
No malware was delivered.
Everything executed entirely in the browser.

This was phishing without payloads, and that makes detection significantly harder.

Anti-Analysis and Evasion Techniques

The campaign demonstrated deliberate effort to evade detection and analysis.

The phishing pages included:

  • Bot and sandbox detection logic
  • Interaction checks requiring mouse or touch input
  • Hidden honeypot form fields to detect crawlers
  • Heavy JavaScript obfuscation and minification

If automated tools or analysis environments were detected:

  • The phishing flow stopped
  • No credentials were requested
  • The page appeared inert

Even security tooling was treated as an adversary.
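The package contents described above (embedded HTML, obfuscated JavaScript, document-sharing lures) and the evasion traits in this section (honeypot fields, interaction gating, heavy obfuscation) are all visible statically once a package tarball is unpacked. The following registry-side triage script is an added example, not code from the article, from npm, or from any vendor's scanner. It scores an unpacked package on those indicators and additionally flags a package that ships HTML but declares no code entrypoint at all, matching the "never meant to be installed" pattern. The sample package, file names and thresholds are constructed for the demo; the sample script is an inert stub that only carries the textual patterns the checks look for.

```python
"""Static triage of an unpacked npm package for browser-phishing indicators.

Added example (not from the article, npm, or any vendor). Indicators:
  - HTML login lure with a password field and a pre-filled email field
  - hidden honeypot inputs used to detect crawlers
  - interaction gating on mouse/touch events before anything runs
  - obfuscated / minified JavaScript (hex identifiers, eval(atob(...)), very long lines)
  - package.json that declares no main/bin/exports/dependencies while HTML is present
"""
import json
import re
from typing import Dict, List

# Regex indicators: (label, pattern, file kind the pattern applies to).
CHECKS = [
    ("password_field", r"<input[^>]+type=['\"]?password", "html"),
    ("prefilled_email", r"<input[^>]+type=['\"]?email[^>]+value=", "html"),
    ("hidden_honeypot_input", r"<input[^>]+(display:\s*none|tabindex=['\"]?-1)", "html"),
    ("interaction_gating", r"addEventListener\(['\"](mousemove|touchstart|pointermove)", "js"),
    ("eval_decode", r"eval\s*\(\s*atob|new Function\s*\(", "js"),
    ("hex_identifiers", r"_0x[0-9a-f]{3,}", "js"),
]
MAX_LINE_LEN = 1000        # a single source line longer than this counts as minified
SUSPICIOUS_SCORE = 4       # assumed threshold for the demo

# Constructed sample package (file name -> content). The JS is an inert stub.
SAMPLE_PACKAGE: Dict[str, str] = {
    "package.json": json.dumps({"name": "docs-viewer-demo", "version": "1.0.0"}),
    "index.html": (
        "<html><body><h1>Shared document</h1>"
        "<form id='login'>"
        "<input type='email' name='user' value='alice@example.com'>"
        "<input type='password' name='pass'>"
        "<input name='website' style='display:none' tabindex='-1'>"
        "</form><script src='app.min.js'></script></body></html>"
    ),
    "app.min.js": (
        "var _0x1a2b=[''];"
        "document.addEventListener('mousemove',function(){eval(atob(_0x1a2b[0]))});"
        + "a=1;" * 300
    ),
}


def classify(name: str) -> str:
    """Map a file name to the kind of checks that apply to it."""
    if name.endswith((".html", ".htm")):
        return "html"
    if name.endswith((".js", ".mjs", ".cjs")):
        return "js"
    return "other"


def scan_file(name: str, content: str) -> List[str]:
    """Return the indicator labels that fire for one file, in CHECKS order."""
    kind = classify(name)
    hits = [label for label, pattern, target in CHECKS
            if target == kind and re.search(pattern, content, re.IGNORECASE)]
    if kind == "js":
        longest = max((len(line) for line in content.splitlines()), default=0)
        if longest > MAX_LINE_LEN:
            hits.append("minified_long_line")
    return hits


def scan_package(files: Dict[str, str]) -> Dict[str, object]:
    """Scan every file and the manifest; return findings, a score and a verdict."""
    findings: Dict[str, List[str]] = {}
    for name, content in files.items():
        hits = scan_file(name, content)
        if hits:
            findings[name] = hits
    meta = json.loads(files.get("package.json", "{}"))
    no_entrypoint = not any(k in meta for k in ("main", "bin", "exports", "dependencies"))
    ships_html = any(classify(n) == "html" for n in files)
    if no_entrypoint and ships_html:
        # Nothing for `require()` to load, yet a browser page is shipped: the
        # package exists to be served, not installed.
        findings["package.json"] = ["html_only_no_entrypoint"]
    score = sum(len(v) for v in findings.values())
    return {"findings": findings, "score": score, "suspicious": score >= SUSPICIOUS_SCORE}


if __name__ == "__main__":
    print(json.dumps(scan_package(SAMPLE_PACKAGE), indent=2))
```

Each indicator on its own is weak (legitimate front-end packages ship minified JavaScript, and documentation packages ship HTML), which is why the script scores them together rather than blocking on any single hit; a registry or an internal proxy mirror would quarantine above the threshold and send the findings to a reviewer.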

Real-World Targeting: Sales Became the Perimeter

This was not a broad, untargeted phishing campaign.

Over five months, attackers targeted 25 organizations operating in:

  • Manufacturing
  • Industrial automation
  • Plastics
  • Healthcare

The primary victims were:

  • Sales professionals
  • Account managers
  • Business development teams

Targets were distributed across:

  • North America
  • Europe
  • Allied regions in Asia

Sales teams represent a unique risk profile:

  • Frequent external communication
  • Access to sensitive pricing, contracts, and negotiations
  • Lower levels of hardened security controls compared to engineering teams

By targeting sales, attackers bypassed traditional IT and development-focused defenses.

Infrastructure and Tooling Insights

Researchers identified overlaps with adversary-in-the-middle (AitM) phishing infrastructure, including tooling consistent with Evilginx-style operations.

This campaign followed a known credential-harvesting playbook—but with a crucial change:

Delivery moved into the software supply chain.

Instead of redirect-only phishing pages, attackers delivered:

  • Fully self-contained browser-based phishing flows
  • Portable and resilient infrastructure
  • Hosting that was difficult to block without breaking legitimate developer workflows

This was phishing-as-a-service, embedded in code repositories.

Impact on Organizations

Credential theft rarely ends at login.

Once email credentials are compromised, attackers can:

  • Conduct internal phishing
  • Access sensitive communications
  • Enable fraud and invoice manipulation
  • Establish persistence

Sales and commercial teams are especially vulnerable because:

  • They operate outside hardened engineering environments
  • They interact with external parties constantly
  • Their compromise often goes unnoticed longer

From a compliance perspective, many organizations had not anticipated that exposure originating in developer infrastructure could affect non-technical users.

What Security Teams Must Do Now

This incident requires a shift in perspective.

Key Actions

  • Treat package registries as infrastructure risk, not just developer tooling
  • Enforce strict dependency and artifact verification
  • Monitor CDN access patterns from non-development contexts
  • Deploy phishing-resistant MFA, especially for sales and commercial users
  • Monitor post-authentication behavior—credential theft is only the first step

Visibility must extend beyond engineering teams.
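The "monitor CDN access patterns from non-development contexts" action above can be implemented directly on web-gateway logs. The script below is an added example, not code from the article or from any proxy or SIEM vendor: it flags requests in which a browser (rather than a package manager or bundler) renders HTML served from a registry-backed CDN host, and raises the severity when the requesting user's department is not a development role. The watchlist hosts, the log line format, the user directory and the sample log lines are assumptions constructed for the demo; map them onto your own gateway logs and identity-provider group data.

```python
"""Detect browser fetches of HTML from package-registry CDN hosts, weighted by
whether the requesting user holds a development role.

Added example (not from the article or any vendor). Assumed inputs:
  - a proxy log line "<ts> <user> <method> <url> <status> <content-type> <user-agent>"
  - a user -> department map (in production, an IdP group lookup)
  - a watchlist of hosts that serve npm package contents to browsers
"""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Assumed watchlist: the npm registry plus public CDNs that serve npm
# package contents straight to a browser.
REGISTRY_CDN_HOSTS = {"registry.npmjs.org", "unpkg.com", "cdn.jsdelivr.net"}

# Roles for which fetching package content is routine (assumed for the demo).
DEV_DEPARTMENTS = {"engineering", "platform", "devops"}

# Constructed user -> department map.
USER_DEPARTMENT: Dict[str, str] = {
    "bob": "engineering",
    "carol": "sales",
    "dave": "business-development",
}

# Constructed proxy log. Content types here carry no "; charset=" suffix;
# adjust LINE_RE if your gateway emits one.
SAMPLE_LOG = """\
2025-01-10T09:01:02Z bob GET https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz 200 application/octet-stream npm/10.2.0 node/v20.10.0
2025-01-10T09:05:44Z carol GET https://unpkg.com/docs-viewer-demo@1.0.0/index.html 200 text/html Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
2025-01-10T09:07:30Z bob GET https://unpkg.com/react@18/umd/react.production.min.js 200 application/javascript Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0
2025-01-10T09:08:15Z bob GET https://unpkg.com/some-lib@2.0.0/docs/index.html 200 text/html Mozilla/5.0 (X11; Linux x86_64) Firefox/121.0
2025-01-10T09:09:00Z dave GET https://cdn.jsdelivr.net/npm/docs-viewer-demo@1.0.0/index.html 200 text/html Mozilla/5.0 (Macintosh) Safari/17.0
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\S+) (.*)$")


@dataclass
class Alert:
    timestamp: str
    user: str
    department: str
    url: str
    severity: str  # "high" for non-development users, "medium" otherwise


def is_browser_user_agent(ua: str) -> bool:
    """Package managers identify as npm/, yarn/, pnpm/; browsers as Mozilla/5.0."""
    return ua.startswith("Mozilla/")


def detect(log_text: str, departments: Dict[str, str]) -> List[Alert]:
    """Return one Alert per browser-rendered HTML fetch from a watchlisted host."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the pipeline
        ts, user, _method, url, _status, ctype, ua = m.groups()
        host = urlparse(url).hostname or ""
        if host not in REGISTRY_CDN_HOSTS:
            continue
        # Tarball or JS fetches by a package manager or a bundler are normal;
        # a browser rendering HTML straight off the registry CDN is the signal.
        if not (ctype.startswith("text/html") and is_browser_user_agent(ua)):
            continue
        dept = departments.get(user, "unknown")
        severity = "medium" if dept in DEV_DEPARTMENTS else "high"
        alerts.append(Alert(ts, user, dept, url, severity))
    return alerts


def high_severity_users(alerts: List[Alert]) -> List[str]:
    """Users to prioritise for sign-in review and credential reset."""
    return sorted({a.user for a in alerts if a.severity == "high"})


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, USER_DEPARTMENT):
        print(f"{a.severity:6} {a.user:6} {a.department:22} {a.url}")
```

Engineers do legitimately open package documentation in a browser, so their hits stay at medium severity for trend review; a sales or business-development user rendering HTML from a registry CDN has no routine reason to do so, and that user's subsequent sign-in activity is where the post-authentication monitoring in the list above should focus.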

Broader Supply Chain Risk

This campaign is part of a wider trend.

Malicious packages are increasing across:

  • npm
  • PyPI
  • NuGet
  • Go modules

Some attacks trigger immediately.
Others wait.
Some erase repositories, CI outputs, or source code selectively.

Supply chain attacks are becoming:

  • More precise
  • More patient
  • More role-targeted

The objective is no longer disruption alone.
It is access and persistence.

Final Thoughts

This campaign demonstrates how trusted platforms can become attack infrastructure.

npm was not breached.
It was trusted—and that trust was exploited.

The future of phishing is low-friction, browser-based, and embedded in places defenders assume are safe.

Sales and commercial teams are now part of the attack surface.

Organizations must rethink trust, visibility, and identity controls—now, not later.

About COE Security

COE Security supports organizations across finance, healthcare, government, consulting, technology, real estate, and SaaS.

We help teams strengthen security through:

  • Email security
  • Threat detection
  • Cloud security
  • Secure development practices
  • Compliance advisory
  • Continuous security assessments focused on real risk reduction

Follow COE Security on LinkedIn to stay informed as modern threats continue to evolve.
