Threat actors are abusing legitimate NPM infrastructure in a new phishing campaign that breaks from the typical supply chain attack pattern.
Recent attacks targeting the NPM ecosystem have relied on malicious code injected in packages to infect developers and their users, and to add worm-like behavior.
As part of the newly identified campaign, dubbed Beamglea, the malicious packages do not execute code, but abuse the legitimate CDN service unpkg[.]com to serve phishing pages to unsuspecting users.
In late September, Safety security researcher Paul McCarty identified 120 packages used in these attacks. Now, their number has topped 175, cybersecurity firm Socket says.
The packages target more than 135 organizations in the energy, industrial equipment, and technology sectors, and have collectively accumulated over 26,000 downloads, although many of these come from security researchers, automated scanners, and analysis tools.
The packages, Socket explains, have names that follow the pattern ‘redirect-[a-z0-9]{6}’: a fixed prefix followed by a random six-character string. Once they were published to NPM, unpkg.com made them available via HTTPS CDN URLs.
“Threat actors may distribute HTML files themed as purchase orders and project documents to targeted victims. While the exact distribution method is unclear, the business document themes and victim-specific customization suggest email attachment or phishing link delivery,” Socket notes.
As soon as the victim opens the HTML file, malicious JavaScript code within these packages is loaded in the browser, from the unpkg.com CDN, and the victim is redirected to a phishing page where they are prompted to enter their credentials.
Socket also discovered that the threat actor used Python tooling to automate the campaign: the process checks if the victim is logged in, prompts for their credentials, injects the email and a phishing URL in a JavaScript template file (beamglea_template.js), generates a package.json, publishes it as a public package, and generates the HTML file with the unpkg.com CDN reference to the package.
“This automation enabled the threat actors to create 175 unique packages targeting different organizations without manual intervention for each victim,” Socket notes.
The threat actors have generated over 630 HTML files directing to these packages, all of which have the campaign identifier nb830r6x in their meta tag. The files mimic purchase orders, technical specifications documents, and project documents.
“When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim’s email address via URL fragment. The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them,” Socket notes.
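A defender-side check for the lure structure described above, written for this article as an added example (not Socket's or Snyk's tooling): it parses an HTML file and flags a script loaded from the unpkg.com CDN, a package name matching the ‘redirect-[a-z0-9]{6}’ pattern, and the nb830r6x campaign identifier in a meta tag. The sample HTML, the meta attribute names, and the package version and filename are constructed assumptions.

```python
import re
from html.parser import HTMLParser

# Constructed sample lure (assumption, not a file from the campaign): a meta
# tag carrying the campaign identifier and a script tag pulling a
# 'redirect-xxxxxx' package from the unpkg.com CDN.
SAMPLE_LURE = """<html><head>
<meta name="campaign" content="nb830r6x">
<title>Purchase Order PO-20250930</title>
<script src="https://unpkg.com/redirect-ab12cd@1.0.0/beamglea.js"></script>
</head><body>Loading document...</body></html>"""

# unpkg URL shape: https://unpkg.com/<package>[@<version>][/<file>]
# The package group also accepts scoped names (@scope/name).
UNPKG_RE = re.compile(
    r"^https?://unpkg\.com/(?P<pkg>(?:@[^/]+/)?[^/@]+)", re.IGNORECASE)
PKG_NAME_RE = re.compile(r"^redirect-[a-z0-9]{6}$")  # pattern reported by Socket
CAMPAIGN_ID = "nb830r6x"                              # identifier reported by Socket


class LureScanner(HTMLParser):
    """Collects (indicator, value) findings while walking the HTML."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            m = UNPKG_RE.match(a["src"])
            if m:
                pkg = m.group("pkg")
                self.findings.append(("unpkg_script", pkg))
                if PKG_NAME_RE.match(pkg):
                    self.findings.append(("beamglea_pattern", pkg))
        if tag == "meta":
            # Attribute names vary; check every attribute value.
            if any(v and CAMPAIGN_ID in v for v in a.values()):
                self.findings.append(("campaign_id", CAMPAIGN_ID))


def scan_html(text):
    """Return the list of indicators found in an HTML document."""
    scanner = LureScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.findings


def is_beamglea_lure(text):
    """True when the package-name pattern or the campaign identifier is present."""
    kinds = {kind for kind, _ in scan_html(text)}
    return "beamglea_pattern" in kinds or "campaign_id" in kinds
```

Point scan_html at HTML attachments extracted from mail or proxy logs; an unpkg_script finding alone is only a lead, since unpkg.com serves plenty of legitimate packages.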
Targeted organizations include Algodue, ArcelorMittal, Demag Cranes, D-Link, H2 Systems, Moxa, Piusi, Renishaw, Sasol, Stratasys, and ThyssenKrupp Nucera. The attacks mainly focused on Western European countries, with additional targets identified in Northern Europe and the Asia Pacific region.
According to cybersecurity firm Snyk, additional packages that use the “mad-*” naming scheme appear to engage in similar behavior, although they have not yet been associated with this campaign.
“This package contains a fake ‘Cloudflare Security Check’ page that covertly redirects users to an attacker-controlled URL fetched from a remote GitHub-hosted file. It includes common anti-analysis logic that blocks inspection shortcuts and attempts to redirect the top window (frame-busting) after a fake verification checkbox is clicked,” Snyk notes.