Manufacturing, industrial automation, healthcare, and plastics organizations in the U.S. and other Allied nations have had their sales and commercial personnel's credentials targeted in a spear-phishing campaign involving 27 malicious npm packages for at least five months, according to The Hacker News.
All of the nefarious packages, which were published under six various npm aliases, have been used as hosting infrastructure to distribute client-side HTML and JavaScript lures that redirect targets to fraudulent Microsoft sign-in pages with pre-filled email addresses, an analysis from Socket revealed.
Multiple anti-analysis checks, including bot filtering, sandbox evasion, and mouse or touch input requirements, have also been implemented by the packages for clandestine compromise.
Such an intrusion campaign was noted by Socket researchers to be similar to the Beamglea campaign that facilitated credential harvesting through 175 nefarious packages.
"This campaign follows the same core playbook, but with different delivery mechanics. Instead of shipping minimal redirect scripts, these packages deliver a self-contained, browser-executed phishing flow as an embedded HTML and JavaScript bundle that runs when loaded in a page context," researchers added.
All of the nefarious packages, which were published under six various npm aliases, have been used as hosting infrastructure to distribute client-side HTML and JavaScript lures that redirect targets to fraudulent Microsoft sign-in pages with pre-filled email addresses, an analysis from Socket revealed.
Multiple anti-analysis checks, including bot filtering, sandbox evasion, and mouse or touch input requirements, have also been implemented by the packages for clandestine compromise.
Such an intrusion campaign was noted by Socket researchers to be similar to the Beamglea campaign that facilitated credential harvesting through 175 nefarious packages.
"This campaign follows the same core playbook, but with different delivery mechanics. Instead of shipping minimal redirect scripts, these packages deliver a self-contained, browser-executed phishing flow as an embedded HTML and JavaScript bundle that runs when loaded in a page context," researchers added.




