
175 npm packages, unpkg CDN abused for phishing infrastructure

(Credit: Araki Illustrations – stock.adobe.com)

A phishing campaign targeting more than 100 companies has been abusing the npm registry and unpkg.com content delivery network (CDN) to host scripts that redirect victims to fake login pages, Socket reported Thursday.

The campaign takes advantage of the legitimate unpkg service, which allows any public npm package to be served over HTTPS at an unpkg.com URL.

Rather than use their own infrastructure to host the malicious JavaScript that redirects victims to their phishing sites, the attacker uploads it as a separate npm package for each personalized email attack, then sends HTML attachments that load the redirect script from unpkg.com.

The campaign was first reported by Paul McCarty of Safety on Sept. 26, 2025, when 120 packages tied to the campaign were found. Socket has since identified a total of 175 packages published by nine npm accounts, along with seven command and control (C2) domains used to host phishing pages.

Analysis of the packages shows they are created with an automated Python-based system that takes a JavaScript template file, called beamglea_template.js, the victim's email address and the phishing page URL as inputs, then automatically creates and publishes a new package containing the redirect script and HTML files referencing the unpkg.com URL for that package.

The packages all follow the same naming convention of "redirect-" followed by six random digits and lowercase letters. While the packages don't pose a direct risk to anyone who unknowingly installs them and do not execute malware, they host the resources the attackers need to deliver their personalized phishing lures, which use the victim's email address to partly autofill the fake login forms.

Socket found more than 630 malicious HTML files among the packages, with names mimicking business documents such as purchase orders, technical specifications and project details. Based on victim email addresses included in the packages, the campaign targeted more than 100 businesses across industries including manufacturing, technology and energy.

Socket reported the packages and their author accounts to the npm security team; most of the packages listed in Socket’s blog post appeared to have been removed by npm as of Friday afternoon.

The discovery of this campaign comes after GitHub announced plans to strengthen its npm publishing and authentication policies following high-profile supply chain attacks targeting the registry.

In light of the campaign, Socket recommended that organizations consider quarantining HTML attachments, which are frequently used in phishing attacks, as well as monitoring unpkg.com requests that match the indicators of compromise (IOCs) from the recent campaign.

“Add endpoint detection rules for HTML files in Downloads folders that contain unpkg.com script references, particularly those with empty titles and minimal content. Implement browser history analysis looking for sequential navigation from local HTML files to external domains with email fragments in the URL,” the Socket researchers concluded.
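The endpoint detection rule Socket describes (HTML files in a Downloads folder that load a script from unpkg.com, with an empty title and minimal content) and the "redirect-" plus six characters package naming convention reported above can both be expressed as a small scanner. The following is an added example written for this article, not code from Socket or from the campaign; the unpkg URL layout (unpkg.com/<package>[@version]/<path>), the 200-character content threshold, and the two sample HTML documents are this example's own assumptions and constructed inputs.

```python
"""Flag HTML files that reference unpkg.com scripts and look like minimal lures."""
import os
import re
from html.parser import HTMLParser

# Naming convention reported in the article: "redirect-" followed by six random
# digits or lowercase letters.
PACKAGE_RE = re.compile(r"^redirect-[a-z0-9]{6}$")

# Assumed unpkg URL layout: //unpkg.com/<package>[@version]/<path>. Scoped
# packages (@scope/name) are handled so that legitimate CDN use is parsed too.
UNPKG_RE = re.compile(
    r"^(?:https?:)?//unpkg\.com/(?P<pkg>(?:@[^/\s]+/)?[^/@\s]+)(?:@[^/\s]*)?(?:/.*)?$"
)

# Threshold for "minimal content"; an assumption of this example, not a page value.
MIN_VISIBLE_CHARS = 200


class _LureParser(HTMLParser):
    """Collects <script src> values, the <title> text and the visible body text."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.title = ""
        self.visible = []
        self._in_title = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.script_srcs.extend(v for k, v in attrs if k == "src" and v)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
        elif tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data
        elif not self._in_script:
            self.visible.append(data)


def analyze_html(html_text):
    """Return the indicators found in one HTML document plus a verdict."""
    parser = _LureParser()
    parser.feed(html_text)
    parser.close()
    unpkg_pkgs = []
    for src in parser.script_srcs:
        match = UNPKG_RE.match(src.strip())
        if match:
            unpkg_pkgs.append(match.group("pkg"))
    # Normalize whitespace so blank lines between tags do not count as content.
    visible_chars = len(" ".join("".join(parser.visible).split()))
    result = {
        "unpkg_packages": unpkg_pkgs,
        "convention_matches": [p for p in unpkg_pkgs if PACKAGE_RE.match(p)],
        "empty_title": parser.title.strip() == "",
        "minimal_content": visible_chars < MIN_VISIBLE_CHARS,
    }
    # An unpkg reference alone is normal web development; flag it only together
    # with the lure traits from the article (empty title and little content) or
    # with a package name that follows the reported convention.
    result["suspicious"] = bool(unpkg_pkgs) and (
        bool(result["convention_matches"])
        or (result["empty_title"] and result["minimal_content"])
    )
    return result


def scan_downloads(directory):
    """Walk a folder such as a user's Downloads and return findings per HTML file."""
    findings = {}
    for root, _dirs, files in os.walk(directory):
        for name in files:
            if name.lower().endswith((".html", ".htm")):
                path = os.path.join(root, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings[path] = analyze_html(fh.read())
    return findings


# Constructed samples for this example; package name, script path and markup are
# made up and are not artifacts from the campaign.
LURE_SAMPLE = """<html><head><title></title>
<script src="https://unpkg.com/redirect-ab12cd/index.js"></script>
</head><body></body></html>"""

BENIGN_SAMPLE = (
    """<html><head><title>Release notes</title>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
</head><body>"""
    + "<p>Ordinary documentation text that runs well past the threshold.</p>" * 10
    + "</body></html>"
)

if __name__ == "__main__":
    for label, doc in (("lure", LURE_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyze_html(doc))
```

Running `scan_downloads` over a Downloads folder yields one result per HTML file; the `convention_matches` and `empty_title`/`minimal_content` fields map directly onto the two conditions in Socket's suggested rule, so a deployment can tune the threshold or require both conditions without changing the parser.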
