The Socket Threat Research Team has identified a five-month-long spearphishing operation that uses the npm registry as hosting infrastructure for its phishing lures. The campaign targeted 25 organizations across the manufacturing, industrial automation, and healthcare sectors, primarily in the United States and allied nations. By serving the lure pages through CDNs that mirror npm, the threat actors slipped convincing phishing pages past email security controls that do not flag links into the npm ecosystem.
Unlike typical supply chain attacks that target developers at the installation phase, this operation utilizes npm to host browser-executed lures that impersonate Microsoft sign-in pages and secure document-sharing portals. The campaign appears highly curated, targeting commercial-facing personnel who routinely handle unsolicited Requests for Quotation (RFQs) and technical drawings.
Analysis of the npm Attack Vector
The threat actor published 27 malicious packages across six distinct npm aliases. The packages contain no functional software; they exist only to store obfuscated HTML and JavaScript bundles. When a victim opens the lure link, typically delivered in a targeted email, the browser fetches the package content from a CDN that serves npm packages directly, such as unpkg.com.
The script then performs a DOM overwrite with document.open(), document.write(), and document.close(): it wipes the current page and replaces it with a pixel-perfect "MicroSecure" document-sharing interface. Because the content is served from a trusted CDN domain and stays available until the package is taken down, the phishing infrastructure is both durable and hard to distinguish from legitimate traffic.
- Hosting Method: Abuse of the npm registry and npm-backed CDNs as secondary hosting layers.
- Persistence: High; the lure stays live until the packages are removed from the public registry.
- AiTM Integration: Domains embedded in the scripts show overlap with Evilginx redirector patterns (/wlc/, /load/).
- Anti-Analysis: navigator.webdriver checks, interaction gating (requiring mouse movement before the page renders), and blocking of right-click and clipboard actions.
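The indicators above can be turned into a triage check for suspicious bundles pulled from npm. The following Node.js scanner is an added example, not Socket's tooling and not code from the campaign: it undoes light string obfuscation (hex/unicode escapes and split string literals), then scores a bundle for the DOM-overwrite call sequence, the navigator.webdriver check, mouse-movement gating, right-click and clipboard blocking, unpkg.com references, and the /wlc/ and /load/ path patterns. The weights, the verdict threshold, the two sample bundles and the example.invalid domain are all constructed for the example.

```javascript
// Heuristic triage scanner for npm-hosted phishing lure bundles.
// Added example, not Socket's tooling: the indicators are the behaviours the
// research describes; the weights, threshold and samples are assumptions.

// Each indicator is a predicate over the normalized bundle source.
const INDICATORS = [
  // DOM overwrite: all three calls must be present, not just document.write().
  { id: 'dom_overwrite', weight: 3, test: s =>
      /document\.open\s*\(/.test(s) && /document\.write\s*\(/.test(s) && /document\.close\s*\(/.test(s) },
  // Headless/automation detection used to hide from sandboxes.
  { id: 'webdriver_check', weight: 2, test: s => /navigator\.webdriver/.test(s) },
  // Interaction gating: nothing renders until a real mouse moves.
  { id: 'mouse_gating', weight: 2, test: s => /addEventListener\s*\(\s*['"]mousemove['"]/.test(s) },
  // Right-click and clipboard blocking to frustrate inspection.
  { id: 'contextmenu_block', weight: 1, test: s => /['"]contextmenu['"]/.test(s) && /preventDefault/.test(s) },
  { id: 'clipboard_block', weight: 1, test: s => /['"](copy|cut|paste)['"]/.test(s) && /preventDefault/.test(s) },
  // Secondary hosting on an npm-backed CDN.
  { id: 'npm_cdn', weight: 1, test: s => /unpkg\.com/.test(s) },
  // Evilginx-style redirector paths mentioned in the research.
  { id: 'aitm_redirector_path', weight: 2, test: s => /\/(wlc|load)\//.test(s) },
];

// Undo the light obfuscation seen in lure bundles before matching:
// \xNN and \uNNNN escapes inside strings, and "a" + "b" string splitting.
function normalize(src) {
  return src
    .replace(/\\x([0-9a-fA-F]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/\\u([0-9a-fA-F]{4})/g, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/["']\s*\+\s*["']/g, '');
}

// Returns the indicator ids that fired, a weighted score and a verdict.
// Threshold of 5 is an assumption: one weak indicator alone is not enough.
function scoreLureBundle(src) {
  const s = normalize(src);
  const fired = INDICATORS.filter(i => i.test(s));
  const score = fired.reduce((sum, i) => sum + i.weight, 0);
  return { hits: fired.map(i => i.id), score, verdict: score >= 5 ? 'suspicious' : 'benign' };
}

// Constructed sample that mimics the described lure, with escape and
// string-split obfuscation; example.invalid is a placeholder domain.
const LURE_SAMPLE = [
  'if (navigator.webdriver) { throw 0; }',
  'document.addEventListener("contextmenu", e => e.preventDefault());',
  'document.addEventListener("copy", e => e.preventDefault());',
  'var html = "<!-- MicroSecure gate -->";',
  'window.addEventListener("mouse" + "move", function once() {',
  '  docu\\x6dent.open(); document.write(html); document.cl\\u006fse();',
  '  location.href = "https://example.invalid/wlc/" + token;',
  '}, { once: true });',
  'var cdn = "https://unpkg.com/some-package@1.0.0/dist/gate.js";',
].join('\n');

// Constructed benign sample: loads a library from unpkg and uses document.write once.
const BENIGN_SAMPLE = [
  'var s = document.createElement("script");',
  's.src = "https://unpkg.com/react@18/umd/react.production.min.js";',
  'document.write("<p>Loading...</p>");',
].join('\n');

console.log(scoreLureBundle(LURE_SAMPLE));   // suspicious, score 12
console.log(scoreLureBundle(BENIGN_SAMPLE)); // benign, score 1
```

The benign sample shows why the DOM-overwrite indicator requires all three calls: plenty of legitimate pages call document.write() or load a library from unpkg, and neither alone should raise an alert. Heavier obfuscation (packers, string arrays) would need a real deobfuscation pass before this kind of matching.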
Targeted Sectors and Methodology
The victims identified in this cluster are not random. The campaign focuses on individuals in sales, account management, and business development roles. These positions are strategically chosen because their workflows necessitate interaction with external attachments and links.
You may be affected if:
- Your organization operates in Manufacturing, Industrial Automation, Plastics, or Healthcare.
- Commercial-facing staff have recently received unsolicited emails regarding "MicroSecure" document shares or RFQs.
- Network logs show unusual traffic directed to unpkg.com or specific npm-related domains from non-technical departments.
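The network-log check in the list above can be scripted against proxy logs. The following Node.js example is added here and is not part of the Socket research or any vendor tool. The proxy-log format, the subnet-to-department mapping, and the watchlist of npm-backed CDN hosts (unpkg.com, registry.npmjs.org, and cdn.jsdelivr.net, which also serves npm packages) are assumptions made for the example, and the log lines are constructed.

```javascript
// Flag fetches of npm-backed CDNs from non-technical network segments.
// Added example over constructed proxy-log lines; the log format, the
// subnet-to-department map and the CDN watchlist are assumptions, not
// something taken from the Socket research.

const NPM_CDN_HOSTS = ['unpkg.com', 'registry.npmjs.org', 'cdn.jsdelivr.net'];

// Assumed mapping of internal VLANs to departments (constructed for the example).
const DEPARTMENT_SUBNETS = [
  { cidr: '10.10.0.0/16', department: 'Engineering', technical: true },
  { cidr: '10.20.0.0/16', department: 'Sales', technical: false },
  { cidr: '10.30.0.0/16', department: 'Procurement', technical: false },
];

// IPv4 dotted quad to unsigned 32-bit integer.
function ipToInt(ip) {
  return ip.split('.').reduce((acc, o) => (acc << 8) + Number(o), 0) >>> 0;
}

// True if ip falls inside the CIDR block.
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split('/');
  const mask = bits === '0' ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Constructed log format: timestamp src_ip user method url status.
const SAMPLE_PROXY_LOG = `
2025-11-03T09:14:22Z 10.20.4.17 jdoe GET https://unpkg.com/some-package@1.0.0/dist/index.js 200
2025-11-03T09:14:23Z 10.20.4.17 jdoe GET https://login.microsoftonline.com/common/oauth2/authorize 200
2025-11-03T09:15:01Z 10.10.8.2 build01 GET https://registry.npmjs.org/lodash 200
2025-11-03T09:16:40Z 10.30.2.9 asmith GET https://cdn.jsdelivr.net/npm/some-package@1.0.0/dist/index.js 200
2025-11-03T09:17:05Z 10.20.7.3 bwong GET https://www.example.com/rfq-2025-118.pdf 200
`.trim();

function parseProxyLine(line) {
  const [ts, srcIp, user, method, url, status] = line.trim().split(/\s+/);
  if (!url) return null;
  let host;
  try { host = new URL(url).hostname; } catch { return null; }
  return { ts, srcIp, user, method, url, status: Number(status), host };
}

function departmentFor(ip) {
  return DEPARTMENT_SUBNETS.find(s => inCidr(ip, s.cidr))
    || { department: 'Unknown', technical: false };
}

// Returns only the CDN fetches that came from segments with no reason to pull npm content.
function findNpmCdnHits(logText) {
  return logText.split('\n')
    .map(parseProxyLine)
    .filter(Boolean)
    .filter(e => NPM_CDN_HOSTS.some(h => e.host === h || e.host.endsWith('.' + h)))
    .map(e => ({ ...e, ...departmentFor(e.srcIp) }))
    .filter(e => !e.technical);
}

for (const hit of findNpmCdnHits(SAMPLE_PROXY_LOG)) {
  console.log(`${hit.ts} ${hit.department}/${hit.user} fetched ${hit.url}`);
}
```

Engineering's own registry traffic is deliberately excluded so the output is only fetches from staff who have no reason to pull code from npm; unknown source addresses are treated as non-technical so they are not silently dropped. In practice the department map would come from IPAM or the directory rather than a hard-coded table.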
This campaign is distinct from the Beamglea operation identified in October 2025. While both leveraged npm for hosting, the current cluster utilizes more complex browser-rendered flows and client-side anti-analysis controls, suggesting a different, more sophisticated adversary.
Strategic Implications for CISOs
This incident underscores an evolution in phishing delivery. By repurposing developer infrastructure as attack infrastructure, threat actors evade reputation-based web filters that allow traffic to the npm registry and its CDNs by default. The Adversary-in-the-Middle (AiTM) infrastructure then relays the victim's real sign-in to Microsoft and captures the resulting session cookie, so MFA methods that are not phishing-resistant (SMS codes, authenticator OTPs, push approvals) are completed by the victim and bypassed by the attacker in real time.
IMMEDIATE ACTION:
- Credential Audit: Organizations in the affected sectors should audit Microsoft 365 and Entra ID sign-in logs for anomalous sign-ins, particularly sessions from unfamiliar IP addresses or user agents that begin shortly after a user clicked a lure link.
- Block High-Risk CDNs: Unless required for business operations, consider blocking access to npm-related CDNs (e.g., unpkg.com) for non-technical staff.
- Transition to FIDO2: Deploy phishing-resistant authentication (FIDO2/WebAuthn security keys). Because a WebAuthn credential is bound to the legitimate origin, an AiTM proxy on a lookalike domain cannot obtain a usable assertion, unlike SMS or app-based MFA codes, which the victim will type into the proxied page.
- Specialized Awareness Training: Conduct targeted phishing simulations for sales and procurement teams that specifically mimic the "Document-Sharing Gate" lures.
View the full Socket research for the identified npm packages, IoCs, and recommendations.