The phishing flow first presents a fake “MicroSecure” document-sharing verification page | Image: Socket
A new investigation by The Socket Threat Research Team has uncovered a sophisticated spear-phishing operation that has abused the npm registry for at least five months to target critical infrastructure sectors in the US and its allied nations.
The campaign marks a disturbing evolution in supply chain abuse. Rather than slipping malware into developer tools, these threat actors are using npm packages as free, high-reputation hosting for targeted phishing pages designed to steal Microsoft credentials.
The attack is surgically precise. Researchers identified 27 malicious npm packages published under six different aliases. These packages, such as the still-active adril7123, are not meant to be installed by developers. Instead, they act as “browser-executed phishing components” served via Content Delivery Networks (CDNs).
“This operation repurposes npm and package CDNs into durable hosting infrastructure, delivering client-side HTML and JavaScript lures that the threat actor embeds directly in phishing pages,” the report explains.
When a victim visits the malicious link, the package code wipes the legitimate page content and replaces it with a high-fidelity lure. The first stage masquerades as a “MicroSecure” document-sharing service, claiming to host sensitive business files like RFQs or layout drawings.
“The phishing flow first presents a fake ‘MicroSecure’ document-sharing verification page that references RFQ-style content, then switches to a Microsoft-branded sign-in prompt,” the researchers noted.
Unlike broad spam campaigns, this operation is intensely focused. The attackers are not hunting IT admins; they are hunting the people who are paid to open unsolicited emails: sales and commercial personnel.
“The campaign is highly-targeted, focusing on sales and commercial personnel at critical infrastructure-adjacent organizations in the United States and allied nations,” the report states.
Socket identified 25 distinct targets across sectors including manufacturing, industrial automation, plastics, and healthcare. The attackers appear to have done their homework, likely scraping attendee lists from major international trade shows like Interpack and K-Fair.
“A plausible hypothesis is that the threat actor used these sources to identify sales contacts, then tailored RFQ-themed lures around a workflow where sales teams routinely expect unsolicited outreach,” the analysts hypothesized.
To prevent security bots and automated scanners from detecting the phishing page, the script employs “lightweight client-side checks.” It looks for signs of automation—such as a lack of mouse movement or specific screen dimensions—and locks the “Verify” button until it confirms a human is at the helm.
Furthermore, the attackers deploy “honeypot form fields”—invisible text boxes that only bots would see. “Real users never see or complete this field, but automated form fillers often populate it,” the report explains. If the honeypot is filled, the attack aborts immediately.
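As an added example (not Socket's tooling or the report's own code), the short Python triage script below flags files that combine several of the lure behaviours described above rather than any one in isolation; the indicator regexes and both fixtures are constructed for illustration.

```python
import re

# Indicators abstracted from the behaviours the report describes: wiping the page
# body, gating "Verify" on mouse movement and screen size, a hidden honeypot
# input, and Microsoft sign-in branding. Regexes are illustrative, not Socket's.
INDICATORS = {
    "body_wipe": re.compile(r"document\.body\.innerHTML\s*=", re.I),
    "mouse_gate": re.compile(r"addEventListener\(\s*['\"]mousemove['\"]", re.I),
    "screen_check": re.compile(r"\b(screen\.(width|height)|outerWidth|outerHeight)\b", re.I),
    "honeypot_input": re.compile(
        r"<input[^>]*?(display\s*:\s*none|visibility\s*:\s*hidden|left\s*:\s*-\d{3,}px)", re.I),
    "ms_signin": re.compile(r"sign\s*in.{0,40}microsoft|microsoft.{0,40}sign\s*in", re.I | re.S),
    "verify_gate": re.compile(r"<button[^>]*\bdisabled\b[^>]*>\s*Verify", re.I),
}
# Any single indicator is common in legitimate front-end code; the lure stacks them.
STRUCTURAL = {"body_wipe", "honeypot_input", "verify_gate"}

def scan(text):
    """Return the sorted names of indicators present in a package file's text."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def verdict(text, min_hits=3):
    """Flag only when at least min_hits indicators fire and one of them is
    structural (body wipe, honeypot or gated Verify button); this keeps ordinary
    code that merely mentions Microsoft or reads screen size from being flagged."""
    hits = scan(text)
    return (len(hits) >= min_hits and bool(STRUCTURAL & set(hits))), hits

# Constructed fixture mimicking the reported lure's structure; not a real package
# and deliberately non-functional (no form handling, no exfiltration).
LURE_LIKE = """<div id="doc"><h2>MicroSecure</h2><p>RFQ_layout_drawing.pdf</p>
<input type="text" name="website" style="display:none" autocomplete="off">
<button id="verify" disabled>Verify</button></div>
<script>
document.body.innerHTML = document.getElementById("doc").outerHTML;
window.addEventListener("mousemove", () => { ready = screen.width > 800; });
</script><p>Sign in to Microsoft to continue</p>"""

# Constructed benign fixture: an ordinary Graph client that mentions Microsoft
# sign-in and reads window size, which must not be flagged.
BENIGN = """// Sign in with your Microsoft account via MSAL, then call Graph
const w = window.outerWidth; fetch("https://graph.microsoft.com/v1.0/me");"""

if __name__ == "__main__":
    for label, sample in (("lure-like", LURE_LIKE), ("benign", BENIGN)):
        flagged, hits = verdict(sample)
        print(f"{label}: flagged={flagged} indicators={hits}")
```

Run against the extracted contents of a package tarball (one call per HTML or JS file) to surface candidates for manual review; the threshold is a starting point, not a classifier.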
Once the victim is tricked into entering their credentials, the attack pivots to a sophisticated Adversary-in-the-Middle (AiTM) phase. The captured data is sent to infrastructure whose patterns overlap with those of Evilginx, a toolkit capable of bypassing Multi-Factor Authentication (MFA).
“In AiTM scenarios, this handoff infrastructure can do more than collect passwords by brokering the session through a threat actor-controlled proxy and enabling theft of session cookies or tokens,” the report warns.
By hosting their lures on trusted CDNs, attackers bypass traditional domain blocklists. Socket has reported the malicious packages to the npm security team and notified the targeted organizations.