175 npm Packages Abused in Beamglea Phishing Operation

The Beamglea campaign used 175 malicious npm packages to host phishing redirects, targeting global tech and energy firms.

Written By
Ken Underhill
Oct 10, 2025

Socket security researchers discovered a large-scale phishing campaign that abused the npm registry and unpkg CDN, using 175 malicious packages with more than 26,000 downloads to steal credentials.

The campaign, which researchers dubbed Beamglea, primarily targeted more than 135 industrial, technology, and energy firms across Europe and APAC.

Researchers said, “The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector.”

A new twist on npm abuse

This is not the first time npm packages have been used in an attack.

Because the packages are inert during npm install, traditional supply-chain controls (e.g., build-time malware scans) may not trigger.

Instead of relying on package execution, the adversaries leveraged trusted delivery (unpkg over HTTPS) to load JavaScript that silently redirects users to bespoke phishing portals, often pre-filled with the victim's email via URL fragments; because a fragment is never sent in the HTTP request, this evades basic server-side logging.

From package to phish

Beamglea comprises 175 packages published across nine npm accounts. Each follows a redirect-[a-z0-9]{6} naming pattern and references a simple payload, beamglea.js, that appends the victim's email to a phishing URL as a fragment (e.g., #user@company.com) before redirecting.

Socket researchers identified 630+ themed HTML lures, including purchase orders, technical specs, and project docs, that load these scripts from unpkg.

The meta tag value nb830r6x also appears across artifacts, which helped the researchers track the campaign. The Socket team has contacted npm to request that the packages from this campaign be removed.

Threat actors automated end-to-end package generation with Python tooling that verifies npm login, templatizes victim-specific JavaScript, publishes the package, and emits an HTML lure pointing at unpkg.com/<package>@<version>/beamglea.js.

When opened, the lure redirects to one of several phishing domains (e.g., cfn.jackpotmastersdanske[.]com) and pre-fills credentials.

Some URLs include Base64 parameters indicating Office 365 “no-MFA” targeting (e.g., sv=o365_1_nom), which could indicate the threat actors plan to use the infrastructure for future business email compromise (BEC) attacks.

The technique exploits trust in widely used developer CDNs without requiring package execution on developer machines.

Mitigation strategies for npm attacks

To reduce exposure to malicious or compromised npm packages, organizations should adopt a layered defense strategy that combines technical controls, secure development practices, and continuous monitoring.

  • Secure dependency management: Use private registries, allowlist(ed) packages, and version pinning to control which dependencies enter your environment.
  • Automate scanning and integrity checks: Run SCA tools continuously and verify package signatures or checksums to detect tampering or malicious code.
  • Harden build and network environments: Isolate CI/CD pipelines, restrict outbound traffic to trusted domains, and disable risky npm install scripts.
  • Educate and monitor: Train developers to vet packages carefully, watch for typosquatting or anomalies, and integrate npm events into security monitoring and incident response plans.

Together, these measures help organizations safeguard their software supply chain, reducing the risk of compromise through malicious or tampered npm packages.

Beamglea marks a shift from malicious installs to the use of public registries and CDNs as trusted infrastructure for phishing.

As attacks like Beamglea blur the line between trusted tools and threat infrastructure, strengthening overall software supply chain security has never been more critical.


Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.
