Beamglea Campaign Targets Tech and Energy Firms with Malicious npm Packages

Published 2025-10-12 18:34:53 | www.esecurityplanet.com

Paranoid Newscast ratings: Credibility 70% | Risk Score 64% | Likelihood 8/10 | Impact 8/10 | Priority 4/5
The Beamglea campaign has exploited 175 malicious npm packages to conduct phishing attacks, primarily targeting tech and energy firms across Europe and APAC. Researchers discovered that these packages, which have over 26,000 downloads, redirect users to phishing sites designed to steal credentials.

The Beamglea campaign used 175 malicious npm packages to host phishing redirects, targeting global tech and energy firms. Socket security researchers discovered a large-scale phishing campaign that abused the npm registry and the unpkg CDN, using 175 malicious packages with more than 26,000 downloads to steal credentials. The campaign, which researchers dubbed Beamglea, primarily targeted more than 135 industrial, technology, and energy firms across Europe and APAC. Researchers said, “The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector.” This is not the first time npm packages have been used in an attack.

Because the packages are inert during npm install, traditional supply-chain controls (e.g., build-time malware scans) may not trigger. Instead, the adversaries leveraged a trusted delivery channel (unpkg over HTTPS) to load JavaScript that silently redirects users to bespoke phishing portals, often pre-filled with the victim’s email via a URL fragment; because browsers do not send the fragment to the server, this evades basic server-side logging.

Beamglea comprises 175 packages published across nine npm accounts. Each follows a redirect-[a-z0-9]{6} naming pattern and references a simple payload, beamglea.js, that appends the victim’s email to a phishing URL as a fragment (e.g., #) before redirecting. Socket researchers identified 630+ themed HTML lures, including purchase orders, technical specs, and project docs, that load these scripts from unpkg. The meta tag value nb830r6x also appears across the artifacts, which helped the researchers track the campaign. The Socket team has contacted npm to request that the packages from this campaign be removed.

Threat actors automated end-to-end package generation with Python tooling that verifies npm login, templatizes victim-specific JavaScript, publishes the package, and emits an HTML lure pointing at unpkg.com/@/beamglea.js. When opened, the lure redirects to one of several phishing domains (e.g., cfn.jackpotmastersdanske[.]com) and pre-fills the victim’s email address.
Some URLs include Base64 parameters indicating Office 365 “no-MFA” targeting (e.g., sv=o365_1_nom), which could indicate the threat actors plan to use the infrastructure for future business email compromise (BEC) attacks. The technique exploits trust in widely used developer CDNs without requiring package execution on developer machines.

To reduce exposure to malicious or compromised npm packages, organizations should adopt a layered defense strategy that combines technical controls, secure development practices, and continuous monitoring. Together, these measures help organizations safeguard their software supply chain, reducing the risk of compromise through malicious or tampered npm packages.

Beamglea marks a shift from malicious installs to the use of public registries and CDNs as trusted infrastructure for phishing. As attacks like Beamglea blur the line between trusted tools and threat infrastructure, strengthening overall software supply chain security has never been more critical.
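As an added defensive example (not from the article or from Socket's tooling), the following Python script checks an HTML attachment for the indicators the article describes: a script loaded from unpkg under a redirect-[a-z0-9]{6} package name, the beamglea.js payload name, and the nb830r6x meta tag value. The npm scope and package suffix in the sample lure are constructed placeholders, since the article does not reproduce the real scope.

```python
import re
from html.parser import HTMLParser

# Indicators taken from the article: scripts loaded from unpkg under a
# "redirect-<6 chars>" package name, the beamglea.js payload name, and
# the nb830r6x meta tag value researchers used to cluster the artifacts.
UNPKG_REDIRECT_RE = re.compile(
    r"https?://unpkg\.com/(?:@[\w.-]+/)?redirect-[a-z0-9]{6}(?:@[\w.-]+)?/beamglea\.js",
    re.IGNORECASE,
)
TRACKING_META_VALUE = "nb830r6x"


class LureParser(HTMLParser):
    """Collect external script sources and meta attribute values."""

    def __init__(self):
        super().__init__()
        self.script_srcs = []
        self.meta_values = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "meta":
            self.meta_values.extend(v for v in a.values() if v)


def scan_html(html: str) -> dict:
    """Return which Beamglea indicators an HTML attachment matches."""
    p = LureParser()
    p.feed(html)
    hits = {
        "unpkg_redirect_script": [s for s in p.script_srcs if UNPKG_REDIRECT_RE.search(s)],
        "beamglea_script": [s for s in p.script_srcs if "beamglea.js" in s.lower()],
        "tracking_meta": any(v.lower() == TRACKING_META_VALUE for v in p.meta_values),
    }
    hits["suspicious"] = any(hits.values())
    return hits


# Constructed samples: the scope and package suffix are placeholders, not
# the real campaign values (the article does not reproduce the scope).
CONSTRUCTED_LURE = """<html><head><meta name="generator" content="nb830r6x">
<script src="https://unpkg.com/@placeholder-scope/redirect-abc123/beamglea.js"></script>
</head><body>Purchase order PO-0001</body></html>"""
BENIGN_PAGE = """<html><head>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
</head><body>Hello</body></html>"""
```

Run scan_html over inbound HTML attachments at the mail gateway; a legitimate unpkg reference such as the React bundle in BENIGN_PAGE is not flagged, so the check adds no false positives for ordinary CDN use.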