Cybersecurity experts have uncovered a targeted spear-phishing campaign that uses malicious npm packages to facilitate credential theft across critical infrastructure sectors. The attackers used package hosting to serve resilient, embedded phishing elements that mimic secure document-sharing platforms, focusing on organizations in manufacturing, healthcare, and industrial automation.
Key points
- A sophisticated spear-phishing campaign used 27 malicious npm packages from six aliases to target organizations in critical sectors.
- The packages host browser-based lures that mimic document-sharing portals and Microsoft sign-in pages to steal credentials.
- Attacks utilize obfuscated JavaScript, bot evasion checks, honeypot fields, and multi-layered anti-analysis techniques to evade detection.
- The campaign's infrastructure overlaps with AitM phishing operations linked to Evilginx, indicating sophisticated threat actor capabilities.
- Countermeasures include enhanced dependency verification, monitoring CDN requests, enforcing MFA, and analyzing suspicious post-authentication activity.
Read More: https://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.html