Researchers uncovered a campaign that published 175+ disposable npm packages which host JavaScript on the unpkg.com CDN to redirect victims from crafted HTML “business documents” to credential-harvesting pages, impacting 135+ organizations across industry, tech, and energy in Europe. Snyk and Socket mapped clusters (redirect-* and mad-*) and analyzed a “mad-*” package that uses a fake Cloudflare verification UI, anti-analysis checks, and remote-hosted redirect URLs to prefill victim email fields. #Beamglea #unpkg
Keypoints
- Adversaries automated publication of 175+ throwaway npm packages (pattern redirect-[a-z0-9]{6}) containing beamglea.js and HTML lure files to use npm/unpkg as disposable hosting for phishing scripts.
- The attack uses the unpkg.com CDN to load malicious scripts in victims’ browsers from innocuous-looking local HTML documents rather than relying on npm install supply-chain execution.
- Phishing lures mimic invoices and business documents; when opened they load the unpkg script which immediately redirects to attacker-controlled credential-harvesting pages and passes the victim’s email via URL fragment to pre-fill forms.
- Socket disclosed initial findings (175 packages, “Beamglea” codename, 135+ impacted organizations) and Snyk identified an additional mad-* cluster that contains a fake Cloudflare security-check UI and anti-analysis measures.
- The mad-* payload uses developer-tools detection, disables right-click/F12/view-source shortcuts, and fetches a remote GitHub-hosted file containing the final redirect URL, then frame-busts/redirects the top window.
- This technique is a novel abuse of open source hosting and CDN delivery (a browser delivery path) rather than a classic package-install compromise, signaling a new class of supply-chain delivery vectors to monitor.
- IOCs include HTML lures referencing script tags on unpkg (redirect-@/beamglea.js), a recurring HTML meta content marker (nb830r6x), and remote GitHub raw URLs used to store redirect targets.
MITRE Techniques
- [T1584] Compromise Public-Facing Application – Attackers publish many disposable npm packages that become immediately available via the public unpkg.com CDN, turning a legitimate hosting service into a delivery channel (“As soon as a package version is public, the popular and centralized CDN resource at unpkg.com can be referenced…”).
- [T1204] User Execution – Victims open crafted HTML “business documents” which execute browser scripts from unpkg, triggering the redirect to credential-harvesting pages (“Opening them then triggers the unpkg script load.”).
- [T1531] Web Service – Abuse of a third-party web service (unpkg.com CDN and npm registry) to host and serve malicious JavaScript to victims (“the attackers leverage the browser delivery path through unpkg, turning legitimate open source hosting infrastructure into a phishing mechanism”).
- [T1078] Valid Accounts (credential harvesting enabling account access) – The campaign captures and pre-fills victims’ email addresses via URL fragment to increase success of credential collection (“the script immediately redirects to an attacker page and passes the victim’s email via URL fragment so the phishing form is pre-filled.”).
- [T1496] Resource Development – Creation of infrastructure and disposable packages (redirect-* and mad-* naming clusters) used as throwaway hosting for phishing assets (“Adversaries automated the creation of many npm packages (pattern redirect-[a-z0-9]{6}) with minimal contents: beamglea.js and HTML lure files.”).
- [T1566] Phishing – Use of crafted documents that mimic invoices and verification pages to trick users into interacting with the malicious UI and triggering redirects (“Targets receive custom HTML files (often mimicking invoices and other data). Opening them then triggers the unpkg script load.”).
- [T1621] Indicator Removal from Tools – Anti-analysis and inspection hardening to hinder investigation and debugging (disables right-click, F12, devtools shortcuts, and view-source/save; checks for devtools and blanks page if detected) (“…periodically checks for developer tools and, if detected, blanks the page or redirects. … Disables right-click, F12, common devtools shortcuts, and “view source”/“save”.”).
Indicators of Compromise
- [HTML/script tag] Victim HTML lures referencing unpkg-hosted redirectors – <script src="https://unpkg.com/redirect-@/beamglea.js"> (seen in multiple lure files).
- [HTML meta] Lure document meta marker – name="html-meta" content="nb830r6x" (used across lures as a detectable tag).
- [Package names] Disposable npm package naming patterns – examples: redirect-xxxxxx (redirect-[a-z0-9]{6}) and mad-x.x.x.x.x.x (mad-* cluster identified by Snyk).
- [File names] Script and lure file names inside packages – beamglea.js, script.js, and HTML lure files (multiple package instances; “and 2 more hashes” for additional payloads).
- [URL/raw content] Remote GitHub raw URL hosting redirect target – example: https://raw.githubusercontent.com/Abassdos2992/truboebvitalya/refs/heads/main/mad4.txt (mad-* package fetches redirect URL from this file).
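As an added example (not code from the Snyk or Socket write-ups), a small Python scanner that flags the indicators listed above in a local HTML attachment or an extracted package script: the unpkg script tag for the redirect-*/mad-* clusters, the html-meta marker, and raw GitHub text files of the kind the mad-* payload fetches. The sample lure, package name and script body are constructed; only the GitHub raw URL is the one quoted on this page.

```python
import re

# Constructed sample inputs (not real campaign files): one HTML lure, a
# fragment of a package script that fetches its redirect target, and a
# benign page that also loads from unpkg.
LURE_HTML = """<html><head>
<meta content="nb830r6x" name="html-meta">
<title>Invoice_0931.html</title>
<script src="https://unpkg.com/redirect-k3x9qz@1.0.0/beamglea.js"></script>
</head><body>Loading document...</body></html>"""
MAD_SCRIPT = """fetch("https://raw.githubusercontent.com/Abassdos2992/truboebvitalya/refs/heads/main/mad4.txt")
  .then(r => r.text()).then(u => { top.location.href = u; });"""
BENIGN_HTML = """<html><head>
<script src="https://unpkg.com/react@18/umd/react.production.min.js"></script>
</head><body>Hello</body></html>"""

# Script tags loading unpkg-hosted packages from the redirect-* or mad-* clusters.
UNPKG_REDIRECTOR = re.compile(
    r'<script[^>]+src=["\']https://unpkg\.com/'
    r'(redirect-[a-z0-9]{6}|mad-[^/@"\']+)(?:@[^/"\']*)?/[^"\']*["\']',
    re.IGNORECASE)
# Recurring meta marker seen across the lures, independent of attribute order.
META_MARKER = re.compile(
    r'<meta(?=[^>]*name=["\']html-meta["\'])(?=[^>]*content=["\']nb830r6x["\'])[^>]*>',
    re.IGNORECASE)
# Raw GitHub text files of the kind the mad-* payload reads its redirect URL from.
GITHUB_RAW = re.compile(r'https://raw\.githubusercontent\.com/[^\s"\'()]+\.txt',
                        re.IGNORECASE)


def scan(text: str) -> dict:
    """Return the IOC hits found in one HTML lure or package script."""
    hits = {
        "unpkg_redirector": [m.group(1) for m in UNPKG_REDIRECTOR.finditer(text)],
        "meta_marker": META_MARKER.search(text) is not None,
        "github_raw": GITHUB_RAW.findall(text),
    }
    hits["suspicious"] = bool(
        hits["unpkg_redirector"] or hits["meta_marker"] or hits["github_raw"])
    return hits


if __name__ == "__main__":
    for name, sample in [("lure", LURE_HTML), ("mad script", MAD_SCRIPT),
                         ("benign", BENIGN_HTML)]:
        print(name, scan(sample))
```

A package-name match alone is the strongest signal here; the meta marker and raw-GitHub patterns are supporting indicators and should be weighted accordingly in a mail-gateway or EDR rule.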
Read more: https://snyk.io/blog/phishing-campaign-leveraging-the-npm-ecosystem/