Massive NPM Supply-Chain Attack Infects Developers During Package Installs

A new phishing operation discovered in October 2025 reveals a disturbing evolution in supply-chain abuse within the open-source ecosystem.

Unlike traditional npm compromises designed to infect developers during package installation, this campaign weaponizes the npm registry and the trusted unpkg.com CDN to deliver credential-stealing JavaScript through crafted business-themed HTML lures.

Researchers at Socket first identified over 175 disposable npm packages, each with the naming pattern redirect-[a-z0-9]{6}, deployed as hosting containers for a phishing script dubbed beamglea.js.

The campaign, tracked under the internal codename “Beamglea,” has targeted more than 135 organizations across technology, industrial, and energy sectors, predominantly in Europe.

Snyk later discovered an additional cluster of suspicious npm packages named mad-x.x.x.x.x.x, which demonstrate a similar structure and mimicry behavior, potentially indicating a copycat expansion of the same infrastructure.

Phishing Through CDN Abuse

This campaign repurposes legitimate open-source delivery infrastructure. As soon as an npm package is published publicly, unpkg.com automatically makes its contents accessible over HTTPS. Attackers exploited this mechanism to deliver malicious JavaScript directly from a reputable origin.

A typical lure document includes a line such as
<script src="https://unpkg.com/[email protected]/beamglea.js"></script>.

When a victim opens the HTML file, it silently loads the hosted script, which redirects to an attacker-controlled phishing page while pre-filling the victim’s email in the login form.

This technique enhances credibility while limiting forensic visibility on the attacker’s servers.
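As an added example (not code from the article, Socket or Snyk), the following scanner inspects an HTML attachment for the pattern described above: a `<script src>` that pulls a file from unpkg.com out of a package whose name matches the disposable `redirect-[a-z0-9]{6}` or copycat `mad-x.x.x.x.x.x` naming, plus the `html-meta` marker the article lists among its indicators. The package name `redirect-abc123@1.0.0` in the sample lure is a constructed placeholder; the real names and versions are not given on the page, and ordinary unpkg-hosted libraries are deliberately left unflagged.

```python
import re
from html.parser import HTMLParser

# Package-name patterns taken from the article: the disposable
# redirect-[a-z0-9]{6} packages and the copycat mad-x.x.x.x.x.x cluster.
UNPKG_SRC_RE = re.compile(
    r"^https?://unpkg\.com/"
    r"(?P<pkg>redirect-[a-z0-9]{6}|mad-[0-9a-z]+(?:\.[0-9a-z]+)+)"
    r"(?:@[^/]+)?/(?P<path>[^?#]*)",
    re.IGNORECASE,
)
PAYLOAD_FILES = {"beamglea.js", "script.js"}   # payload filenames named in the article
META_MARKER = ("html-meta", "nb830r6x")         # <meta> indicator named in the article


class LureScanner(HTMLParser):
    """Collects script/meta indicators from one HTML document."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "script" and a.get("src"):
            m = UNPKG_SRC_RE.match(a["src"].strip())
            if m:
                fname = m.group("path").rsplit("/", 1)[-1].lower()
                self.findings.append({
                    "indicator": "unpkg-disposable-package",
                    "package": m.group("pkg"),
                    "payload_match": fname in PAYLOAD_FILES,
                    "src": a["src"],
                })
        elif tag == "meta" and (a.get("name"), a.get("content")) == META_MARKER:
            self.findings.append({"indicator": "html-meta-marker", "content": a["content"]})


def scan_html(text):
    """Return the list of indicators found in an HTML lure; empty list if clean."""
    p = LureScanner()
    p.feed(text)
    p.close()
    return p.findings


# Constructed sample lure; package name and version are placeholders, not values from the article.
SAMPLE_LURE = """<html><head>
<meta name="html-meta" content="nb830r6x">
<script src="https://unpkg.com/redirect-abc123@1.0.0/beamglea.js"></script>
</head><body>Please review the attached invoice.</body></html>"""

# Constructed benign page: a normal unpkg-hosted library must not be flagged.
BENIGN_PAGE = """<html><head>
<script src="https://unpkg.com/react@18.2.0/umd/react.production.min.js"></script>
</head><body>ok</body></html>"""

if __name__ == "__main__":
    for hit in scan_html(SAMPLE_LURE):
        print(hit)
    print("benign:", scan_html(BENIGN_PAGE))
```

Because the script tag alone is enough to trigger the redirect, the scanner flags the package naming on its own and only records the payload filename as supporting evidence; running it over mail-gateway attachments or a phishing mailbox gives a cheap first triage pass.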

Snyk’s analysis of the mad- packages revealed a more sophisticated variant masquerading as a “Cloudflare Security Check” page.

Its script.js payload includes multiple obfuscation layers, anti-devtools detection mechanisms, event handlers that disable right-click and F12 actions, and frame-busting code to prevent easy inspection.

A fake “I am not a robot” checkbox triggers an asynchronous fetch request to a GitHub-hosted text file; if a URL is retrieved, the browser redirects to it, often landing on a phishing page impersonating enterprise SSO portals.

Indicators and Impact

Indicators of compromise include outbound connections to unpkg.com immediately followed by redirections to suspicious domains such as cfn.jackpotmastersdanske[.]com, or HTML documents containing <meta name="html-meta" content="nb830r6x">.
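The network-side indicator above, an unpkg.com fetch immediately followed by a redirect to a suspicious domain, can be turned into a simple proxy-log correlation. The code below is an added example and not part of the article or of Socket's or Snyk's tooling; it assumes a constructed log format (`<timestamp> <client> <method> <url> <status>`), a 10-second "immediately followed" window, and the single known-bad host the article names (written de-fanged there). Package names and the pre-filled email in the sample lines are constructed placeholders.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed log format (not from the article): "<ISO-8601 ts> <client> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
# Disposable package names from the article, as they appear in an unpkg URL path.
DISPOSABLE_PATH_RE = re.compile(
    r"^/(redirect-[a-z0-9]{6}|mad-[0-9a-z]+(?:\.[0-9a-z]+)+)(?:@|/)", re.IGNORECASE
)
# Redirect destination named in the article (listed there de-fanged with [.]).
KNOWN_BAD_HOSTS = {"cfn.jackpotmastersdanske.com"}
WINDOW = timedelta(seconds=10)  # assumed meaning of "immediately followed"; tune per proxy


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status = m.groups()
    u = urlsplit(url)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "client": client, "method": method, "url": url,
        "host": (u.hostname or "").lower(), "path": u.path, "status": int(status),
    }


def detect(lines, allowlist=frozenset()):
    """Return alerts for (a) any unpkg fetch of a disposable package and
    (b) an unpkg fetch followed within WINDOW, from the same client, by a
    request to a known-bad host or, when the package was disposable, to any
    host outside the allowlist."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: (e["client"], e["ts"]))
    alerts = []
    for i, e in enumerate(events):
        if e["host"] != "unpkg.com":
            continue
        disposable = DISPOSABLE_PATH_RE.match(e["path"]) is not None
        if disposable:
            alerts.append({"client": e["client"],
                           "reason": "unpkg fetch of disposable package",
                           "url": e["url"]})
        for nxt in events[i + 1:]:
            if nxt["client"] != e["client"] or nxt["ts"] - e["ts"] > WINDOW:
                break
            if nxt["host"] in ("", "unpkg.com") or nxt["host"] in allowlist:
                continue
            if disposable or nxt["host"] in KNOWN_BAD_HOSTS:
                alerts.append({"client": e["client"],
                               "reason": f"unpkg fetch followed by request to {nxt['host']}",
                               "url": e["url"], "next_url": nxt["url"]})
                break
    return alerts


# Constructed sample log lines: one victim workstation and one benign developer fetch.
SAMPLE_LOG = [
    "2025-10-14T09:12:01Z 10.0.0.5 GET https://unpkg.com/redirect-abc123@1.0.0/beamglea.js 200",
    "2025-10-14T09:12:02Z 10.0.0.5 GET https://cfn.jackpotmastersdanske.com/login?email=user%40example.com 200",
    "2025-10-14T09:15:40Z 10.0.0.9 GET https://unpkg.com/react@18.2.0/umd/react.production.min.js 200",
    "2025-10-14T09:15:41Z 10.0.0.9 GET https://intranet.example.com/app 200",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The second rule is intentionally narrow: a normal library fetch from unpkg.com followed by unrelated browsing would be far too noisy, so a follow-up request only raises an alert when the package name itself is suspicious or the destination is already known to be bad.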

While this operation doesn't inject malware into developer builds, it represents a new kind of ecosystem-level abuse, turning trusted CDNs and package hosts into delivery infrastructure for phishing.

Security experts warn that this technique marks a broader shift toward exploiting the trust relationships between open-source registries, CDNs, and enterprise identity workflows.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
