Cybersecurity researchers have disclosed details of what has been described as a "sustained and targeted" spear-phishing campaign that has published over two dozen packages to the npm registry to facilitate credential theft.

The activity, which involved uploading 27 npm packages from six different npm aliases, has primarily targeted sales and commercial personnel at critical infrastructure-adjacent organizations in the U.S. and allied nations, according to Socket.

"A five-month operation turned 27 npm packages into durable hosting for browser-run lures that mimic document-sharing portals and Microsoft sign-in, targeting 25 organizations across manufacturing, industrial automation, plastics, and healthcare for credential theft," researchers Nicholas Anderson and Kirill Boychenko said.

The names of the packages are listed below:

  • adril7123
  • ardril712
  • arrdril712
  • androidvoues
  • assetslush
  • axerification
  • erification
  • erificatsion
  • errification
  • eruification
  • hgfiuythdjfhgff
  • homiersla
  • houimlogs22
  • iuythdjfghgff
  • iuythdjfhgff
  • iuythdjfhgffdf
  • iuythdjfhgffs
  • iuythdjfhgffyg
  • jwoiesk11
  • modules9382
  • onedrive-verification
  • sarrdril712
  • scriptstierium11
  • secure-docs-app
  • sync365
  • ttetrification
  • vampuleerl

Rather than requiring anyone to install the packages, the campaign repurposes npm and the package content delivery networks (CDNs) that serve it as hosting infrastructure. The packages carry client-side HTML and JavaScript lures that impersonate secure document-sharing portals; these are embedded directly in phishing pages, and victims who interact with them are redirected to Microsoft sign-in pages with their email address already pre-filled in the form.
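The hosting pattern described above has a recognizable fingerprint from the registry side: a package whose payload is static HTML and browser JavaScript rather than a Node module, whose wording mimics a document-sharing portal, and whose script hands the visitor off to a Microsoft sign-in URL carrying the victim's email. The following triage heuristic is an added example written for this article, not Socket's tooling or code from any of the listed packages. It takes a package's files as a path-to-text mapping (as you would get from an unpacked tarball), and the indicator vocabulary, the fixture package contents and the use of the `login_hint` query parameter as the pre-fill mechanism are all assumptions made for the example.

```python
"""Triage heuristic for npm packages abused as static phishing hosting.

Added example, not Socket's scanner. Flags packages whose content is a
browser-run lure (HTML + redirect script) instead of a Node module.
Indicator phrases below are an assumed starting vocabulary; tune them
against real samples.
"""
import re
from dataclasses import dataclass, field

# Assumed document-sharing lure wording (matched case-insensitively).
LURE_PHRASES = ("secure document", "shared a file with you", "onedrive",
                "sharepoint", "sign in to view", "review document")
# Hand-off to the real Microsoft sign-in endpoint.
SIGNIN_URL_RE = re.compile(r"https?://login\.microsoftonline\.com/[^\s\"'<>]*", re.I)
# Ways a lure typically carries the victim's e-mail into the sign-in page:
# login_hint= pre-fills the username box (assumption; the article only says
# the address is pre-filled), or the script reads it from the phishing link.
PREFILL_RE = re.compile(r"login_hint=|URLSearchParams|location\.hash", re.I)
# Anything that looks like real Node/ESM module code.
NODE_MODULE_RE = re.compile(r"\b(require\(|module\.exports|export\s+(default|const|function))")


@dataclass
class Triage:
    name: str
    findings: list = field(default_factory=list)
    score: int = 0

    @property
    def verdict(self) -> str:
        if self.score >= 3:
            return "likely-phishing-host"
        return "review" if self.score else "clean"


def triage_package(name: str, files: dict) -> Triage:
    """Score a package (path -> file text) for the hosting-abuse pattern."""
    t = Triage(name)
    html = {p: c for p, c in files.items() if p.lower().endswith((".html", ".htm"))}
    js = {p: c for p, c in files.items() if p.lower().endswith(".js")}

    # 1. Static web content with no module code: nothing for `require` to load.
    if html and not any(NODE_MODULE_RE.search(c) for c in js.values()):
        t.findings.append("payload is static HTML with no Node module code")
        t.score += 1

    # 2. Document-sharing lure wording anywhere in the HTML or scripts.
    blob = "\n".join(list(html.values()) + list(js.values())).lower()
    hits = [p for p in LURE_PHRASES if p in blob]
    if hits:
        t.findings.append(f"document-sharing lure wording: {hits}")
        t.score += 1

    # 3. Redirect to Microsoft sign-in, 4. with the victim's e-mail carried along.
    everything = "\n".join(files.values())
    urls = SIGNIN_URL_RE.findall(everything)
    if urls:
        t.findings.append(f"hands off to Microsoft sign-in: {sorted(set(urls))}")
        t.score += 1
        if PREFILL_RE.search(everything):
            t.findings.append("victim e-mail is carried into the sign-in URL (pre-filled username)")
            t.score += 1
    return t


# Constructed fixtures (not real package contents): one lure, one benign library.
LURE_FIXTURE = {
    "package.json": '{"name": "example-docs-lure", "version": "1.0.0"}',
    "index.html": """<html><body>
<h2>Secure Document</h2><p>Someone shared a file with you. Sign in to view.</p>
<script src="app.js"></script></body></html>""",
    "app.js": """var email = new URLSearchParams(location.search).get('e') || '';
setTimeout(function () {
  location.replace('https://login.microsoftonline.com/common/oauth2/authorize?login_hint=' + email);
}, 1500);""",
}
BENIGN_FIXTURE = {
    "package.json": '{"name": "example-left-pad", "version": "1.0.0", "main": "index.js"}',
    "index.js": "module.exports = function (s, n) { return s.padStart(n); };",
    "README.md": "Pads strings.",
}

if __name__ == "__main__":
    for name, files in (("lure", LURE_FIXTURE), ("benign", BENIGN_FIXTURE)):
        result = triage_package(name, files)
        print(name, result.verdict, result.score, *result.findings, sep="\n  ")
```

Run on the constructed fixtures, the lure scores 4 (`likely-phishing-host`) and the benign module scores 0 (`clean`). The heuristic deliberately keys on the shape of the content rather than on package names, since the listed names are throwaway strings that tell you nothing on their own; on a registry feed it is cheap enough to run on every new publish and route `review` and above to a human.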
