27 Malicious npm Packages Turn Dev Ecosystem Into Phishing Playground in 2025
Executive Summary
In late 2025, security researchers uncovered a sophisticated supply chain attack leveraging the npm package ecosystem to execute a targeted spear-phishing campaign. Over a five-month period, attackers published 27 malicious npm packages via six aliases, using content delivery networks to host and serve browser-based phishing lures. These lures mimicked document-sharing and Microsoft sign-in portals to trick targeted sales and commercial staff at 25 organizations across manufacturing, industrial automation, healthcare, and allied sectors in the US and Europe. The campaign incorporated advanced anti-analysis checks, obfuscated JavaScript, and honeypot detection to evade security tooling, with hardcoded targets likely sourced from trade show and open-sourced company data.
This incident exemplifies the growing abuse of public developer ecosystems and infrastructure in credential theft operations, highlighting an urgent need for organizations to monitor software supply chains and enforce modern, phishing-resistant controls. Attackers' use of legitimate distribution services as resilient hosting and focus on regional, non-IT staff illustrate shifting tactics in supply chain and social engineering threats.
Why This Matters Now
Malicious use of open-source package repositories to facilitate advanced phishing campaigns is on the rise, exposing organizations to hard-to-detect credential theft. With attackers adapting quickly and targeting non-technical staff, urgent action is required to harden software supply chains, enforce zero trust controls, and monitor atypical CDN activity.
Attack Path Analysis
Attackers initiated compromise by uploading malicious npm packages that masqueraded as legitimate libraries and delivered phishing HTML/JS payloads via trusted CDNs to targeted end users. They leveraged user interaction and masqueraded document-sharing portals to coax users into submitting credentials, but did not require overt privilege escalation since the goal was credential theft at the initial point of contact. Lateral movement was minimized but may have involved reuse of compromised credentials to access organizational cloud or SaaS assets tied to targeted individuals. Command and control was achieved via outbound connections to attacker-controlled infrastructure, leveraging evasion and anti-analysis features. Exfiltration occurred through browser-driven submission of credentials directly to attacker infrastructure. The campaign sought business impact by stealthily harvesting credentials and potentially enabling targeted follow-on attacks, with minimal direct disruption or damage to victim environments.
Kill Chain Progression
Initial Compromise
Description
Malicious npm packages were published and distributed via trusted CDNs, leading targeted users to phishing pages designed to steal credentials.
Related CVEs
CVE-2025-59145
CVSS 8.8The npm package 'color-name' version 2.0.1 was compromised to include malware that attempts to redirect cryptocurrency transactions to the attacker's addresses in browser environments.
Affected Products:
colorjs color-name – 2.0.1
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Supply Chain Compromise: Compromise of Software Dependencies and Development Tools
Phishing: Spearphishing via Service
Compromise Infrastructure: Code Repository
Web Service: Content Delivery Network
User Execution: Malicious Link
Input Capture: Keylogging
PowerShell
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Verify Integrity of Software and Code
Control ID: 6.3.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Third-Party Risk Management
Control ID: Art. 6(9)
NIS2 Directive – Supply Chain Security
Control ID: Art. 21(2)(e)
CISA Zero Trust Maturity Model (ZTMM) 2.0 – Phishing-resistant Multi-Factor Authentication
Control ID: Identity Pillar - Authentication
GDPR – Security of Processing
Control ID: Art. 32
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Supply chain attacks via malicious npm packages directly target software development workflows, requiring enhanced dependency verification and egress security controls.
Health Care / Life Sciences
Targeted spear-phishing campaign specifically mentions healthcare sectors, threatening HIPAA compliance and requiring zero trust segmentation for credential protection.
Industrial Automation
Campaign explicitly targets industrial automation personnel with credential theft lures, exposing critical infrastructure to lateral movement and operational disruption.
Plastics
Threat actors specifically target plastics and polymer supply chain professionals through sophisticated phishing infrastructure, compromising commercial operations and data.
Sources
- 27 Malicious npm Packages Used as Phishing Infrastructure to Steal Login Credentialshttps://thehackernews.com/2025/12/27-malicious-npm-packages-used-as.htmlVerified
- Global Analysis of Adversary-in-the-Middle Phishing Threatshttps://blog.sekoia.io/global-analysis-of-adversary-in-the-middle-phishing-threats/Verified
- Infoblox Uncovers MFA-Bypassing 'Evilginx' Phishing Operation Targeting U.S. Universitieshttps://www.securityinfowatch.com/cybersecurity/news/55337620/infoblox-uncovers-mfa-bypassing-evilginx-phishing-operation-targeting-us-universitiesVerified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust controls like microsegmentation, network visibility, strong egress policy enforcement, and anomaly detection could have disrupted attacker delivery, prevented credential reuse, and detected unauthorized exfiltration or anomalous outbound traffic, limiting lateral movement and credential theft.
Control: Cloud Firewall (ACF)
Mitigation: Outbound access to known phishing infrastructure can be blocked or alerted.
Control: Zero Trust Segmentation
Mitigation: Limits compromised credential usefulness through strict application and network segmentation.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized internal movement from compromised accounts and enforces least privilege.
Control: Inline IPS (Suricata)
Mitigation: Detects and blocks malicious or suspicious outbound patterns and C2 callbacks.
Control: Egress Security & Policy Enforcement
Mitigation: Prevents data exfiltration to untrusted web domains.
Alerts and enables rapid incident response to anomalous credential use.
Impact at a Glance
Affected Business Functions
- Sales
- Commercial Operations
- Manufacturing
- Healthcare Services
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive sales and commercial data, including client information and proprietary documents, due to credential theft facilitated by malicious npm packages.
Recommended Actions
Key Takeaways & Next Steps
- • Enforce strict egress filtering and domain allowlisting to prevent access to malicious infrastructures via CDN or third-party sources.
- • Deploy microsegmentation and identity-based network policies to restrict internal access using compromised credentials and minimize lateral movement.
- • Integrate inline threat inspection (IPS) to detect and block known phishing artifacts and C2 channels in real time.
- • Implement continuous anomaly detection and centralized cloud/network visibility to rapidly identify suspicious authentication and exfiltration events.
- • Mandate zero trust access controls and least privilege policies for all user roles, especially those with access to sensitive SaaS and cloud assets.
