
New npm Malware Has Over 26,000 Downloads in Massive Credential Theft Campaign


Beamglea Phishing Campaign

Cybersecurity researchers have flagged a set of 175 malicious packages on the npm registry that attackers used as hosting infrastructure for credential-harvesting attacks in an unusual campaign.

The packages were downloaded about 26,000 times in total and served as infrastructure for a widespread phishing campaign codenamed Beamglea, which targeted more than 135 industrial, technology, and energy companies worldwide, according to Socket.

“While the packages’ randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure,” security researcher Kush Pandya said.

The packages use npm's public registry and the unpkg.com CDN to host redirect scripts that route victims to credential-harvesting pages. Safety's Paul McCarty first flagged some aspects of the campaign late last month.

How it works

The tooling behind the packages includes a Python file named "redirect_generator.py" that programmatically creates and publishes an npm package named "redirect-xxxxxx," where "xxxxxx" is a random alphanumeric string. The script injects a victim's email address and a custom phishing URL into the package.

Once the package is live on the npm registry, the generator writes an HTML file that references the package through the unpkg CDN, which automatically serves any published npm package at a path of the form "unpkg[.]com/<package>@<version>/<file>" (here "unpkg[.]com/redirect-xxxxxx@<version>/beamglea.js"). The threat actor relies on this behavior to distribute HTML payloads that, when opened, load JavaScript from unpkg and redirect the victim to Microsoft credential-harvesting pages.

The JavaScript file "beamglea.js" is a redirect script that carries the victim's email address and the phishing URL the victim is sent to, so the attackers can capture their credentials. Socket reported finding more than 630 HTML files that masquerade as purchase orders, technical specifications, or project documents.

In other words, the npm packages do not run any malicious code when installed; the campaign uses npm and unpkg purely to host the phishing infrastructure. For defenders this means a static scan of the lure attachment sees only a script tag pointing at unpkg.com, not the redirect logic itself, which lives in the hosted "beamglea.js". Researchers have not yet determined how the attackers distribute the HTML files, although email attachments that trick recipients into opening the crafted HTML files are the likely route.

“When victims open these HTML files in a browser, the JavaScript immediately redirects to the phishing domain while passing the victim’s email address via URL fragment,” Socket said.

“The phishing page then pre-fills the email field, creating a convincing appearance that the victim is accessing a legitimate login portal that already recognizes them. This pre-filled credential significantly increases the attack’s success rate by reducing victim suspicion.”
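As an added example (not code from the original article, from Socket, or from the campaign itself), the following Node.js triage script covers the lure stage described above: it flags a standalone HTML document that loads "beamglea.js" from an "unpkg.com/redirect-<random>@<version>/" path, and it recovers the victim email from the fragment of a redirect URL. The exact path form, the sample HTML, and the "login-portal.example" URL are assumptions constructed for this example.

```javascript
// Added example (not code from the original article or from Socket): a small
// Node.js triage script for the HTML-attachment stage of the Beamglea flow.
// Assumptions: the lure HTML loads a script whose URL has the form
// https://unpkg.com/redirect-<random>@<version>/beamglea.js (as the article
// describes), and the redirect target carries the victim's e-mail in the URL
// fragment. All sample inputs below are constructed for this example.

// Matches <script src="https://unpkg.com/redirect-XXXX@VERSION/beamglea.js">.
// Package name and version are captured so an analyst can pivot on them.
const BEAMGLEA_SCRIPT_RE =
  /<script\b[^>]*\ssrc\s*=\s*["']?(https?:\/\/unpkg\.com\/(redirect-[a-z0-9]+)@([^\/"'\s]+)\/beamglea\.js)["']?/gi;

// Any script loaded from unpkg inside a standalone HTML "document" is unusual
// enough to flag at lower severity, even if the package name differs.
const ANY_UNPKG_SCRIPT_RE =
  /<script\b[^>]*\ssrc\s*=\s*["']?(https?:\/\/unpkg\.com\/[^"'\s>]+)/gi;

// Deliberately loose e-mail shape: we only need to tell an address apart from
// an ordinary page anchor such as "#section-2".
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Scan one HTML document and return a list of findings (high severity first).
function scanHtml(html) {
  const findings = [];
  const seen = new Set();
  for (const m of html.matchAll(BEAMGLEA_SCRIPT_RE)) {
    seen.add(m[1]);
    findings.push({
      severity: 'high', src: m[1], pkg: m[2], version: m[3],
      reason: 'redirect-* npm package served via unpkg with beamglea.js',
    });
  }
  for (const m of html.matchAll(ANY_UNPKG_SCRIPT_RE)) {
    if (seen.has(m[1])) continue; // already reported at high severity
    findings.push({
      severity: 'low', src: m[1], pkg: null, version: null,
      reason: 'standalone HTML loads a script from the unpkg CDN',
    });
  }
  return findings;
}

// Recover the victim e-mail carried in the URL fragment of the redirect
// target. The fragment is never sent in the HTTP request, so it will not show
// up in proxy or web-server logs of the phishing domain; it is only visible
// client-side (location.hash) or in the HTML/JS that builds the URL.
function emailFromFragment(url) {
  let hash;
  try {
    hash = new URL(url).hash;
  } catch (e) {
    return null; // not a parseable absolute URL
  }
  if (!hash) return null;
  let candidate;
  try {
    candidate = decodeURIComponent(hash.slice(1));
  } catch (e) {
    return null; // malformed percent-encoding
  }
  return EMAIL_RE.test(candidate) ? candidate : null;
}

// Constructed sample lure: a "purchase order" that is really just a loader.
const SAMPLE_LURE_HTML = `<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Purchase Order PO-4471</title>
<script src="https://unpkg.com/redirect-a1b2c3@1.0.0/beamglea.js"></script>
</head><body>Loading document, please wait...</body></html>`;

// Constructed benign document for comparison (no external scripts).
const SAMPLE_BENIGN_HTML = `<html><body><h1>Spec sheet</h1>
<p>No external scripts here.</p></body></html>`;

// Constructed redirect target of the kind the article describes
// (phishing page URL with the victim e-mail in the fragment).
const SAMPLE_REDIRECT_URL = 'https://login-portal.example/?session=7#victim%40example.com';

function main() {
  for (const f of scanHtml(SAMPLE_LURE_HTML)) {
    const pkg = f.pkg ? ` (package ${f.pkg}@${f.version})` : '';
    console.log(`[${f.severity}] ${f.reason}: ${f.src}${pkg}`);
  }
  console.log('benign findings:', scanHtml(SAMPLE_BENIGN_HTML).length);
  console.log('fragment e-mail:', emailFromFragment(SAMPLE_REDIRECT_URL));
}

main();
```

Run it with "node" on the file. Two practical points follow from the code: because the victim address travels in the fragment, the phishing server never receives it in the request line, so hunting in proxy logs for exposed addresses will come up empty and detection has to happen on the attachment or in the browser; and because the high-severity rule is keyed to the exact "redirect-*/beamglea.js" path, treat any script load from a public CDN inside an email-delivered HTML file as the more durable signal.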

Overall, these findings again show how threat actors keep adapting their techniques to stay ahead of defenders, and how legitimate infrastructure can be abused at scale.

“The npm ecosystem becomes unwitting infrastructure rather than a direct attack vector,” Pandya said. “Developers who install these packages see no malicious behavior, but victims opening specially crafted HTML files are redirected to phishing sites.”

“By publishing 175 packages across 9 accounts and automating victim-specific HTML generation, the attackers created a resilient phishing infrastructure that costs nothing to host and leverages trusted CDN services. The combination of npm’s open registry, unpkg.com’s automatic serving, and minimal code creates a reproducible playbook that other threat actors will adopt.”

Source: TheHackerNews
