175 Malicious npm Packages with 26,000 Downloads Used in Credential Phishing Campaign
Briefly

"Specifically, the library comes fitted with a Python file named "redirect_generator.py" to programmatically create and publish an npm package with the name "redirect-xxxxxx," where "x" refers to a random alphanumeric string. The script then injects a victim's email address and custom phishing URL into the package. Once the package is live on the npm registry, the "malware" proceeds to create an HTML file with a reference to the UNPKG CDN associated with the newly published package (e.g., "unpkg[.]com/redirect-xs13nr@1.0.0/beamglea.js")."
"The packages have been collectively downloaded 26,000 times, acting as an infrastructure for a widespread phishing campaign codenamed Beamglea targeting more than 135 industrial, technology, and energy companies across the world, according to Socket. "While the packages' randomized names make accidental developer installation unlikely, the download counts likely include security researchers, automated scanners, and CDN infrastructure analyzing the packages after disclosure," security researcher Kush Pandya said."
An operation named Beamglea employs 175 malicious npm packages that have been downloaded about 26,000 times and targets over 135 industrial, technology, and energy companies worldwide. The packages host redirect scripts on npm and the unpkg.com CDN; the campaign's HTML payloads load beamglea.js from unpkg and redirect victims to Microsoft credential-harvesting pages. A Python script named redirect_generator.py programmatically creates packages named redirect-xxxxxx (where each x is a random alphanumeric character), injects the victim's email address and a custom phishing URL, and publishes the package. Once a package is live, the script produces an HTML file that references it on unpkg; the HTML loads the redirect JavaScript, which carries the victim's email and the target URL, and sends the victim to the credential-capture page. More than 630 HTML files tied to the campaign were found.
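As an added detection example (not code from the article or from Socket's research), the scanner below checks an HTML file for the unpkg reference pattern described above, redirect-xxxxxx@version/beamglea.js, and also flags the broader case of any redirect-* package loaded from unpkg; the version format, the optional URL scheme and the sample HTML are assumptions or constructed inputs.

```python
import re

# Added detection example, not code from the article or from Socket's research.
# It scans an HTML file for the UNPKG reference the Beamglea payloads use:
# unpkg.com/redirect-xxxxxx@<version>/beamglea.js ("xxxxxx" is random
# alphanumeric). Dotted-number versions and an optional scheme are assumptions.
BEAMGLEA_REF = re.compile(
    r"""(?:https?:)?(?://)?unpkg\.com/
        (?P<package>redirect-[a-z0-9]+)   # redirect-xxxxxx package name
        @(?P<version>\d+(?:\.\d+)*)       # e.g. 1.0.0
        /beamglea\.js\b""",
    re.IGNORECASE | re.VERBOSE,
)

# Weaker signal (a generalisation, not stated by the article): any "redirect-"
# package loaded from unpkg, whatever file it serves.
REDIRECT_PKG_REF = re.compile(
    r"unpkg\.com/(?P<package>redirect-[a-z0-9]+)@[^\s\"'/]+/(?P<file>[^\s\"'>]+)",
    re.IGNORECASE,
)

def refang(text: str) -> str:
    """Turn defanged indicators such as unpkg[.]com back into unpkg.com."""
    return text.replace("[.]", ".")

def scan_html(html: str) -> list[dict]:
    """One finding per distinct suspicious package: "high" for the exact
    beamglea.js reference, "medium" for any other redirect-* load from unpkg."""
    text = refang(html)
    findings, seen = [], set()
    for m in BEAMGLEA_REF.finditer(text):
        if m["package"] not in seen:
            seen.add(m["package"])
            findings.append({"confidence": "high", "package": m["package"],
                             "version": m["version"], "file": "beamglea.js"})
    for m in REDIRECT_PKG_REF.finditer(text):
        if m["package"] not in seen:
            seen.add(m["package"])
            findings.append({"confidence": "medium", "package": m["package"],
                             "file": m["file"]})
    return findings

# Constructed sample: one campaign-style reference, one weaker hit, and one
# legitimate package that must not be flagged.
SAMPLE_HTML = """<!doctype html><html><head>
<script src="https://unpkg.com/redirect-xs13nr@1.0.0/beamglea.js"></script>
<script src="https://unpkg.com/redirect-ab12cd@1.0.0/index.js"></script>
<script src="https://unpkg.com/react@18.2.0/umd/react.production.min.js"></script>
</head><body></body></html>"""
```

Run it over quarantined HTML attachments or mail-gateway captures; a "high" hit is the campaign's exact artifact, while a "medium" hit deserves a look at what the referenced package actually serves.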
Read at The Hacker News