
175 Malicious npm Packages Targeting Global Tech and Energy Firms
Socket's Threat Research Team has identified a sophisticated phishing campaign involving 175 malicious npm packages, which have collectively been downloaded over 26,000 times.
Named 'Beamglea' after an artifact that appears consistently across all of the packages, the campaign abuses npm's public registry and the unpkg.com CDN, which serves the files of any published package over HTTPS, to host redirect scripts aimed at more than 135 industrial, technology, and energy companies worldwide.
The packages execute no malicious code during installation, so install-time scanning has nothing to flag; the registry and CDN are simply being used as free, reputable-looking hosting infrastructure for a credential-harvesting operation.
Because the packages' randomized names follow the pattern redirect-[a-z0-9]{6}, a developer is unlikely to have installed one by accident; the substantial download count is more plausibly attributable to security researchers, automated scanners, and CDN infrastructure fetching the packages after disclosure, and should not be read as a count of victims.
The threat actors developed comprehensive Python tooling to automate the campaign, creating victim-specific HTML phishing lures themed as purchase orders and project documents.
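One practical consequence of the naming pattern and the hosting choice is that the lures can be detected without analysing the redirect script itself: any unpkg.com URL whose package name matches redirect-[a-z0-9]{6} is worth flagging in email attachments, proxy logs, or web content. The following is an added example written for this article, not Socket's tooling or the threat actors' code; the HTML sample and the package name redirect-a1b2c3 in it are constructed for illustration, and the parser assumes the standard unpkg path layout of package name, optional @version, and file path.

```javascript
// Added example: flag unpkg.com references to npm packages whose names match the
// Beamglea pattern redirect-[a-z0-9]{6}. The sample HTML below is constructed, and
// the package name redirect-a1b2c3 in it is hypothetical.
const URL_RE = /https?:\/\/unpkg\.com\/[^\s"'<>()]+/g;
const BEAMGLEA_NAME_RE = /^redirect-[a-z0-9]{6}$/;

// Split an unpkg URL into package name, version (or null) and file path.
// unpkg paths look like /<name>[@<version>][/<file>]
// or, for scoped packages, /@<scope>/<name>[@<version>][/<file>].
function parseUnpkgUrl(url) {
  let parsed;
  try {
    parsed = new URL(url);
  } catch {
    return null;
  }
  if (parsed.hostname !== 'unpkg.com') return null;
  const segs = parsed.pathname.split('/').filter(Boolean);
  if (segs.length === 0) return null;

  let spec;
  let rest;
  if (segs[0].startsWith('@')) {
    // scoped package: the name spans two path segments
    if (segs.length < 2) return null;
    spec = `${segs[0]}/${segs[1]}`;
    rest = segs.slice(2);
  } else {
    spec = segs[0];
    rest = segs.slice(1);
  }
  // a version, if present, follows the last '@' (not the scope's leading '@')
  const at = spec.lastIndexOf('@');
  const name = at > 0 ? spec.slice(0, at) : spec;
  const version = at > 0 ? spec.slice(at + 1) : null;
  return { name, version, path: '/' + rest.join('/') };
}

function isBeamgleaName(name) {
  return BEAMGLEA_NAME_RE.test(name);
}

// Scan arbitrary text (an HTML attachment, a proxy log, a mail body) and return
// every unpkg reference whose package name matches the campaign's naming pattern.
function findSuspiciousUnpkgRefs(text) {
  const hits = [];
  for (const match of text.match(URL_RE) || []) {
    const ref = parseUnpkgUrl(match);
    if (ref && isBeamgleaName(ref.name)) {
      hits.push({ url: match, ...ref });
    }
  }
  return hits;
}

// Constructed sample lure: one legitimate unpkg reference and one matching the pattern.
const SAMPLE_HTML = `<!doctype html>
<html><body>
<p>Please review the attached purchase order.</p>
<script src="https://unpkg.com/react@18.2.0/umd/react.production.min.js"></script>
<script src="https://unpkg.com/redirect-a1b2c3@1.0.0/index.js"></script>
</body></html>`;

for (const hit of findSuspiciousUnpkgRefs(SAMPLE_HTML)) {
  console.log(`suspicious unpkg reference: ${hit.name}@${hit.version} -> ${hit.url}`);
}
```

Run with Node, the sample flags only the redirect-a1b2c3 reference and leaves the legitimate React script alone. The check is deliberately narrow to the naming pattern reported for this campaign; a broader control would be to treat any unpkg.com script reference arriving in an email attachment as suspicious, since a purchase order has no business loading JavaScript from a package CDN.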
The origin and meaning of 'beamglea' remain unclear, though it may represent a codename or insider reference used by the attackers.
Socket.dev analysts identified the campaign during routine scanning operations, building on initial findings by Paul McCarty at Safety, who first discovered the phishing infrastructure on September 24, 2025.
Researchers noted that most of the packages associated with the campaign were still live at the time of writing, prompting requests for their removal from the npm registry and for suspension of the associated accounts.
The campaign's technical implementation is notably polished, and its use of a trusted registry and CDN purely as hosting, rather than as a vehicle for malicious install-time code, is a concerning evolution in supply chain abuse.