While developers still rely on open-source packages from registries such as npm to save development time, cybercriminals are finding new ways to turn the registry itself into phishing delivery infrastructure. A sophisticated operation called Beamglea has just been uncovered by security researchers: 175 malicious npm packages were used to support a global campaign to steal Microsoft accounts.


According to reports, these malicious npm packages have been downloaded more than 26,000 times, although many of those downloads likely came from security analysts, automated scanners or CDNs after warnings were issued. What is worrying, however, is that these packages do not work in the "traditional" way of malicious code: they do nothing harmful when installed. Instead, they take advantage of the legitimate infrastructure of npm and UNPKG (a public CDN that serves npm package contents) to host a script that redirects victims to the phishing site.

The campaign targets over 135 companies worldwide in the industrial, technology and energy sectors. Researcher Kush Pandya said: "Npm is being turned into an infrastructure that inadvertently serves cybercriminals rather than direct attack tools."

The npm packages in the Beamglea campaign are generated automatically by a Python script called "redirect_generator.py". The script creates randomly named packages of the form "redirect-xxxxxx" and inserts the victim's email address and the phishing site link into each package's source code.

Once such a package is published to npm, the script generates an HTML file that loads the malicious JavaScript from the unpkg.com CDN (e.g. Unpkg.com/redirect-xs13nr@1.0.0/beamglea.js). When the recipient opens this HTML file in a browser, the JavaScript automatically redirects them to a fake Microsoft login page.

The trick is that the victim's email address is carried in the URL, so the login field on the phishing site is already filled in. This makes the page feel like a legitimate login portal the user has visited before, which greatly reduces suspicion and increases the success rate of the attack.

The HTML files are heavily disguised, carrying names that suggest purchase orders, technical documents, collaborative projects and the like, so the victim readily believes they are opening an internal document. Socket reportedly found more than 630 such HTML files across the npm packages in use.

The danger with Beamglea is that the cybercriminals do not need to build their own servers or rent malicious hosting. They rely on trusted infrastructure such as npm and UNPKG to distribute their content, which makes the operation:

  • Free to run: npm and UNPKG are public services.
  • Difficult to block: because it lives on legitimate infrastructure, it cannot simply be banned outright.
  • Hard to detect: the npm package contains no directly malicious code that runs at install time.

In other words, Beamglea turned npm into a "free server for phishing", a dangerous trend because it paves the way for other groups to reuse the same model.

The campaign shows the attackers' creativity in leveraging legitimate tools. Instead of a frontal assault, they hide inside legitimate processes, which makes the activity hard for automated scanners to detect. This is not a fault of npm itself, but rather a problem of package management and monitoring in open-source infrastructure, which is increasingly being abused for indirect attack campaigns.

To avoid becoming a victim, or being used as a link in a similar attack chain, experts recommend:

  • Do not open unfamiliar HTML files sent via email, especially those whose names refer to an "order" or a "technical document".
  • Developers should check npm packages carefully before using them and avoid installing packages from unclear or randomly named sources.
  • Businesses should monitor CDN traffic and block unusual requests to unpkg.com or similar domains.
  • Provide employees with phishing awareness training, especially in the industries most often targeted.
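The two indicators the article describes, a script loaded from unpkg.com under the "redirect-xxxxxx" package naming and a recipient email address embedded in a URL, can be checked for in an HTML attachment before it is opened or in mail-gateway triage. The following detector is an added example, not code from the article, Socket or the campaign; the sample HTML documents are constructed (the unpkg path is the one quoted above), and the exact character set of the random suffix is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Package naming the article attributes to the generator ("redirect-xxxxxx");
# treating the suffix as lowercase letters/digits is an assumption of this example.
REDIRECT_PKG = re.compile(r"^redirect-[a-z0-9]+$")
# An email address embedded anywhere inside a URL (the pre-fill trick described above).
EMAIL_IN_URL = re.compile(r"https?://[^\s\"'<>]*?([A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})")

class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a document."""
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs += [v.strip() for k, v in attrs if k == "src" and v]

def unpkg_package(url):
    """Return the (unscoped) npm package name an unpkg.com URL serves, else None."""
    parsed = urlparse(url if "://" in url else "https://" + url)
    if (parsed.hostname or "").lower() not in ("unpkg.com", "www.unpkg.com"):
        return None
    first = parsed.path.lstrip("/").split("/", 1)[0]  # e.g. "redirect-xs13nr@1.0.0"
    return first.split("@", 1)[0] or None             # "" for @scope/name -> None

def scan_html(html):
    """Flag unpkg.com script loads matching the campaign's naming, plus emails in URLs."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    flagged = [p for p in map(unpkg_package, collector.srcs) if p and REDIRECT_PKG.match(p)]
    emails = sorted(set(EMAIL_IN_URL.findall(html)))
    return {"suspicious_packages": flagged, "emails_in_urls": emails,
            "verdict": "suspicious" if flagged else "clean"}

# Constructed sample attachments (not captured files). The first mimics the lure the
# article describes, reusing its example unpkg path; the second loads a legitimate library.
LURE_HTML = """<html><head><title>Purchase Order PO-4471</title>
<script src="https://unpkg.com/redirect-xs13nr@1.0.0/beamglea.js"></script></head>
<body><a href="https://login.example.invalid/#victim@example.com">Open document</a></body></html>"""
BENIGN_HTML = """<html><head>
<script src="https://unpkg.com/react@18.2.0/umd/react.production.min.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for label, doc in (("lure", LURE_HTML), ("benign", BENIGN_HTML)):
        print(label, scan_html(doc))
```

The same package-name check can be applied to proxy or CDN logs for unpkg.com requests, which is the monitoring the last recommendation calls for.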

Operation Beamglea shows that cybercriminals are constantly adapting, not by creating new tools but simply by reusing existing legitimate platforms. In the era of open source and cloud computing, the line between "good infrastructure" and "cyber weapon" is more fragile than ever. Users and businesses need to understand that cyber security lies not only in blocking malicious code, but in understanding how attackers take advantage of what we trust. A click might seem harmless, but it could be the beginning of a global campaign.

WhiteHat