Threat actors behind the Beamglea campaign are co‑opting trusted JavaScript infrastructure—specifically the npm registry and the unpkg content delivery network—to deliver phishing pages via simple client‑side redirects. Instead of embedding malware inside packages, the adversaries publish benign‑looking modules that only perform a redirect, allowing them to blend into legitimate traffic and bypass many domain‑reputation and signature‑based defenses.
How the npm and unpkg redirect scheme enables phishing
According to researchers at Socket, any package published to npm is instantly retrievable over HTTPS from unpkg[.]com, a popular CDN for serving npm package files. Beamglea operators publish a series of packages following the naming pattern redirect-[a-z0-9]{6}, then distribute HTML lures masquerading as purchase orders, technical specifications, or project documentation. When a recipient opens one of these HTML files, the browser fetches the package's JavaScript from unpkg and executes it; the script's only job is to redirect the browser to a phishing domain.
The workflow also pre-populates the victim's email address to increase credibility: the address is carried in the URL fragment of the phishing link, and the phishing page reads it to auto-fill the login field. Because a fragment is never sent to the server, it does not show up in proxy or web-server request logs; it is only visible in the redirector's source. Researchers have cataloged more than 630 unique HTML lure files tagged with the campaign identifier nb830r6x.
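The following is an added example, not Socket's tooling and not code from the campaign: it triages an HTML lure of the kind described above and a copy of the redirector script an analyst has fetched from unpkg. The lure, the redirector, the package name redirect-a1b2c3, its version and the phishing host login.phish.invalid are all constructed placeholders, not campaign indicators. It shows where each piece of evidence lives: the package name in the lure's script tag, the destination and the pre-filled address only in the script text.

```javascript
// Added example for triaging a Beamglea-style lure. Not Socket's tooling and
// not code from the campaign: the lure HTML and redirector JS below are
// constructed for this example, and the package name, version and phishing
// host in them are placeholders, not campaign indicators.

// Package-name pattern reported for the campaign.
const REDIRECT_PKG = /^redirect-[a-z0-9]{6}$/;

// Constructed lure: a "purchase order" whose only content is a script from unpkg.
const SAMPLE_LURE = `<!doctype html>
<html><head><title>Purchase Order PO-7731</title></head>
<body><p>Loading document, please wait...</p>
<script src="https://unpkg.com/redirect-a1b2c3@1.0.0/index.js"></script>
</body></html>`;

// Constructed stand-in for the package's only file: a redirect whose URL
// fragment carries the target's address for the login form to pre-fill.
const SAMPLE_REDIRECTOR_JS =
  'window.location.replace("https://login.phish.invalid/doc/#victim%40example.com");';

// Every src attribute of every <script> tag, tolerant of quote style.
function extractScriptSources(html) {
  const re = /<script\b[^>]*?\bsrc\s*=\s*(["']?)([^"'\s>]+)\1/gi;
  const out = [];
  for (let m; (m = re.exec(html)) !== null; ) out.push(m[2]);
  return out;
}

// unpkg URL shape: https://unpkg.com/<name>[@<version>][/<file>]
// Returns null for anything that is not an unpkg package reference.
function parseUnpkgRef(src) {
  let u;
  try { u = new URL(src); } catch { return null; }
  if (u.hostname !== 'unpkg.com') return null;
  const segs = u.pathname.split('/').filter(Boolean);
  if (segs.length === 0) return null;
  // Scoped packages occupy two path segments (@scope/name@version).
  const nameSeg = segs[0].startsWith('@') ? segs.slice(0, 2).join('/') : segs[0];
  const at = nameSeg.lastIndexOf('@');            // the version separator, if any
  const pkg = at > 0 ? nameSeg.slice(0, at) : nameSeg;
  const version = at > 0 ? nameSeg.slice(at + 1) : null;
  const file = segs.slice(nameSeg.includes('/') ? 2 : 1).join('/') || null;
  return { src, pkg, version, file };
}

// Flag unpkg-loaded scripts in a lure and note which match the naming pattern.
function triageLure(html) {
  return extractScriptSources(html)
    .map(parseUnpkgRef)
    .filter(Boolean)
    .map((ref) => ({ ...ref, matchesCampaignPattern: REDIRECT_PKG.test(ref.pkg) }));
}

// Pull redirect targets out of the package's JavaScript and recover the
// address carried in the fragment. The fragment never leaves the browser, so
// only the script text reveals who was targeted.
function extractRedirectTargets(js) {
  const targets = [];
  for (const m of js.matchAll(/https?:\/\/[^\s"'`)]+/g)) {
    let u;
    try { u = new URL(m[0]); } catch { continue; }
    let frag;
    try { frag = decodeURIComponent(u.hash.slice(1)); } catch { frag = u.hash.slice(1); }
    targets.push({
      url: u.origin + u.pathname + u.search,
      email: /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(frag) ? frag : null,
    });
  }
  return targets;
}

console.log(triageLure(SAMPLE_LURE));
console.log(extractRedirectTargets(SAMPLE_REDIRECTOR_JS));
```

Run it with Node; the first call reports the package name and version the lure pulls from unpkg, the second the phishing destination and the pre-filled address. In practice the package file is fetched from unpkg from an isolated analysis host, never from the workstation that received the lure.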
Scale, targets, and geographic footprint
Safety initially flagged 120 malicious packages in late September; Socket now tracks more than 175. Aggregate downloads have surpassed 26,000, though a portion likely reflects analyst activity and automated scanners rather than victim engagement.
Targeting spans over 135 organizations across energy, industrial, and technology sectors. Cited brands include Algodue, ArcelorMittal, Demag Cranes, D-Link, H2 Systems, Moxa, Piusi, Renishaw, Sasol, Stratasys, and ThyssenKrupp Nucera. The primary focus is Western Europe, with additional activity observed in Northern Europe and the Asia–Pacific region.
Automation that scales: package and lure generation
Beamglea relies on Python scripts to streamline operations. The tooling checks the operator's npm authentication state, injects the target email address and phishing URL into a JavaScript template (beamglea_template.js), builds package.json, publishes the package to npm, and generates an HTML lure that references the package via the unpkg CDN. Each package is therefore a disposable, per-target artifact. This assembly-line approach enables rapid release of fresh packages and lures, so blocking on any single package name, lure hash, or phishing URL does little against the campaign as a whole.
Related activity abusing trusted platforms
Snyk has independently observed npm packages with a mad-* prefix that exhibit similar abuse patterns. In one case, a fake “Cloudflare Security Check” silently redirects users to a URL obtained from a remote GitHub file. A direct link to Beamglea remains unconfirmed, but the techniques overlap in their use of reputable developer platforms for hosting and delivery.
Why CDN‑hosted redirectors are hard to stop
The core advantage for adversaries is cover through legitimate services. Corporate networks often allow traffic to npm and unpkg by default, and these packages contain no obvious payload, just a redirect. Static inspection of the attachment shows only a script tag pointing at a reputable CDN; the phishing destination is resolved only when the script runs in the recipient's browser. As a result, controls dependent on domain reputation, signatures, or traditional attachment heuristics are less effective against this class of phishing.
Defensive guidance for security and IT teams
Email and endpoint controls
– Open HTML attachments only in sandboxed or VDI environments; implement policies to block or rewrite .html attachments.
– Strengthen email authentication and filtering: enforce DMARC, SPF, and DKIM, add URL/attachment inspection, and flag content mismatches in lures (e.g., faux POs or RFPs).
Web and application security
– Enforce a strict Content Security Policy (CSP) on corporate portals and internal apps to restrict script sources to allowlisted hosts; where feasible, disallow loading code from public CDNs. Note that this protects your own pages from injected script tags: an HTML lure opened from disk or a mail client carries no server-set CSP, so it is not a control against the attachment itself.
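To make the allowlisting point concrete, here is an added example (not part of the original article) that evaluates a script URL against the script-src directive of a CSP. It models only a subset of CSP source matching: 'self', 'none', scheme sources such as https:, and host sources with an optional scheme, leading wildcard, port and path; nonces, hashes, 'strict-dynamic' and the fallback to default-src are left out. The portal and CDN hostnames and the redirector package name are placeholders.

```javascript
// Added example, not from the original article: a small evaluator for the
// script-src directive, enough to show why an allowlist of specific hosts
// stops a CDN-hosted redirector while a scheme-wide allowance (https:) does
// not. Modeled subset: 'self', 'none', scheme sources, host sources with
// optional scheme, leading wildcard, port and path. Nonces, hashes,
// 'strict-dynamic' and the default-src fallback are deliberately left out.

const DEFAULT_PORT = { 'https:': '443', 'http:': '80' };

// Source expressions of the script-src directive, or null if there is none.
function scriptSrcSources(policy) {
  const directive = policy.split(';')
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === 'script-src');
  return directive ? directive.slice(1) : null;
}

// Match one host-source expression (e.g. https://cdn.example.com/js/,
// *.example.com, cdn.example.com:8443) against a parsed URL.
function hostSourceMatches(source, url) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+|\*)(?::(\d+|\*))?(\/.*)?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port, path] = m;
  if (scheme && scheme.toLowerCase() + ':' !== url.protocol) return false;
  const h = url.hostname.toLowerCase();
  if (host !== '*') {
    const want = host.toLowerCase();
    if (wildcard ? !h.endsWith('.' + want) : h !== want) return false;
  }
  if (port && port !== '*') {
    const urlPort = url.port || DEFAULT_PORT[url.protocol] || '';
    if (urlPort !== port) return false;
  }
  if (path) {
    // A path ending in "/" is a prefix; anything else must match exactly.
    if (path.endsWith('/') ? !url.pathname.startsWith(path) : url.pathname !== path) return false;
  }
  return true;
}

function cspAllowsScript(policy, scriptUrl, pageUrl) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return true; // no script-src: unrestricted in this model
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  for (const raw of sources) {
    const src = raw.toLowerCase();
    if (src === "'none'") return false;
    if (src === "'self'") { if (url.origin === page.origin) return true; continue; }
    if (src.startsWith("'")) continue; // keywords, nonces, hashes: not modeled
    if (/^[a-z][a-z0-9+.-]*:$/.test(src)) { if (url.protocol === src) return true; continue; }
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// Placeholder portal, CDN and redirector; the weak policy allows any https host.
const PAGE = 'https://portal.example.com/orders';
const REDIRECTOR = 'https://unpkg.com/redirect-a1b2c3@1.0.0/index.js';
const PERMISSIVE = "default-src 'self'; script-src 'self' https:";
const STRICT = "default-src 'self'; script-src 'self' https://static.example.com/js/";

console.log(cspAllowsScript(PERMISSIVE, REDIRECTOR, PAGE)); // true
console.log(cspAllowsScript(STRICT, REDIRECTOR, PAGE));     // false
console.log(cspAllowsScript(STRICT, 'https://static.example.com/js/app.js', PAGE)); // true
```

The permissive policy is the common trap: `https:` in script-src looks restrictive but admits every HTTPS host, unpkg included. Pin the directive to the exact origins (and paths, where the CDN layout allows) that your pages actually load from.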
Network monitoring and threat hunting
– Monitor and alert on requests to unpkg[.]com whose path matches the package pattern (for example /redirect-[a-z0-9]{6}), and incorporate campaign IoCs, including nb830r6x, into SIEM queries and detections. The package name is only visible in the request path, so this requires TLS inspection or browser-side telemetry; a proxy that sees only the CONNECT to unpkg[.]com cannot distinguish a redirector from a legitimate library fetch.
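As an added example (not from the original article), the hunting logic above run over a few constructed proxy log lines in a simple "time client method url status" layout. The package names, client addresses and timestamps are placeholders, not campaign indicators. Inspected GET requests yield a package-level hit; a bare CONNECT to unpkg.com is recorded as a low-confidence tunnel event, since the path is invisible without TLS inspection.

```javascript
// Added example, not from the original article: hunt proxy logs for unpkg
// requests that fetch redirect-* packages. Log lines are constructed for the
// example in a "<time> <client> <method> <url> <status>" layout; the package
// names and client addresses are placeholders, not campaign indicators.

// Package segment of an unpkg URL: name, optional @version, then "/" or end.
const UNPKG_REDIRECT = /^https?:\/\/unpkg\.com\/(redirect-[a-z0-9]{6})(?:@[^/]*)?(?:\/|$)/i;

const SAMPLE_PROXY_LOG = [
  '2024-10-02T09:14:03Z 10.20.3.41 GET https://unpkg.com/redirect-a1b2c3@1.0.0/index.js 200',
  '2024-10-02T09:14:05Z 10.20.3.41 GET https://unpkg.com/react@18.3.1/umd/react.production.min.js 200',
  '2024-10-02T09:15:10Z 10.20.7.12 CONNECT unpkg.com:443 - 200',
  '2024-10-02T09:16:44Z 10.20.3.41 GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 200',
  '2024-10-02T09:17:02Z 10.20.9.5 GET https://unpkg.com/redirect-zz9x1q/ 200',
];

function parseLine(line) {
  const [time, client, method, url, status] = line.trim().split(/\s+/);
  if (!status) return null; // malformed or truncated line
  return { time, client, method, url, status };
}

function huntUnpkgRedirectors(lines) {
  const hits = [];
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    if (rec.method === 'CONNECT') {
      // Without TLS inspection only the hostname is visible: enough to know a
      // client talked to unpkg, not enough to see which package it fetched.
      const host = rec.url.split(':')[0].toLowerCase();
      if (host === 'unpkg.com') hits.push({ ...rec, kind: 'tunnel', pkg: null, severity: 'info' });
      continue;
    }
    const m = UNPKG_REDIRECT.exec(rec.url);
    if (m) hits.push({ ...rec, kind: 'package', pkg: m[1].toLowerCase(), severity: 'high' });
  }
  return hits;
}

// Which clients fetched which redirector package: the triage list for
// deciding who opened a lure and whose credentials to reset.
function clientsByPackage(hits) {
  const byPkg = new Map();
  for (const h of hits) {
    if (h.kind !== 'package') continue;
    if (!byPkg.has(h.pkg)) byPkg.set(h.pkg, new Set());
    byPkg.get(h.pkg).add(h.client);
  }
  return Object.fromEntries([...byPkg].map(([pkg, clients]) => [pkg, [...clients].sort()]));
}

const hits = huntUnpkgRedirectors(SAMPLE_PROXY_LOG);
console.log(hits);
console.log(clientsByPackage(hits));
```

The same pattern translates directly into a SIEM query: filter on the unpkg hostname, then regex the URL path for the package segment. Keep the tunnel-only events as context rather than alerts; on a developer network they will be frequent and benign.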
Software supply chain hygiene
– Use private npm mirrors/registries, audit dependencies, and block installations from unvetted namespaces to reduce exposure to ecosystem abuse.
Beamglea underscores how effectively attackers can weaponize trusted developer infrastructure to sidestep conventional controls. Organizations should revisit policies governing access to public CDNs, perform a rapid log review for unpkg requests referencing redirect-* packages, update email and web filtering rules, and train staff to spot HTML lures impersonating procurement and technical documents. Proactive monitoring and tighter allowlists can materially reduce the blast radius of CDN‑based phishing and JavaScript supply chain abuse.