A targeted spear-phishing campaign was discovered using npm packages and jsDelivr's CDN as free phishing infrastructure. The attacker published five packages (flockiali, opresc, prndn, oprnm, operni) targeting specific employees at industrial and energy companies across Europe, the Middle East, and the US. Each package version contained a JavaScript phishing kit that replaced the webpage with a fake 'Micro-Share' file sharing interface, then redirected victims to a Microsoft login page harvesting credentials. The C2 infrastructure used a Siemens Energy typosquat domain, chosen because all targets operate in markets where Siemens Energy is a major player. The kits included sophisticated anti-bot measures including WebDriver detection, user-agent filtering, honeypot fields, and a mouse trajectory analyzer. SSL certificates for the C2 domain were registered three months before the campaign launched, indicating significant pre-planning. IOCs including package names, jsDelivr URLs, C2 domains, and payload hashes are provided.
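As an added example that is not part of the original write-up, the Python check below flags the five package names from this summary when they appear either as a dependency in a package.json or as a jsDelivr npm URL in web proxy log lines (the log lines and manifest are constructed; the URL form cdn.jsdelivr.net/npm/<name>@<version>/<path> is jsDelivr's npm endpoint). It also handles scoped package names, which goes slightly beyond the unscoped names named here.

```python
import json
import re

# Package names named in the write-up above; everything else here is assumed.
IOC_PACKAGES = {"flockiali", "opresc", "prndn", "oprnm", "operni"}

# jsDelivr serves npm packages at cdn.jsdelivr.net/npm/<name>[@<version>][/<path>];
# scoped names (@scope/name) are matched too so the check generalises.
JSDELIVR_RE = re.compile(
    r"cdn\.jsdelivr\.net/npm/(@[^/@\s]+/[^/@\s]+|[^/@\s]+)(?:@([^/\s]+))?"
)


def jsdelivr_hits(log_text):
    """Return (package, version_or_None, line) for each log line loading an IOC package."""
    hits = []
    for line in log_text.splitlines():
        m = JSDELIVR_RE.search(line)
        if m and m.group(1) in IOC_PACKAGES:
            hits.append((m.group(1), m.group(2), line.strip()))
    return hits


def dependency_hits(package_json_text):
    """Return IOC package names listed in any dependency section of a package.json."""
    data = json.loads(package_json_text)
    found = set()
    for section in ("dependencies", "devDependencies",
                    "optionalDependencies", "peerDependencies"):
        found |= IOC_PACKAGES & set(data.get(section, {}))
    return sorted(found)


# Constructed sample proxy log lines (not taken from the report).
SAMPLE_LOG = """\
2024-06-01T09:12:01Z 10.0.0.5 GET https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js 200
2024-06-01T09:12:07Z 10.0.0.5 GET https://cdn.jsdelivr.net/npm/opresc@1.0.2/index.js 200
2024-06-01T09:12:09Z 10.0.0.9 GET https://cdn.jsdelivr.net/npm/prndn/dist/bundle.js 200
"""

# Constructed sample manifest (not taken from the report).
SAMPLE_PACKAGE_JSON = '{"dependencies": {"express": "^4.19.2", "flockiali": "1.0.0"}}'

if __name__ == "__main__":
    for pkg, ver, line in jsdelivr_hits(SAMPLE_LOG):
        print(f"jsDelivr load of IOC package {pkg}@{ver or 'latest'}: {line}")
    print("IOC packages in manifest:", dependency_hits(SAMPLE_PACKAGE_JSON))
```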
Table of contents
What we found
The attack flow
Anti-bot tricks
Five packages, five targets, two templates
The infrastructure tells a story
Why npm + jsDelivr?
The timeline
What should you do?
Indicators of Compromise