Live Cybersecurity News Ticker | Codekeeper

Hackers Exploit NPM Package System to Target 135 Industrial Companies

Written by Content Team | Oct 13, 2025 8:48:03 PM

Cybercriminals are using a clever new approach called "Beamglea" to phish credentials from industrial and electronics companies. Instead of injecting malicious code into NPM packages, they're abusing the legitimate unpkg.com CDN service to host phishing pages.

The attackers created 175 fake packages with names like "redirect-[random6chars]" that redirect victims to credential-stealing sites. They've targeted over 135 organizations including ArcelorMittal, D-Link, and ThyssenKrupp Nucera, generating 630+ HTML files disguised as purchase orders and technical documents.

Using automated Python tools, hackers customize attacks for each victim, pre-filling email addresses to make phishing pages appear legitimate. The campaign has accumulated 26,000 downloads, though many come from security researchers analyzing the threat.
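For defenders, the package naming pattern and the unpkg.com host described above can be turned into a simple hunt over HTML attachments and web-proxy logs. The sketch below is an added example, not code from the campaign or from the cited report. It assumes the six random characters are lowercase letters or digits, and the sample file names, versions and log format are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption: the six random characters are lowercase letters or digits.
PKG_RE = re.compile(r"^redirect-[a-z0-9]{6}$")
# Any URL on the exact host unpkg.com (look-alike hosts do not match).
URL_RE = re.compile(r"(?:https?:)?//unpkg\.com/[^\s\"'<>]+", re.I)

def unpkg_package(url):
    """Return the npm package name an unpkg.com URL points at, or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != "unpkg.com":
        return None
    segs = [s for s in parts.path.split("/") if s]
    if not segs:
        return None
    # Scoped packages take two path segments: @scope/name[@version]
    scoped = segs[0].startswith("@") and len(segs) > 1
    name = "/".join(segs[:2]) if scoped else segs[0]
    at = name.rfind("@")  # strip a trailing @version, keep a leading @scope
    return name[:at] if at > 0 else name

def find_redirect_packages(text):
    """Return sorted unique package names in text that fit the campaign pattern."""
    hits = set()
    for url in URL_RE.findall(text):
        pkg = unpkg_package(url)
        if pkg and PKG_RE.match(pkg):
            hits.add(pkg)
    return sorted(hits)

# Constructed sample: an HTML attachment followed by web-proxy log lines.
SAMPLE = '''
<html><body>
<script src="https://unpkg.com/react@18.2.0/umd/react.production.min.js"></script>
<script src="https://unpkg.com/redirect-a1b2c3@1.0.0/index.js"></script>
</body></html>
2025-10-13T20:01:02Z 10.0.0.5 GET https://unpkg.com/redirect-zz9x0q/index.js 200
2025-10-13T20:01:05Z 10.0.0.5 GET https://unpkg.com/redirect-loop-helper@2.1.0/index.js 200
2025-10-13T20:01:09Z 10.0.0.7 GET https://unpkg.com.cdn.example/redirect-q1w2e3/x.js 200
'''

if __name__ == "__main__":
    for pkg in find_redirect_packages(SAMPLE):
        print("review:", pkg)
```

A match is a lead for triage rather than proof of compromise, since a legitimate package could share the naming shape.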

Source: Security Week