Continuous Phishing Operations targeting developers and NPM ecosystem
03 October 2025
By Samantha Clarke, Hiwot Mendahun and the Mimecast Threat Research Team
- Two major npm-focused campaigns identified as part of broader threat landscape: July "account maintenance" and September "2FA security update" operations
- These npm campaigns represent an escalation in the targeting of critical open source development infrastructure
- September 14, 2025: "Shai-Hulud" self-replicating worm deployment linked to harvested credentials
- Worm infiltrated 180+ npm packages through autonomous replication, demonstrating evolution from credential theft to supply chain malware
Campaign Overview
The Mimecast Threat Research team has been actively monitoring a multi-stage attack campaign targeting the npm ecosystem since July 2025. Our research reveals a progression from credential harvesting phishing attacks to the "Shai-Hulud" supply chain compromise that occurred on September 14, 2025. Through continuous threat monitoring, we identified two major phishing campaigns that directly preceded large scale npm package compromises.
Mimecast-Tracked Campaign Timeline
July 2025 - Account Maintenance Campaign
The first identified npm-targeted phishing activity took place in July 2025, utilizing "account maintenance" social engineering lures. These campaigns directed developers to typosquatted domains that mimicked npm's legitimate infrastructure, targeting package maintainers with urgent account maintenance notifications.
- Lure Used: Account maintenance and verification requirements
- Delivery Method: Phishing emails impersonating official npm communications
- Objective: Credential harvesting targeting high-value maintainer accounts
- Infrastructure: Typosquatted domains including npnjs.com
September 2025 - Security Update Campaign
An escalation was observed in early September with a more sophisticated campaign leveraging "2FA security update" lures. This campaign demonstrated advanced evasion techniques and targeted messaging specifically designed to exploit security-conscious developers.
- Lure Used: Mandatory 2FA updates and security compliance requirements
- Delivery Method: Phishing emails impersonating official npm communications
- Objective: Large-scale credential harvesting preceding supply chain deployment
September 14, 2025 - Shai-Hulud Deployment
The culmination of these credential harvesting operations resulted in the deployment of the "Shai-Hulud" self-replicating worm. Using accounts compromised in previous phishing campaigns, threat actors deployed autonomous malware that propagated throughout the npm ecosystem without further human intervention.
- Attack Vector: Compromised maintainer accounts from previous phishing campaigns
- Payload: Self-replicating worm utilizing malicious post-install scripts (bundle.js)
- Scope: Initially 18 targeted packages, expanding to 180+ through autonomous replication
- Capabilities: Multi-vector credential theft (npm tokens, GitHub credentials, cloud platform secrets)
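Because the worm's payload runs from a lifecycle install script (the bundle.js post-install hook noted above), one practical defensive check is to enumerate every package in a node_modules tree that declares preinstall, install or postinstall hooks and flag hooks that invoke a file named bundle.js. The script below is an added example written for this article, not Mimecast's tooling or anything from the npm project; the three-package node_modules tree it builds is constructed for illustration, and the bundle.js match is only a coarse triage signal since legitimate packages (native addons, for instance) also use install hooks.

```python
"""Audit a node_modules tree for packages that run lifecycle install scripts.

Added example, not from the Mimecast write-up. It walks package.json files,
lists any preinstall/install/postinstall hooks, and flags hooks that invoke a
file named bundle.js, the post-install payload name reported above. The sample
tree created by build_sample_tree() is constructed for illustration only.
"""
from __future__ import annotations

import json
import os
import tempfile

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")
SUSPECT_PATTERN = "bundle.js"  # payload file name reported in the article


def audit_node_modules(root: str) -> list[dict]:
    """Return a record for every package under `root` that declares an install hook."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if "package.json" not in filenames:
            continue
        try:
            with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, do not abort the audit
        scripts = manifest.get("scripts") or {}
        hooks = {h: scripts[h] for h in LIFECYCLE_HOOKS if h in scripts}
        if not hooks:
            continue
        findings.append({
            "name": manifest.get("name", os.path.basename(dirpath)),
            "version": manifest.get("version", "?"),
            "hooks": hooks,
            # coarse triage signal: the hook command references the reported payload name
            "suspect": any(SUSPECT_PATTERN in cmd for cmd in hooks.values()),
        })
    return findings


def build_sample_tree() -> str:
    """Create a constructed node_modules directory with three packages; return its path."""
    root = tempfile.mkdtemp(prefix="nm_audit_")
    packages = {
        "benign-lib": {"name": "benign-lib", "version": "1.0.0"},
        "native-addon": {"name": "native-addon", "version": "2.1.0",
                         "scripts": {"install": "node-gyp rebuild"}},
        "hijacked-pkg": {"name": "hijacked-pkg", "version": "3.0.1",
                         "scripts": {"postinstall": "node bundle.js"}},
    }
    for folder, manifest in packages.items():
        os.makedirs(os.path.join(root, folder))
        with open(os.path.join(root, folder, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    return root


if __name__ == "__main__":
    for finding in audit_node_modules(build_sample_tree()):
        flag = "SUSPECT" if finding["suspect"] else "review"
        print(f"[{flag}] {finding['name']}@{finding['version']} {finding['hooks']}")
```

Run it against a real project by calling audit_node_modules("path/to/node_modules"); any package that declares a hook deserves a look, and a hook that executes a bundled script file is worth comparing against the package's published source. Setting npm's ignore-scripts option in CI prevents lifecycle hooks from running at all, at the cost of breaking packages that legitimately need them.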
Mimecast Protection
Mimecast's advanced threat detection capabilities have successfully identified and blocked these campaigns through multiple protection layers.
Targets
Region and Vertical: Global targeting with concentrated effects on technology organizations heavily dependent on npm packages, including fintech, healthcare technology, and enterprise software development companies.
Primary targeting focuses on software development professionals across multiple platforms, with npm maintainers representing high-value targets due to supply chain access. Secondary targeting includes DevOps engineers, security professionals, and enterprise development teams managing critical infrastructure dependencies.
Indicators of Compromise (IOCs)
NPM-Specific Infrastructure
- npnjs.com (primary typosquatted domain)
- npm-security.com (secondary phishing infrastructure)
- npmjs.help (credential harvesting page)
- npmjs-security.org (credential harvesting page)
Recommendations
Immediate Actions:
- Educate users on threats across npm, OAuth, SaaS platforms, and development infrastructure, including specific tactics like account maintenance, security updates, and platform impersonation
- Establish protocols for independently verifying critical communications across all development platforms
Threat Hunting:
- Search email receipt logs and URL logs for technical indicators associated with these campaigns
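The threat-hunting step above, searching email and URL logs for the IOC domains listed on this page, can be scripted so that it matches the registered domain and its subdomains but not look-alike hosts that merely contain the string. The script below is an added example for this article, not Mimecast's detection logic; the log layout (timestamp, recipient, URL) and the log lines themselves are constructed and hypothetical, so adapt the line parser to your gateway's export format.

```python
"""Hunt for the npm phishing IOC domains from this article in URL logs.

Added example, not Mimecast's tooling. The log format is a constructed,
hypothetical 'timestamp recipient url' layout; the four IOC domains are the
ones listed in the article's Indicators of Compromise section.
"""
from __future__ import annotations

import re
from typing import Optional
from urllib.parse import urlsplit

# Domains from the IOC list on this page.
IOC_DOMAINS = {
    "npnjs.com",
    "npm-security.com",
    "npmjs.help",
    "npmjs-security.org",
}

# Constructed sample log lines (hypothetical format: timestamp, recipient, URL).
SAMPLE_LOG = """\
2025-09-03T08:12:44Z dev1@example.test https://www.npmjs.com/package/left-pad
2025-09-03T08:15:02Z dev2@example.test https://npnjs.com/login?verify=1
2025-09-03T08:16:10Z dev3@example.test http://account.npmjs.help/2fa-update
2025-09-03T08:20:33Z dev4@example.test https://npmjs-security.org.evil.test/x
2025-09-03T08:21:00Z dev5@example.test https://NPM-SECURITY.COM/reset
"""

URL_RE = re.compile(r"https?://\S+")


def hostname_matches(host: str, iocs: set) -> Optional[str]:
    """Return the IOC domain that `host` equals or is a subdomain of, else None.

    The match is anchored on the registered domain: npmjs-security.org.evil.test
    is a different registered domain and must not match npmjs-security.org,
    while account.npmjs.help is a subdomain of npmjs.help and does match.
    """
    host = host.lower().rstrip(".")
    for ioc in iocs:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def hunt(log_text: str, iocs: set = IOC_DOMAINS) -> list:
    """Return one hit per log line whose URL host resolves to an IOC domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) < 3:
            continue  # malformed line: skip rather than abort the hunt
        timestamp, recipient, rest = parts
        for url in URL_RE.findall(rest):
            host = urlsplit(url).hostname or ""
            ioc = hostname_matches(host, iocs)
            if ioc:
                hits.append({"timestamp": timestamp, "recipient": recipient,
                             "url": url, "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['timestamp']} {hit['recipient']} -> {hit['ioc']} ({hit['url']})")
```

Each hit names the recipient, which is the starting point for the follow-up: confirm whether the user submitted credentials, rotate the affected npm and GitHub tokens, and review packages published from that account after the click.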