Rescana
148 Malicious npm Packages Convert Browsers into DDoS Botnet
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A campaign involving 148 malicious npm packages, branded as student proxy tools, has been uncovered. These packages were designed to lure students into bypassing school web filters but instead turned their browsers into nodes of a DDoS botnet. The attack was active primarily in May and June 2026 and exploited the npm ecosystem to deliver malicious payloads. The packages masqueraded as tutoring services, loading harmful code that executed remote JavaScript payloads with full browser privileges. The attackers used mutable remote loaders without Subresource Integrity (SRI), allowing them to change payloads at will. The DDoS modules included an HTTP Flood module that targeted a legitimate nursing school, generating significant traffic. The campaign's infrastructure was traced back to a GitHub organization named lucideproxy, and the operators have since removed the DDoS functionality from the packages. This incident highlights a shift in supply chain threats, focusing on end-user exploitation rather than traditional developer targets.
Key Points: • 148 npm packages disguised as student proxies turned browsers into DDoS bots. • Attackers exploited npm and GitHub for payload delivery, using mutable remote scripts. • The campaign generated significant traffic to a legitimate nursing school, demonstrating a new threat vector.