148 Malicious npm Packages Convert Browsers into DDoS Botnet

148 Malicious npm Packages Convert Browsers into DDoS Botnet

First seen 14 Jul 2026, 14:06 UTC ThehackernewsCybersecuritynewsRescanaTechnadusafedep.io+1 84% similarity 69.0

Article Content

Browse articles
ThreatCluster

A campaign involving 148 malicious npm packages, branded as student proxy tools, has been uncovered. These packages were designed to lure students into bypassing school web filters but instead turned their browsers into nodes of a DDoS botnet. The attack was active primarily in May and June 2026 and exploited the npm ecosystem to deliver malicious payloads. The packages masqueraded as tutoring services, loading harmful code that executed remote JavaScript payloads with full browser privileges. The attackers used mutable remote loaders without Subresource Integrity (SRI), allowing them to change payloads at will. The DDoS modules included an HTTP Flood module that targeted a legitimate nursing school, generating significant traffic. The campaign's infrastructure was traced back to a GitHub organization named lucideproxy, and the operators have since removed the DDoS functionality from the packages. This incident highlights a shift in supply chain threats, focusing on end-user exploitation rather than traditional developer targets.

Key Points: • 148 npm packages disguised as student proxies turned browsers into DDoS bots. • Attackers exploited npm and GitHub for payload delivery, using mutable remote scripts. • The campaign generated significant traffic to a legitimate nursing school, demonstrating a new threat vector.

ThreatCluster AI

Timeline

2026-05-27
First wave of malicious packages uploaded
The initial batch of 148 npm packages was uploaded by the account iterminal3airporti, targeting students.
Technadu
2026-07-08
Second wave of packages uploaded
A second wave of malicious packages was uploaded by the account ieerikakirki, continuing the campaign.
Technadu
2026-07-13
Security report published
JFrog published a report detailing the malicious npm packages and their exploitation methods.
Technadu
2026-07-14
Public awareness raised
Multiple cybersecurity outlets reported on the campaign, increasing awareness of the threat.
Rescana

Community

Browse all →