148 Fake npm Packages Used in Student Proxy Attack


Researchers uncovered 148 malicious npm packages disguised as student proxy tools to hijack browsers for DDoS attacks.

Cybersecurity researchers have uncovered a large-scale software supply chain campaign involving 148 malicious npm packages that were disguised as student web proxy projects but were actually designed to recruit unsuspecting users into a browser-based botnet.

The findings, published in July 2026 by researchers at JFrog Security, reveal that the packages appeared to offer tools commonly used by schools and students to bypass internet restrictions. Behind the scenes, however, the code enabled attackers to generate large volumes of web traffic and potentially launch distributed denial-of-service (DDoS) attacks against third-party targets.

According to JFrog, the first wave of malicious packages was uploaded to the npm registry on May 27, 2026, using the account terminal3airport. A second wave followed on July 8, 2026, under another account named eerikakirk. Although many of the packages have since been removed, researchers said several remained available when the report was published.

The campaign masqueraded as legitimate student proxy software using names such as Riverbend Tutoring and other education-themed projects. Rather than delivering the advertised functionality, the packages contained hidden JavaScript capable of establishing WebSocket connections and generating high volumes of network traffic from visitors’ browsers.

Researchers said the malware relied on a mutable remote code execution mechanism, allowing attackers to change the payload after installation without publishing a new version of the package. That flexibility meant compromised systems could receive updated instructions long after developers had installed what appeared to be harmless software.

In addition to creating a distributed network of browsers capable of generating traffic on demand, the operation also sought to generate advertising revenue by opening aggressive pop-under advertisements for affected users. The combination of ad fraud and botnet functionality made the campaign unusual compared with more traditional credential-stealing npm attacks.

The discovery adds to a growing number of supply chain incidents targeting the JavaScript ecosystem during 2026. Security researchers have repeatedly warned that malicious actors are increasingly abusing trusted open-source repositories by publishing packages that appear legitimate but execute hidden code once installed.

JFrog recommends that developers carefully review third-party dependencies before installing them, verify package maintainers, and monitor applications for unexpected outbound network connections. Organizations are also encouraged to use software composition analysis tools and restrict the execution of untrusted install scripts to reduce exposure to similar attacks.

Related articles :


Reports are sourced from official documents, law-enforcement updates, and credible investigations.

Discover additional reports, market trends, crime analysis and Harm Reduction articles on DarkDotWeb to stay informed about the latest dark web operations.