Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
SOC Efficiency: Cut Alert Overload and MTTR by 21 Minutes Per Case
July 14, 2026
Miasma Malware Creates Backdoors in npm Packages, Targets Dev Machines
July 14, 2026
Critical UEFI Shim Flaw Lets Attackers Bypass Secure Boot
July 14, 2026
Home/CyberSecurity News/Over 150 Malicious npm Packages Enable DDoS Attacks on Students
CyberSecurity News

Over 150 Malicious npm Packages Enable DDoS Attacks on Students

Key Takeaways A campaign involving nearly 150 malicious npm packages masqueraded as school Wi-Fi bypass tools. These packages were not designed to infect developer systems but rather to serve...

Jennifer sherman
Jennifer sherman
July 14, 2026 4 Min Read
3 0

Key Takeaways

  • A campaign involving nearly 150 malicious npm packages masqueraded as school Wi-Fi bypass tools.
  • These packages were not designed to infect developer systems but rather to serve malicious browser-based proxy pages.
  • Visitors to these proxy pages were exposed to pop-under ads, tracking, and, critically, code that transformed their browsers into participants in DDoS attacks.
  • The operators leveraged npm for static asset distribution, dynamically altering malicious functionality via remote scripts, making detection and takedown challenging.
  • The DDoS functionality, active in late May, specifically targeted an educational website, generating significant traffic.

A sophisticated campaign has been uncovered where approximately 150 npm packages, disguised as legitimate Wi-Fi bypass tools for students, were weaponized to transform unsuspecting browsers into nodes for distributed denial-of-service (DDoS) attacks. This deceptive operation presented itself as benign web proxies, offering students a way to access restricted websites and games, while covertly injecting malicious code in the background.

Table Of Content

  • Key Takeaways
  • Deceptive Tactics and Malicious Functionality
  • Hidden Loaders Enabled DDoS Traffic
  • What You Should Do

Unlike conventional malicious npm packages that typically compromise a developer’s system during installation, this operation primarily functioned as a delivery mechanism for browser-based proxy pages. Users who accessed these hosted sites were unwittingly subjected to various illicit activities, including pop-under advertising, extensive tracking, and, during a specific period, code designed to flood target networks with traffic. Researchers from JFrog and SafeDep collaboratively identified and analyzed the different phases of this campaign.

SafeDep initially documented 141 of these packages in May, categorizing them as adware-hosting abuse. Subsequently, JFrog successfully deobfuscated the application, revealing its remote code loading and DDoS capabilities, which were actively deployed in late May. JFrog said in a report that these findings underscore the significant risks that seemingly innocuous bypass sites can pose to educational institutions, corporate environments, and individual users.

The attackers exploited npm’s widespread accessibility for distributing static web assets. They then dynamically changed the proxy’s behavior after a visitor landed on the page by using external scripts. This method allowed them to modify the malicious payload without updating the npm packages themselves, enhancing their operational flexibility and evasion tactics.

Deceptive Tactics and Malicious Functionality

The campaign utilized branding and web pages associated with names like Lucide Proxy, Riverbend Tutoring, and Northstar Tutoring. The front-facing service performed its advertised function, routing browser traffic through a proxy to circumvent content restrictions. This seemingly legitimate behavior was crucial in camouflaging the malicious scripts operating concurrently.

JFrog reported that the initial wave of malicious packages emerged on May 27, followed by a second wave on July 8, bringing the total to 148 packages. While many of these packages have since been removed, some remained accessible at the time the research was published.

The earlier analysis by SafeDep indicated that the packages lacked traditional installation hooks or credential-stealing components. Instead, they contained web files designed to be served from npm-backed infrastructure. A service worker was employed to route proxy traffic and inject code capable of capturing navigation events. Concurrently, advertising scripts triggered pop-under pages following user interactions.

This distinct approach meant that the primary victims were not developers integrating these packages into their projects. Instead, any student simply visiting a deployed proxy page could unknowingly contribute their browser’s resources to the malicious activities. This strategy also complicated takedown efforts, as the same core files could be replicated across numerous package names and hosting locations, making it difficult to eradicate the threat entirely.

Hidden Loaders Enabled DDoS Traffic

JFrog’s in-depth analysis revealed an obfuscated JavaScript bundle that executed two hidden modules before the legitimate proxy interface became visible. One module retrieved a remotely hosted script from a mutable GitHub branch, critically lacking any integrity checks. This allowed the attackers to modify the code delivered to every visitor dynamically, circumventing the need to republish the npm package for each change.

An archived second-stage payload was designed to transmit repeated, large POST requests to a targeted educational website every half-second. JFrog’s estimations suggest that a single active browser could generate approximately 2 MB of upload traffic per second. With a thousand concurrent visitors, this could escalate to roughly 2 GB of traffic per second, a volume sufficient to significantly degrade or overwhelm a public-facing service.

Another component dynamically fetched live WebSocket settings, instructing browsers to establish high-speed connections to a Wisp-compatible proxy endpoint. This functionality enabled the rapid creation and termination of WebSocket connections, effectively stressing a server’s socket capacity and logging systems. While the remote loader and traffic generator components were eventually removed, the persistent threat of external script loading remains a concern.

What You Should Do

  • For Network Administrators: Block all listed infrastructure domains (e.g., whatsadmaidk, changiairportpromax, testdonotredeem, 21baseballacademy.com, lucideon.top, cdn.conditionfuneral.com, wisp.breadarchive.dpdns.org, realizationnewestfangs.com, protrafficinspector.com, preferencenail.com, skinnycrawlinglax.com) and IP addresses (e.g., 92.38.177.17, 92.38.177.101, 53.75.225.178, 5.188.124.67, 92.38.177.169, 92.38.177.37) on all network perimeters, especially within school and corporate environments where proxy usage might be prevalent.
  • For End-Users: If you have visited any tutoring-themed proxy pages, immediately clear your browser’s cookies, cached files, and service workers to remove any lingering malicious scripts or tracking elements.
  • For Development Teams: Review project manifests and lockfiles to identify and remove any matching packages. Rebuild applications from clean sources and verify that both direct and indirect dependencies are free from these malicious components.
  • For Security Operations Centers (SOCs): Enhance monitoring of web filtering logs for any visits to the identified tutoring-themed proxy pages. Investigate any unusual browser upload activity, as the malicious code was delivered post-page load, meaning endpoint alerts focused solely on package installation might not detect affected users. Prioritize browser telemetry and DNS records for comprehensive exposure assessment across campus or enterprise networks.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Microsoft Entra ID Defaults to Passkeys, Replacing Passwords

Next Post

SAP Patches Critical NetWeaver Memory Corruption Flaw CVE-2026-XXXXX

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical VMware Avi Load Balancer Flaws Let Attackers Bypass Authentication
July 14, 2026
Pro-Iran Hacktivists Launch Telegram-Coordinated DDoS and Hack-and-Leak Attacks
July 14, 2026
Qilin Ransomware Abuses Active Directory Replication with DCSync Attacks
July 14, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us