Researchers uncover 148 malicious software packages pretending to be student proxies, hijacking user browsers for cyberattacks.
Security researchers recently discovered one of the sneakiest digital tricks in recent memory: scammers distributed nearly 150 pieces of malicious software disguised as legitimate tools for students. These fake programs didn't steal passwords or demand ransom money. Instead, they quietly transformed victims' computers into unwilling soldiers in a larger cyberattack operation.
The attack unfolded silently across May, with the malware staying active for approximately two weeks. During that time, researchers believe thousands of people unknowingly downloaded these poisoned packages from npm, a popular marketplace where developers share code. The attackers were particularly clever—they posed as student-friendly web proxies, tools that students commonly use to access restricted websites or improve internet privacy.
Once installed, the malware didn't target the programmers building applications. Instead, it hijacked the computers of everyday users who visited websites running the infected code. Their browsers became mini-weapons in what's called a distributed denial-of-service attack—basically, a coordinated strike that floods a target with so much traffic that the website crashes.
This attack represents a particularly troubling evolution in how criminals operate. Rather than seeking direct profit through theft, the perpetrators created an invisible network of compromised devices. Think of it like someone secretly recruiting an army of people to help them push down a building—except the "people" are computers, and the "building" is a website or online service.
Security researchers from JFrog connected this campaign to ShinyHunters, a known hacking group with a history of sophisticated Salesforce-related attacks. This link suggests the operation may have been part of a larger, coordinated strategy rather than a random opportunistic effort.
The fact that 148 separate packages made it past npm's defenses shows how difficult it is to police these software marketplaces. Legitimate developers rely on code libraries shared by others—it's an essential part of modern software development. But it also creates opportunities for criminals to inject poison into the supply chain.
If you're a developer, download packages only from trusted sources and verify package authenticity when possible. Keep your development tools updated and read reviews before adopting new libraries.
For everyone else: run reputable antivirus software, keep your browser updated, and be cautious about which browser extensions or tools you install. Monitor your internet speed—unexplained slowdowns can signal unwanted activity.
This incident reminds us that cybersecurity threats don't always announce themselves loudly; sometimes they work quietly in the background, which makes awareness and caution your strongest defenses.
Want to understand the technology behind this story? ITVedas has beginner-friendly guides on every IT topic.
Explore IT Chapters →