New phishing campaign using npmjs.help

[Marsup]

Select Topic Area

General

Body

Hi,

I just received what I strongly believe to be a phishing email from [email protected].

The links are also leading to npmjs.help, the domain was registered 3 days ago.

Stay safe out there.

[coliff]

I received this email too. What can we do to help get the site taken down?

I reported the site at:

• https://safebrowsing.google.com/safebrowsing/report-url
• https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site

Anything else?

[Marsup]

I reported them to their DNS provider (porkbun), I can't find their hosting provider's abuse form (winity)

[shakee93]

Received this email as well!

[ebrandel]

Submitted it to https://safebrowsing.google.com/safebrowsing/report_phish/

No idea if multiple people reporting it helps this process, but at least once its flagged it'll show a warning page, in Chrome at least.

edit: sorry, my eyes somehow missed the fact that this was already suggested

[ebrandel]

Exfil is to hxxps://websocket-api2[.]publicvm[.]]com/images/jpg-to-png.php?name=[email protected]&pass=password123

[saquibkhan]

was there one more param passing the totp code?

[FeBe95]

This has already caused severe harm:
debug-js/debug#1005 (comment)

[jcary741]

As of 22025-09-08T20:22:07Z the domain "npmjs.help" appears to have been taken down.

[rengadevsecops]

To Identify any suspicious email or website, go to virustotal.com and paste the domain and email you received.

https://www.virustotal.com/

[Marsup]

Since then it has been marked as malware by most vendors because it's been reported, I doubt the analysis would have looked like that yesterday when no one was caught yet.

[FJRG2007]

https://dymo.tpeoficial.com/tools/[email protected]

https://dymo.tpeoficial.com/tools/data-lookup?target=websocket-api2.publicvm.com

[everett1992]

Has there been any communication from npm on this issue? We know qix's credentials were stolen and used to publish malware, and other maintainers (duckdb). So while phishing / credential loss is always a risk it seems this instance was outstandingly successful.

Is npm collecting a list of all packages / maintainers compromized?
Is npm reviewing 2fa resets in this time frame looking for other potential maintainers / packages?
Is npm scanning for package upload withe the same malware (while the attacker could sit on credentials or change their payload it appears the known instances all have the same string (_0x112fa8)

[stoicon]

Ideas to Improve NPM Account Security #173027

[takuyahara]

@Marsup I'm seriously curious why npm logo is shown next to "to marsup" because it looks like a valid brand-controlled logo via BIMI but if so it impairs DMARC protection's reliability; faking brand indicator is considered difficult as it requires strict steps like trademarking logo, if I understand correctly. There's a possibility that the logo was somehow generated by your mail client... which client do you use? Or you mocked image?

[Marsup]

I didn't mock anything, my client uses either BIMI or Gravatar, I'm going to guess it was the latter, hard to check the BIMI now the domain is disabled.

[takuyahara]

Thank you, may I ask which client do you use?