Aikido

Gone Phishin': npm Packages Serving Custom Credential Harvesting Pages

Charlie Eriksen

At 2026-01-20 18:03 UTC, our system started alerting us to a new npm package called flockiali. Within 26 minutes, the attacker published four versions. Two days later, they went on a publishing spree: opresc, prndn, oprnm, and operni. By the time we looked closer, we'd uncovered a highly targeted spear-phishing campaign hitting employees at industrial and energy companies across Europe, the Middle East, and the United States.

And the delivery mechanism? npm + jsDelivr. Because why host your own phishing infrastructure when you can freeload off someone else's CDN?

What we found

The packages contain a single JavaScript file that, when loaded, completely replaces the webpage with a phishing kit. But here's what makes this interesting: each version targets a specific person.

We found five targets across five companies:

  • flockiali v1.2.5 targets someone at CQFD Composites, a French composites manufacturer
  • flockiali v1.2.6 targets someone at Ingeteam, a Spanish wind turbine company
  • opresc v1.0.0 targets someone at Emagine, a UAE EV charging company
  • prndn and oprnm both target the same person at Amixon GmbH, a German industrial mixing company
  • operni v1.2.7 targets someone at CMC America, a US baking equipment company

The attacker isn't spray-and-praying. They're publishing new packages for each target. And when one target is particularly interesting, they publish multiple packages with different delivery paths.

The attack flow

Here's what happens when a victim opens the phishing link.

The page loads showing a fake "Micro-Share" file sharing interface:

📁 Micro-Share
   secure file sharing
   Secure shared documents, kindly verify your email and continue.
   The following documents have been securely shared with [victim]@ingeteam.com

   📄 Specification.pdf
      - RFQ.pdf
      - Project descriptions.pdf
      - equipment's end destination.pdf

                    [ Download ]

The documents are engineering-themed: RFQs, project specifications, CAD files. Exactly what you'd expect someone at an industrial company to receive.

When the victim clicks "Download," the page transitions to a Microsoft-branded login screen:

⊞ Microsoft

Sign in

⚠ Authentication required. Click next to sign in and continue download.

┌────────────────────────────────────────┐
│ [victim]@ingeteam.com                  │  (read-only)
└────────────────────────────────────────┘

No account? Create one
Can't access your account?

                              [ Next ]

The victim's email is already filled in and marked read-only. When they click "Next," they get shipped off to the credential harvesting server:

window.location.href = "https://login.siemensergy[.]icu/DIVzTaSF";

Yep, siemensergy[.]icu. That's a typosquat of Siemens Energy. The attacker clearly did their homework on who their targets do business with.

Anti-bot tricks

The phishing kit isn't messing around. It includes several techniques to avoid automated analysis.

It checks for WebDriver (navigator.webdriver), empty plugin lists, and zero screen dimensions. It filters user-agents matching /bot|crawl|spider|headless|HeadlessChrome/i. It includes honeypot form fields that, if filled by bots, trigger the kill switch. And the download button stays disabled until the page detects mouse movement or touch events. No interaction, no phishing.

v1.2.5 goes further with a surprisingly sophisticated mouse trajectory analyzer:

isLegitimateTrajectory() {
  if (this.mouseTrail.length < 20) return false;
  const t = this.mouseTrail.slice(-10);
  const variance = t.reduce((acc, p) => 
    acc + Math.pow(p.x - t[0].x, 2), 0) / 10;
  return variance > 100;
}

This calculates the variance of the last 10 mouse positions. If your cursor moved in a suspiciously straight line (like a bot would), variance stays low and the button never enables. Real humans wiggle.

Someone put real effort into this phishing kit.

Five packages, five targets, two templates

The payload versions aren't just targeting different people. They use two different phishing kit designs.

The v1.2.5 payload (targeting CQFD Composites) uses a "MicroSecure Pro" brand with a purple gradient and Inter font. It shows CAD files and engineering deliverables as bait, has the sophisticated mouse trajectory analyzer, and sends credentials to oprsys.deno[.]dev.

The rest (v1.2.6, opresc, prndn, oprnm, operni) use a cleaner "Micro-Share" design with white backgrounds and Segoe UI. They show RFQs and project specs, use basic interaction checks, and send credentials to the Siemens Energy typosquats.

The v1.2.5 kit is flashier with animations and gradient backgrounds. The newer kits are more minimal, closer to what Microsoft actually looks like. Maybe the attacker A/B tested and found simpler converts better. Or maybe they're just iterating.

The CMC America payload (operni) has customized document lures for the food industry: "Product specifications and ingredient details", "Production capacity targets and operational parameters". The attacker is tailoring their bait.

What's interesting is the C2 choice. All the recent targets get sent to Siemens Energy typosquats. That's not random. Ingeteam makes wind turbines. Emagine does EV charging infrastructure. Amixon and CMC America make industrial mixing equipment (Amixon even works with battery materials). All operate in markets where Siemens Energy is a major player. The attacker researched their targets' business relationships.

Note the subtle evolution: siemensergy[.]icu (no hyphen) became siemens-energy[.]icu (with hyphen). The second variant is closer to the real siemens-energy[.]com domain. We confirmed via DNS that the no-hyphen domain has no records at all. The attacker abandoned it.

The infrastructure tells a story

Here's where it gets interesting. We used certificate transparency logs to look at when the C2 infrastructure was set up. The first SSL cert for *.siemens-energy[.]icu was issued on October 24, 2025. Then renewals on January 14, 16, and 17. The npm campaign started January 20.

The attacker registered the domain and got SSL certs three months before the npm packages appeared. Let that sink in. This isn't opportunistic. Someone planned this operation, set up infrastructure in October 2025, and then waited.

The C2 server (163.123.236[.]118) is hosted by RackGenius, a small hosting provider in Muskegon, Michigan. Meanwhile, the older v1.2.5 payload uses oprsys.deno[.]dev, which resolves to Google Cloud infrastructure (Deno Deploy). Free serverless hosting for phishing. Classic. We notified the Deno team about this campaign when we observed it, and they took it down very quickly.

Why npm + jsDelivr?

The package.json tells the story:

{
  "keywords": ["jsdelivr", "cdn", "template"],
  "main": "resp/template.min.js"
}

jsDelivr automatically mirrors npm packages. Publish to npm, get instant CDN hosting at cdn.jsdelivr[.]net/npm/flockiali@1.2.6/resp/template.min.js. No servers to maintain, no hosting to pay for, and the victim sees a legitimate-looking CDN URL instead of a sketchy phishing domain.
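The traits described in the two sections above (the CDN-oriented package.json, the client-side analysis-evasion checks, and the hard redirect off-page to a harvesting host) are all things a package scanner can look for statically. The script below is an added example written for this post, not Aikido's own detection code. The indicator strings are the ones quoted in the write-up; the scoring thresholds, the sample package.json, the JS fragment and the hostname login.example.invalid are constructed for the demonstration.

```python
"""Heuristic triage of an npm package for the phishing-kit traits described above.

Added example, not Aikido's tooling. Indicator strings are the ones quoted in
the write-up; the sample package.json and JS fragment below are constructed.
"""
import json
import re
from urllib.parse import urlparse

# Metadata trait: the packages advertise themselves as CDN-hosted templates.
CDN_KEYWORDS = {"jsdelivr", "cdn", "template"}

# Client-side analysis-evasion indicators quoted in the write-up.
EVASION_PATTERNS = {
    "webdriver_check": re.compile(r"navigator\.webdriver"),
    "headless_ua_filter": re.compile(r"bot\|crawl\|spider\|headless", re.I),
    "plugins_check": re.compile(r"navigator\.plugins\.length"),
    "screen_check": re.compile(r"screen\.(?:width|height)\s*===?\s*0"),
}

# A hard navigation to an absolute URL is how the kit hands off to the harvesting server.
REDIRECT_RE = re.compile(r"""window\.location(?:\.href)?\s*=\s*["'](https?://[^"']+)["']""")


def triage_package(package_json: str, main_source: str, trusted_hosts=("cdn.jsdelivr.net",)):
    """Return a dict of findings; 'score' counts how many independent traits fired."""
    meta = json.loads(package_json)
    findings = {}

    keywords = {k.lower() for k in meta.get("keywords", [])}
    findings["cdn_keywords"] = CDN_KEYWORDS <= keywords

    main = meta.get("main", "")
    findings["minified_main"] = main.endswith(".min.js")

    # Weak signal on its own: a file meant only to be fetched from a CDN needs no dependencies.
    findings["no_dependencies"] = not meta.get("dependencies")

    evasion_hits = [name for name, rx in EVASION_PATTERNS.items() if rx.search(main_source)]
    findings["evasion_indicators"] = evasion_hits

    redirects = []
    for url in REDIRECT_RE.findall(main_source):
        host = urlparse(url).hostname or ""
        if host not in trusted_hosts:
            redirects.append(host)
    findings["external_redirects"] = redirects

    findings["score"] = sum([
        findings["cdn_keywords"],
        findings["minified_main"],
        findings["no_dependencies"],
        bool(evasion_hits),
        bool(redirects),
    ])
    return findings


# Constructed sample: the package.json shape shown in the post, under a made-up name.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "keywords": ["jsdelivr", "cdn", "template"],
    "main": "resp/template.min.js",
})

# Constructed fragment containing only the indicator strings quoted in the write-up.
SAMPLE_SOURCE = """
if (navigator.webdriver || navigator.plugins.length === 0) { return; }
if (/bot|crawl|spider|headless|HeadlessChrome/i.test(navigator.userAgent)) { return; }
window.location.href = "https://login.example.invalid/path";
"""

# Constructed benign comparison: an ordinary library with none of the traits.
BENIGN_PACKAGE_JSON = json.dumps({"name": "left-pad-ish", "version": "2.0.0", "main": "index.js"})
BENIGN_SOURCE = "module.exports = function pad(s, n) { return s.padStart(n); };"

if __name__ == "__main__":
    print(triage_package(SAMPLE_PACKAGE_JSON, SAMPLE_SOURCE))
    print(triage_package(BENIGN_PACKAGE_JSON, BENIGN_SOURCE))
```

The score is deliberately a count of independent traits rather than a single regex: a real CDN-distributed template legitimately uses the jsdelivr keyword and a minified main, and a legitimate SPA legitimately assigns window.location. It is the combination of CDN metadata, bot-evasion checks and a redirect to a host outside the CDN that matches what this campaign looks like.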

The timeline

January 20th (four versions in 26 minutes):

  • 18:03 UTC: flockiali v1.2.3 (empty placeholder)
  • 18:10 UTC: flockiali v1.2.4 (metadata update)
  • 18:15 UTC: flockiali v1.2.5 (CQFD Composites target)
  • 18:29 UTC: flockiali v1.2.6 (Ingeteam target)

January 22nd (five more packages):

  • 09:52 UTC: opresc v1.0.0 (Emagine target)
  • 12:29 UTC: prndn v1.0.0 (Amixon target)
  • 12:49 UTC: oprnm v1.0.0 (Amixon again)
  • 13:11 UTC: operni v1.2.6 (broken, empty)
  • 13:16 UTC: operni v1.2.7 (CMC America target)

The attacker has a list of targets and they're working through it. The Amixon employee got two packages 20 minutes apart (overkill, much?). The CMC America package had a typo (reps/ instead of resp/) and a broken first version. Oops. This attacker is moving fast and making mistakes.

What should you do?

If you're at one of the targeted companies, check if anyone received links to jsDelivr URLs or clicked anything related to "Micro-Share" document sharing.

Search email logs for links containing cdn.jsdelivr[.]net/npm/flockiali, cdn.jsdelivr[.]net/npm/opresc, cdn.jsdelivr[.]net/npm/prndn, cdn.jsdelivr[.]net/npm/oprnm, or cdn.jsdelivr[.]net/npm/operni. Block the IOC domains at your perimeter. If credentials were entered, rotate them immediately.
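One way to run that search, as an added example rather than anything from the original post: the script below sweeps log lines for jsDelivr npm URLs, extracts the package name, and flags the five package names and three C2 domains published in the IOC list. Matching on the package name rather than the full URL string means the operni reps/ typo variant and any version number are caught alike. The log lines, the user names and the 10.0.4.17 source address are constructed; the IOC values are the ones from this write-up with the defanging brackets removed.

```python
"""Sweep proxy / email-gateway log lines for the jsDelivr URLs and C2 domains listed in the post.

Added example, not Aikido's tooling. IOC values come from the write-up; the
log lines below are constructed.
"""
import re
from urllib.parse import urlparse


def defang(value: str) -> str:
    """Turn a pasted IOC ('hxxps://x[.]y') back into the form it has in real logs."""
    return value.replace("[.]", ".").replace("hxxp", "http")


# Package names and C2 hosts from the IOC section, refanged so they compare against log text.
IOC_PACKAGES = {"flockiali", "opresc", "prndn", "oprnm", "operni"}
IOC_DOMAINS = {defang(d) for d in (
    "login.siemens-energy[.]icu",
    "login.siemensergy[.]icu",
    "oprsys.deno[.]dev",
)}

# Any jsDelivr npm URL: cdn.jsdelivr.net/npm/<name>[@<version>][/<path>], scoped names included.
JSDELIVR_RE = re.compile(
    r"""https?://cdn\.jsdelivr\.net/npm/((?:@[\w.-]+/)?[\w.-]+)(?:@([\w.-]+))?(/[^\s"'<>]*)?""",
    re.I,
)
URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.I)


def scan_line(line: str):
    """Return a list of (indicator_type, value) tuples found in one log line."""
    hits = []
    for m in JSDELIVR_RE.finditer(line):
        name, version, path = m.group(1), m.group(2), m.group(3) or ""
        if name.lower() in IOC_PACKAGES:
            hits.append(("jsdelivr_package", f"{name}@{version or '*'}{path}"))
    for url in URL_RE.findall(line):
        host = (urlparse(url).hostname or "").lower()
        if host in IOC_DOMAINS:
            hits.append(("c2_domain", host))
    return hits


def scan_log(lines):
    """Map 1-based line number -> hits, for every line with at least one hit."""
    results = {}
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results


# Constructed log lines in a generic "key=value" gateway format.
SAMPLE_LOG = [
    "2026-01-22T09:58:11Z mailgw url-click user=a.user@example.com "
    "url=https://cdn.jsdelivr.net/npm/opresc@1.0.0/resp/template.min.js",
    "2026-01-22T10:02:45Z proxy allow src=10.0.4.17 "
    "url=https://cdn.jsdelivr.net/npm/lodash@4.17.21/lodash.min.js",
    "2026-01-22T10:03:02Z proxy allow src=10.0.4.17 "
    "url=https://login.siemens-energy.icu/DIVzTaSF",
    "2026-01-22T13:20:09Z mailgw url-click user=b.user@example.com "
    "url=https://cdn.jsdelivr.net/npm/operni@1.2.7/reps/template.min.js",
]

if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(number, hits)
```

A hit of type c2_domain is the more urgent one: a jsDelivr click only means the lure page rendered, while a request to the harvesting host means the victim got past "Next", and those credentials should be rotated.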

Indicators of Compromise

C2 domains:

  • login.siemens-energy[.]icu (163.123.236[.]118, RackGenius)
  • login.siemensergy[.]icu (abandoned, no DNS)
  • oprsys.deno[.]dev (34.120.54[.]55, Deno Deploy)

Phishing URLs:

  • https://login.siemensergy[.]icu/DIVzTaSF
  • https://login.siemens-energy[.]icu/DIVzTaSF

jsDelivr URLs:

  • hxxps://cdn.jsdelivr[.]net/npm/flockiali@1.2.6/resp/template.min.js
  • hxxps://cdn.jsdelivr[.]net/npm/flockiali@1.2.5/resp/template.min.js
  • hxxps://cdn.jsdelivr[.]net/npm/opresc@1.0.0/resp/template.min.js
  • hxxps://cdn.jsdelivr[.]net/npm/prndn@1.0.0/template.min.js
  • hxxps://cdn.jsdelivr[.]net/npm/oprnm@1.0.0/resp/template.min.js
  • hxxps://cdn.jsdelivr[.]net/npm/operni@1.2.7/reps/template.min.js

Packages:

  • flockiali (1.2.3-1.2.6)
  • opresc (1.0.0)
  • prndn (1.0.0)
  • oprnm (1.0.0)
  • operni (1.2.6-1.2.7)

Payload hashes (SHA256):

  • 3ceb182fb32a8fb0f0fcf056d6ab8de1cf6e789053f1aadc98ba315ae9a96f0c – flockiali 1.2.6
  • fdb6c79a8d01b528698c53ebd5030f875242e6af93f6ae799dee7f66b452bf3e – flockiali 1.2.5
  • 4631584783d84758ae58bc717b08ac67d99dee30985db18b9d2b08df8721348e – opresc
  • 211f88a55e8fe9254f75c358c42bb7e78e014b862de7ea6e8b80ed1f78d13add – prndn/oprnm
  • 7d7f795ac1fcb5623731a50999f518877fd423a5a98219d0f495c488564a1554 – operni 1.2.7
