npm Packages Hijacked to Enlist Browsers in DDoS Attacks
Over 140 npm packages disguised as Wi-Fi bypass tools were found to secretly enlist visiting browsers into DDoS attacks, researchers reported.

A campaign involving over 140 npm packages, masquerading as tools to bypass school Wi-Fi restrictions, has been discovered to secretly enlist visiting browsers into distributed denial-of-service (DDoS) attacks. These packages, often branded with names like Lucide Proxy, Riverbend Tutoring, and Northstar Tutoring, presented themselves as harmless web proxies designed to help students access blocked websites and games.
Unlike typical malicious npm package incidents that target developers' systems during installation, this operation functioned as a delivery system for browser-based proxy pages. Anyone visiting a site hosted by these packages could be exposed to various malicious activities, including popunder advertising, user tracking, and, during a specific period, code designed to flood networks with traffic. Researchers from JFrog and SafeDep identified distinct phases of this activity, with SafeDep first documenting 141 related packages as adware-hosting abuse in May, followed by JFrog's later analysis uncovering remote code loading and DDoS functionalities that operated in late May.
JFrog's report highlighted how seemingly useful bypass sites can pose significant risks to educational institutions, workplaces, and general users. The operators leveraged npm's widespread availability to distribute static web assets. They then employed mutable external scripts to alter the functionality of the proxy pages after a visitor arrived. This approach allowed for dynamic changes to the malicious payload without needing to republish the npm packages themselves.
The campaign's first wave began on May 27, with a subsequent wave appearing on July 8, bringing the total number of identified packages to 148. While many packages were subsequently removed, some remained available at the time of the research publication. The visible service operated as advertised, routing browsing traffic through a proxy to circumvent content restrictions, which helped to conceal the malicious scripts running in the background.
JFrog's detailed analysis revealed an obfuscated JavaScript bundle that loaded two hidden modules before the proxy interface was presented to the user. One of these modules fetched a remotely hosted script from a mutable GitHub branch without any integrity checks. This mechanism provided the operators with the ability to update the code delivered to every visitor dynamically, bypassing the need for npm package re-releases.
A secondary payload, observed in an archived analysis, was capable of sending repeated large POST requests to a target education site at a rate of one request every half second. JFrog estimated that a single active browser could generate approximately 2 MB of upload traffic per second, and a thousand concurrent visitors could potentially generate around 2 GB per second, sufficient to overwhelm or significantly slow down a public-facing service.
In addition to the HTTP flood capabilities, another component fetched live WebSocket settings and instructed browsers to establish high-speed connections to a Wisp-compatible proxy endpoint. This could place considerable pressure on a server's socket capacity and logs by rapidly opening and closing connections. Although the remote loader and traffic generator components were later removed, the underlying capability for external script loading remained a concern for security professionals.
Security recommendations include blocking the identified infrastructure domains, particularly on school and corporate networks. Users who accessed affected sites are advised to clear their browser cookies, cached files, and service workers. Development teams should remove compromised packages from their projects, rebuild from clean sources, and verify the integrity of all dependencies. Endpoint alerts focusing solely on package installation may miss affected users, making browser telemetry and DNS records crucial for identifying exposure across networks.
This campaign, detailed by JFrog, reveals a more sophisticated attack vector than initially understood. While the earlier advisory focused on adware and registry abuse, JFrog's deeper analysis uncovered two distinct malicious modules: a remote script loader that fetches and executes code unsafely from a GitHub repository, and a module that establishes numerous WebSocket connections to launch a control-plane attack against Wisp proxy servers. This new information highlights the campaign's ability to dynamically alter its malicious payload and its specific targeting of other proxy infrastructure, in addition to its DDoS capabilities.