Malicious npm Packages Disguised as School Wi-Fi Bypass Tools Hijack Browsers for DDoS Attacks
Researchers from JFrog and SafeDep uncovered a campaign involving nearly 150 malicious npm packages masquerading as legitimate school Wi-Fi bypass tools. The packages, branded under names like Lucide Proxy, Riverbend Tutoring, and Northstar Tutoring, promised students access to blocked websites and games while covertly loading harmful code in the background.
Unlike traditional npm-based attacks that infect developers during installation, these packages functioned as delivery mechanisms for browser-based proxy pages. Visitors to the hosted sites were exposed to popunder ads, tracking scripts, and during a key period in late May traffic-flooding code designed to turn browsers into unwitting participants in DDoS attacks.
The campaign operated in waves, with the first detected on May 27 and a second on July 8, bringing the total to 148 packages. While many were removed, some remained available at the time of disclosure. The attack leveraged npm’s infrastructure to distribute static web assets, then dynamically altered functionality via external scripts after visitors loaded the pages.
How the Attack Worked
The proxy services appeared to work as advertised, routing traffic to bypass restrictions while silently executing additional code. A service worker intercepted navigation events and injected scripts that:
- Generated popunder ads after user interaction.
- Loaded remote JavaScript from a mutable GitHub branch, allowing operators to update malicious payloads without republishing npm packages.
- Flooded targets with traffic, including repeated large POST requests to an education-related site, capable of generating ~2 MB of upload traffic per second per browser. A thousand active users could produce ~2 GB/s, enough to disrupt services.
- Abused WebSocket connections, rapidly opening and closing links to strain server resources.
The remote loader and DDoS components were later removed, but the ability to fetch live scripts from external sources remained a persistent risk.
Impact and Detection Challenges
The campaign’s design made it difficult to detect and mitigate:
- Victims weren’t limited to developers anyone visiting the proxy pages, including students, could unknowingly contribute browser resources.
- Takedowns were hindered by the use of multiple package names and hosting locations.
- Endpoint security tools focused on package installation might miss infections, as the malicious code executed post-page load.
Security teams are advised to block the identified infrastructure domains, review web filtering logs for visits to tutoring-themed proxy pages, and monitor for unusual browser upload activity. Indicators of compromise (IoCs) include domains like whatsadmaidk[.]com, changiairportpromax[.]com, and IP addresses such as 92.38.177.17 and 53.75.225.178, along with specific file hashes and URLs tied to the campaign.
Source: https://cybersecuritynews.com/150-npm-packages-promises-wi-fi-bypass-students/
Northstar Tutoring cybersecurity rating report: https://www.rankiteo.com/company/northstar-tutoring
npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-
"id": "NORNPM1784025857",
"linkid": "northstar-tutoring, npm-inc-",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'industry': 'Education',
'name': 'Students and visitors to proxy pages',
'type': 'Individuals'},
{'industry': 'Education',
'name': 'Targeted web services (education-related '
'site)',
'type': 'Organization'}],
'attack_vector': 'Malicious npm packages, Browser-based proxy pages, Remote '
'JavaScript injection',
'date_detected': '2024-05-27',
'description': 'Researchers from JFrog and SafeDep uncovered a campaign '
'involving nearly 150 malicious npm packages masquerading as '
'legitimate school Wi-Fi bypass tools. The packages, branded '
'under names like Lucide Proxy, Riverbend Tutoring, and '
'Northstar Tutoring, promised students access to blocked '
'websites and games while covertly loading harmful code in the '
'background. The campaign operated in waves, with the first '
'detected on May 27 and a second on July 8, bringing the total '
'to 148 packages. The attack leveraged npm’s infrastructure to '
'distribute static web assets, then dynamically altered '
'functionality via external scripts after visitors loaded the '
'pages.',
'impact': {'brand_reputation_impact': 'Potential reputational damage to '
'affected entities due to association '
'with malicious activity',
'operational_impact': 'Potential disruption of targeted services '
'due to DDoS attacks',
'systems_affected': 'Browsers of visitors to proxy pages, Web '
'servers targeted by DDoS'},
'initial_access_broker': {'backdoors_established': 'Remote JavaScript '
'injection via mutable '
'GitHub branch',
'entry_point': 'Malicious npm packages',
'high_value_targets': 'Education-related web '
'services'},
'investigation_status': 'Ongoing',
'lessons_learned': "The campaign's design made it difficult to detect and "
"mitigate, as victims weren't limited to developers and "
'the malicious code executed post-page load. Takedowns '
'were hindered by the use of multiple package names and '
'hosting locations.',
'motivation': 'Financial gain (ad revenue), Disruption (DDoS attacks)',
'post_incident_analysis': {'corrective_actions': 'Enhanced monitoring of npm '
'packages, improved '
'detection of browser-based '
'malicious activity, '
'blocking of identified '
'malicious domains',
'root_causes': "Abuse of npm's package "
'distribution system, dynamic '
'script loading from external '
'sources, lack of detection for '
'post-page load malicious activity'},
'recommendations': 'Block identified infrastructure domains, review web '
'filtering logs for visits to tutoring-themed proxy pages, '
'and monitor for unusual browser upload activity.',
'references': [{'source': 'JFrog and SafeDep Research'}],
'response': {'containment_measures': 'Blocking identified infrastructure '
'domains, reviewing web filtering logs',
'enhanced_monitoring': 'Monitoring for unusual browser upload '
'activity',
'remediation_measures': 'Removal of malicious npm packages, '
'monitoring for unusual browser upload '
'activity',
'third_party_assistance': 'JFrog, SafeDep'},
'title': 'Malicious npm Packages Disguised as School Wi-Fi Bypass Tools '
'Hijack Browsers for DDoS Attacks',
'type': 'Supply Chain Attack, DDoS Attack',
'vulnerability_exploited': 'npm package distribution, Dynamic script loading '
'from external sources'}