Active Exploitation Alert: 148 Malicious npm Packages Masquerading as Student Proxies Turn Browsers Into DDoS Botnet

Active Exploitation Alert: 148 Malicious npm Packages Masquerading as Student Proxies Turn Browsers Into DDoS Botnet

Executive Summary

A sophisticated and highly opportunistic campaign has been uncovered involving 148 malicious npm packages masquerading as student proxy tools. These packages, distributed via the npm ecosystem, were designed to lure students seeking to bypass school web filters. Instead of providing legitimate proxy functionality, the packages covertly transformed users’ browsers into nodes of a distributed denial-of-service (DDoS) botnet. The campaign, which was active primarily in May and June 2026, demonstrates a significant evolution in supply chain threats: rather than targeting developers or CI/CD pipelines, the attackers weaponized the browsers of end-users, leveraging them for DDoS attacks and malvertising. This report provides a comprehensive technical analysis, threat actor profiling, exploitation details, victimology, and actionable mitigation guidance.

Threat Actor Profile

The operators behind this campaign remain unattributed to any known advanced persistent threat (APT) group and exhibit characteristics of a juvenile, opportunistic actor. The campaign’s infrastructure and codebase include references to Discord handles, the email domain geeked[.]wtf, and a GitHub organization named lucideproxy. The attackers utilized npm and GitHub as free infrastructure for payload delivery, and their code contains juvenile comments such as “TY WAVES + CHATGPT ILY.” The campaign’s monetization strategy included adware and popunder ads, suggesting a dual motive of financial gain and notoriety rather than sophisticated espionage or targeted disruption. The use of mutable remote loaders and rapid iteration of package versions further indicates a low operational security posture and a focus on maximizing short-term impact.

Technical Analysis of Malware/TTPs

The attack leveraged the npm ecosystem to distribute packages with names such as charlie-kirk, ilovefemboys, miguelphonk, changiairportpromax, and many others. These packages were not intended for import into legitimate projects but instead served as hosting for proxy web applications branded as “Lucide” and disguised as tutoring services (e.g., Riverbend Tutoring, Northstar Tutoring).

Upon visiting the proxy sites, users’ browsers would load a remote JavaScript payload via jsDelivr from a GitHub repository controlled by the attackers. Critically, the loader referenced the mutable main branch rather than a pinned commit and did not employ Subresource Integrity (SRI), allowing the attackers to swap payloads at will. The loader executed with full browser privileges, granting access to cookies, local storage, and same-origin endpoints, and used a no-referrer policy to obfuscate the origin of requests.

The malicious payloads included two primary DDoS modules:

The HTTP Flood module generated a 1-million-character string every 500 milliseconds and POSTed it (using the no-cors mode to avoid preflight throttling) to cdn.caan.edu, a legitimate nursing school in Illinois. Each browser could upload approximately 2MB per second, and with 1,000 tabs open, the aggregate bandwidth could reach 2GB per second. Randomized query parameters were used to defeat caching mechanisms.

The WebSocket Flood module fetched a configuration file (websocket.txt) specifying the target URL and the number of sockets (ranging from 1 to 1,024). The script then opened up to 1,024 WebSocket connections per browser to a Wisp endpoint on lunaron[.]top, sending valid Wisp CONNECT and CLOSE frames every 100 milliseconds. This technique targeted remote Wisp servers, causing exhaustion of file descriptors, log flooding, and proxy server crashes.

In addition to DDoS functionality, the packages included adware modules that injected popunder ads, third-party monetization scripts, and Google Analytics tracking. Notably, these monetization features persisted even after the DDoS code was removed in later package versions.

The campaign’s infrastructure included over 90 hostnames resolving to 92.38.177[.]17 (G-Core Labs), domains such as woofbeginner[.]com, c.vipersfutbol[.]com, and lunaron[.]top, and a GitHub organization (lucideproxy) used for payload delivery. Auto-publish scripts and rapid versioning were observed, indicating automated deployment and maintenance.

Exploitation in the Wild

The primary victims of this campaign were students attempting to circumvent school web filters using proxy tools. Upon accessing the malicious proxy sites, their browsers were conscripted into the botnet and used to launch DDoS attacks against cdn.caan.edu and Wisp proxy infrastructure. The campaign also targeted other student proxy services, effectively weaponizing the user base against competing infrastructure. Malvertising was pervasive, with injected ads and third-party scripts generating revenue for the attackers. The DDoS capability was “switched off” after initial reporting but remains latent and can be reactivated at any time due to the mutable loader architecture.

Victimology and Targeting

The campaign’s targeting was opportunistic, focusing on students in educational environments seeking to bypass content restrictions. The primary DDoS victim was cdn.caan.edu, a nursing school in Illinois, but the infrastructure also targeted Wisp proxy servers used by other student proxies. The attack did not discriminate by geography or institution, instead relying on the widespread demand for proxy services among students. The monetization strategy further broadened the victim pool, as any user accessing the proxy sites was exposed to adware and tracking scripts.

Mitigation and Countermeasures

Organizations should implement DNS-level blocking of campaign domains, including woofbeginner[.]com, c.vipersfutbol[.]com, and lunaron[.]top. Browser artifacts such as cache, local storage, and service workers associated with affected proxy or tutoring domains should be purged. Security teams must audit npm manifests and lockfiles for any of the 148 flagged packages and remove them, followed by a full rebuild of affected environments. Network monitoring should be configured to detect connections to the listed domains and IP addresses, as well as unusual WebSocket activity indicative of DDoS modules. End-user education is critical: students and staff should be warned against using untrusted proxy tools and instructed on the risks of browser-based malware. Finally, organizations should review npm usage policies and restrict the installation of unvetted packages, particularly those purporting to offer proxy or circumvention functionality.

References

The following sources provide additional technical details and up-to-date lists of affected packages:

The Hacker News: 148 npm Packages Disguised as Student Proxies Turned Browsers Into a DDoS Botnet

SafeDep Advisory on npm Proxy Adware

SafeDep Threat Intelligence Data Hub

JFrog Research (referenced in THN)

X.com/TheHackersNews

About Rescana

Rescana is a leader in third-party risk management, providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their digital supply chain. Our advanced TPRM platform empowers security teams to identify emerging threats, automate risk assessments, and ensure compliance with industry standards. For more information or to discuss how Rescana can help safeguard your organization, we are happy to answer questions at info@rescana.com.