150+ npm Packages Promises Wi-Fi Bypass Students Using Their Systems for DDoS Attack

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

Spread the love

Nearly 150 npm packages posing as school Wi-Fi bypass tools were used to turn visiting browsers into potential DDoS engines.

The campaign presented itself as harmless tutoring-branded web proxies, giving students a way to reach blocked websites and games while quietly loading harmful code in the background.

Unlike a typical malicious npm package, this operation did not need to infect a developer’s computer during installation. The packages acted as a delivery system for browser-based proxy pages.

Anyone who opened one of the hosted sites could be exposed to popunder advertising, tracking, and, during a key period, traffic-flooding code.

The Lucide Proxy website (SOurce – JFrog)

SafeDep first documented 141 related packages as adware-hosting abuse in May, while JFrog later deobfuscated the application and uncovered remote code loading and DDoS functions that had operated in late May.

JFrog said in a report shared with Cyber Security News (CSN) that the findings show how a seemingly useful bypass site can create risk for schools, workplaces, and ordinary users.

The operators relied on npm’s broad availability to distribute static web assets, then used changing external scripts to alter what the proxy did after a visitor arrived.

150+ npm Packages Promises Wi-Fi Bypass Students

The campaign used names and pages tied to Lucide Proxy, Riverbend Tutoring, and Northstar Tutoring.

The visible service worked as advertised: it routed browsing through a proxy designed to bypass content restrictions. That normal behavior made it easier to hide the scripts running alongside it.

JFrog said the first wave began on May 27 and a later wave appeared on July 8, bringing the total to 148 packages.

Besides this, many packages were removed, but some remained available when the research was published.

Websocket module before deobfuscation (Source – JFrog)

The earlier SafeDep analysis found no installation hooks or credential-stealing component. Instead, the packages contained web files that could be served from npm-backed infrastructure.

A service worker routed proxy traffic and injected code that could capture navigation events, while advertising scripts opened popunder pages after user interaction.

That distinction matters because the main victims were not necessarily developers who added a dependency to a project. A student who simply visited a deployed proxy page could unknowingly contribute browser resources.

The approach also made takedowns harder, as the same basic files could be copied across many package names and hosting locations.

JFrog’s analysis found an obfuscated JavaScript bundle that loaded two hidden modules before the proxy interface appeared.

One pulled a remotely hosted script from a mutable GitHub branch without an integrity check. This gave the operators a way to change code delivered to every visitor without republishing the npm package.

Lunar v2 proxy (Source – JFrog)

An archived second-stage payload sent repeated large POST requests to a target education site every half second.

JFrog estimated that one active browser could generate about 2 MB of upload traffic per second, and a thousand visitors could produce roughly 2 GB per second. Such traffic can slow or overwhelm a public-facing service.

A separate component fetched live WebSocket settings and instructed browsers to open connections to a Wisp-compatible proxy endpoint. It could create and close connections at high speed, placing pressure on a server’s socket capacity and logs.

The remote loader and traffic generator were later removed, but external script loading remained a concern.

Administrators should block the listed infrastructure domains, especially on school and corporate networks where proxy use is common. Users who accessed affected sites should clear browser cookies, cached files, and service workers.

Development teams should remove matching packages from manifests and lockfiles, rebuild from clean sources, and verify that direct and indirect dependencies are gone.

Security teams should also review web filtering logs for visits to tutoring-themed proxy pages and investigate unusual browser upload activity.

Since the harmful code was delivered after a page loaded, endpoint alerts focused only on package installation may miss affected users. Browser telemetry and DNS records are therefore important for scoping exposure across campus networks today.

Indicators of compromise (IoCs):-

Type Indicator Description
Domain whatsadmaidk Campaign-related package or hosting identifier listed in the research. 
Domain changiairportpromax Campaign-related package or hosting identifier listed in the research. 
Domain testdonotredeem Campaign-related package or hosting identifier listed in the research. 
URL https://cdn.jsdelivr.net/gh/canyoupleasesaysomething/cdn/main/cdn.js Mutable remote JavaScript loader URL. 
URL https://cdn.jsdelivr.net/gh/canyoupleasesaysomething/cdn/main/websocket.txt Remote WebSocket configuration URL. 
URL https://cdn.caan.edu/?v= Archived HTTP flood payload target. 
URL https://woofbeginner.com/jivd2xu8 External script resource associated with the campaign. 
URL https://woofbeginner.com/0a91350a913561831bdf2c26dcf18b852b5cc1.js External script resource associated with the campaign. 
Domain wisp.breadarchive.dpdns.org Wisp-related infrastructure domain. 
Domain 21baseballacademy.com Campaign infrastructure domain. 
Domain lucideon.top Campaign infrastructure domain. 
URL https://c.vipersfutbol.com/script.js External script resource associated with the campaign. 
URL https://realizationnewestfangs.com Campaign infrastructure URL. 
URL https://protrafficinspector.com/stats Campaign tracking infrastructure URL. 
URL https://preferencenail.com/sfp.js External script resource associated with the campaign. 
URL https://skinnycrawlinglax.com/dnn2hkn8 Campaign infrastructure URL. 
Domain cdn.conditionfuneral.com Campaign infrastructure domain. 
IP address 92.38.177.17 Hosting infrastructure IP address. 
IP address 92.38.177.101 Hosting infrastructure IP address. 
IP address 53.75.225.178 Hosting infrastructure IP address. 
IP address 5.188.124.67 Hosting infrastructure IP address. 
IP address 92.38.177.169 Hosting infrastructure IP address. 
IP address 92.38.177.37 Hosting infrastructure IP address. 
File name assets73sxysj46r.js Obfuscated JavaScript bundle examined in the campaign. 
File name assets/script.js JavaScript payload artifact listed by JFrog. 
SHA-256 eb4e1394d537d8eba509dd5c57e7aaf4c1df57715c7161330012a11f6202af84 Hash associated with assets73sxysj46r.js
SHA-256 10ddbbae0070267b8d15888b09a3cdb19fa74d861315b71f21c9ace8b9f85c75 Hash associated with assets/script.js
SHA-256 4b188d179e50e8208a6efec85e273e88d8fc390c836f299ba12915e0840408fd Hash of the archived HTTP flood payload. 

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Prevent critical incidents and financial loss with stronger proactive defense. Integrate a live threat feed from 15K SOC Teams.