148 npm packages: student proxies turn browsers into DDoS botnet

148 malicious npm packages disguised as student proxies that turned browsers into DDoS botnets for two weeks have been discovered. Find out!

14 jul 2026 • 5 min read • Q2BSTUDIO Team

JFrog Investigation Discovers DDoS Botnet in npm

In the vast ecosystem of modern software development, the trust placed in public package registries such as npm has become a fundamental pillar. However, that same trust can be exploited in unexpected ways. A recent security finding revealed that 148 npm packets, ostensibly designed as web proxies for students seeking to circumvent network restrictions, hid a much more sinister intent: to turn their victims' browsers into nodes of a botnet used for distributed denial-of-service (DDoS) attacks. This campaign, active for about two weeks in May, did not target developers who could install the packages, but instead leveraged the registration itself as free hosting for a malicious proxy site. Students who accessed it unknowingly gave up control of their browser to become part of a digital army.

This incident highlights a growing vulnerability in the software supply chain: packet logs can be used not only to distribute malicious code that affects developers, but also as launchpads for attacks that victimize end users. The engineering behind these 148 packages was simple but effective. Disguised as legitimate educational tools, they were able to attract a target audience—students who needed to hide their traffic—while keeping a low profile within the repository. The operation did not require developers to execute suspicious code; It was enough for a user to visit the NPM-hosted proxy site for their browser to start executing attack scripts.

From a technical perspective, these types of attacks exploit browser capabilities such as WebSocket or XMLHttpRequest to send bulk requests to specific targets. The browser thus becomes an unwitting soldier within a decentralized botnet, difficult to track because each node uses the user's real IP address. For businesses, the lesson is clear: security can no longer be limited to the network perimeter or internal servers. The attack surface has spread to any device with an internet connection, including employee or customer browsers.

In this context, cybersecurity becomes a critical enabler for business continuity. It's not enough to implement traditional firewalls or antivirus; Proactive strategies need to be adopted that include software supply chain monitoring, dependency analysis, and user education. From our specialized cybersecurity and pentesting services, we help organizations identify and mitigate these risks, evaluating both their infrastructures and the software components they consume.

The case of the 148 packages also illustrates how the attackers' creativity adapts to user behaviors. By targeting students looking for proxies, they achieved a steady stream of real human traffic, making automatic detection difficult. Traditional security solutions based on signatures or blacklists fail against this type of threat because the malicious code is not in the package itself, but in the service it provides. This is where advanced techniques such as behavioral analysis and the use of artificial intelligence to detect anomalous patterns in network traffic or browser interactions come into play.

AI for business offers powerful tools for anticipating and responding to security incidents. AI agents can continuously monitor access logs, identify unusual traffic spikes, or recognize scripts that attempt to connect to unknown domains. These capabilities, combined with AWS and Azure cloud service platforms, enable you to scale surveillance efficiently and cost-effectively. At Q2BSTUDIO, we integrate these technologies into tailored software solutions that are tailored to each customer's specific needs, whether it's to strengthen their security posture or to optimize their operational processes.

Beyond the specific case, this vulnerability opens a debate about the responsibility of package records. NPM, like other package managers, has implemented measures such as two-factor verification and manual review of suspicious packages, but the scale of the ecosystem makes a full inspection impossible. The developer community should take an active role in dependency validation, preferring packages with active maintenance, lots of downloads, and open-source patches. Likewise, companies that develop custom applications must include security as a requirement from the design phase, not as a subsequent addition.

Another relevant aspect is the use of obfuscation and multiple packaging techniques. Attackers often publish seemingly innocuous versions of a package, and only after gaining traction do they release a malicious version. This behavior is known as 'typosquatting' or 'dependency confusion'. To counter this, organizations can implement private repositories and strict dependency approval policies. In this sense, business intelligence services such as those we offer with power bi allow you to visualize the risk associated with each dependency, cross-referencing data on known vulnerabilities with the corporate software inventory.

The student proxies incident also reminds us that attackers don't discriminate by company size. A small startup can be just as vulnerable as a multinational if its employees use external services without control. Cybersecurity training for all levels of the organization is essential, as well as the implementation of endpoint security solutions that block unauthorized scripts in browsers.

At Q2BSTUDIO, we understand that technology is a business enabler, but also a risk vector. That is why we offer comprehensive services ranging from custom software development to the implementation of secure cloud infrastructures. Our cloud services on AWS and Azure are designed to ensure data elasticity, availability, and security, applying best practices in architecture and continuous monitoring.

In conclusion, the 148 npm packet campaign is a reminder that technological innovation is not without its dangers. The same ease of sharing and reusing code that drives productivity can be exploited to create global threats. The answer is not to abandon open ecosystems, but to adopt a multi-layered security approach that combines technology, processes, and people. Artificial intelligence, data analytics, and automation are critical allies in detecting and neutralizing these threats before they impact end users. In a world where every click can turn your browser into a weapon, vigilance and grooming are more important than ever.

A BREAK?

Play for a moment before you go

OUR SERVICES

How we can help you

Artificial intelligence

AI agents, chatbots, and intelligent assistants that automate tasks and serve your customers 24/7 to improve the efficiency of your business.

More info

Software Development

Web, mobile, and desktop applications, intranets, e-commerce, SaaS, and management platforms designed for your company's specific needs.

More info

Cloud services

Migration, infrastructure, managed hosting, high availability, and security on Microsoft Azure and Amazon Web Services to help your business scale without limits.

More info

Cybersecurity and pentesting

Security audits, penetration testing and protection of applications, data and infrastructure on-premise and cloud, with ethical hacking and regulatory compliance.

More info

Business Intelligence

Dashboards and data analysis with Power BI: we integrate your sources, design dashboards and KPIs and turn your data into decisions.

More info

Process automation

We automate repetitive tasks and connect your applications with n8n, Power Automate, Make, and RPA, eliminating manual work and increasing productivity.

More info

Training for Companies

We train your teams in technology with criteria: web development, databases, Git, best practices and security, automation with n8n, artificial intelligence for companies and creation of AI solutions with Azure AI Foundry.

More info

Code Auditing

We audit the code that you, your team or an AI create: we tell you what is good and what to improve, we secure it and make it ready for production, web or app.

More info

AI Image Generation

We create for you the images that your business needs with artificial intelligence: product, networks, advertising, illustration and avatars. You tell us what you want and we deliver it ready to use.

More info

AI Video Generation

We create videos with artificial intelligence for you: promotional, networking, virtual presenters, dubbing and animations. You tell us the idea and we will deliver it assembled and ready to publish.

More info

AI Conversational Avatars

We create conversational avatars with AI – digital humans with a face and voice – that serve your customers and teams with the knowledge of your company, on your website, interactive monitors, WhatsApp or Teams.

More info

Online Marketing and AI

Google Ads, Meta Ads, LinkedIn Ads and AI Engine Positioning (GEO/AEO): we attract customers and make your brand appear where they search for you, also on ChatGPT, Gemini and Perplexity.

More info

Do you have a project in mind?

Tell us your vision and we'll turn it into a software solution. Whatever the scope, we make your idea real.