How Do NPM Packages Turn Student Proxies Into a DDoS Botnet?

How Do NPM Packages Turn Student Proxies Into a DDoS Botnet?

The digital landscape is increasingly being reshaped by clever social engineering tactics that bypass traditional security perimeters by offering teenagers access to restricted entertainment within educational environments. Instead of targeting developers through the usual dependency confusion or typosquatting techniques, a massive campaign involving nearly one hundred and fifty npm packages leveraged the universal desire of students to circumvent school web filters. These packages, disguised under names like Lucide and Northstar Tutoring, functioned as student proxies designed to unblock games and social media sites, but they harbored a much darker purpose beneath their helpful interfaces. By convincing users to host these proxies, the threat actors effectively transformed innocent web browsers into active nodes within a coordinated distributed denial-of-service infrastructure. This strategy represents a significant departure from standard malware delivery because it treats the npm registry as a hosting platform for malicious web applications rather than just a source of code dependencies.

Mechanisms of Remote Execution: The G2 and I2 Modules

At the core of this operation was the G2 module, a sophisticated piece of JavaScript designed to act as a remote script loader by pulling dynamic payloads from the jsDelivr content delivery network. This mechanism allowed the attackers to maintain absolute control over the behavior of the infected proxies without having to republish the npm packages themselves each time a change was needed. When a student accessed one of these proxy sites, the G2 module would silently fetch the latest instruction set, which often included high-volume HTTP flood commands that forced the browser to upload massive quantities of data to specific targets every few hundred milliseconds. By utilizing a legitimate CDN like jsDelivr, the malicious traffic often blended in with standard web activities, making it exceptionally difficult for signature-based detection systems to identify the threat. This dynamic loading capability meant that a seemingly benign proxy could be weaponized into a powerful attack tool in real-time, depending on the current objectives of the botnet operators.

Complementing the raw volumetric power of the HTTP flood was the I2 module, which utilized the Wisp protocol to orchestrate complex control-plane attacks through the creation of over a thousand simultaneous WebSocket connections. While standard DDoS attacks usually aim to overwhelm a target’s bandwidth, the I2 module targeted the internal logic and processing limits of the destination servers by exhausting their file descriptors and memory. By rapidly opening and cycling through these connections, the malware could crash proxy services and web servers even if those servers had significant network capacity to spare. This dual-pronged approach allowed the botnet to be versatile, switching between brute-force data floods and more surgical resource exhaustion tactics based on the defenses encountered at the target. Because these connections originated from a diverse pool of residential and educational IP addresses, traditional geographic blocking or IP-based rate limiting proved largely ineffective at stopping the onslaught of traffic.

Tactical Shifts: From Dependency Poisoning to Client-Side Exploitation

The emergence of the Lucide campaign highlights a pivotal shift in how malicious actors view the open-source software supply chain as a whole. Historically, npm-based threats focused on compromising the development pipeline, such as the Shai-Hulud worm which sought to steal credentials or inject backdoors into production code. However, this new wave of attacks focuses on the consume side of the ecosystem, where the packages are not intended to be used as building blocks for other software but rather as standalone web applications served directly to end-users. This pivot allows attackers to bypass many of the sophisticated security scanners used by enterprise developers, as these tools are primarily designed to look for vulnerabilities in code dependencies rather than malicious behavior in a hosted front-end application. By targeting students who are likely to ignore security warnings in exchange for access to restricted websites, the threat actors found a large and renewable source of zombie nodes that reside outside the traditional corporate network defenses.

The operation evolved rapidly from a simple adware scheme starting in early 2024 to a weaponized DDoS tool, with researchers continuing to track its modifications through the current progress seen in 2026. Even after initial detection led the operators to strip the malicious modules and revert to an adware-only state, the infrastructure remained in place. Because the packages maintained the remote loader, the entire botnet could be re-armed instantly with a single update to a GitHub repository, demonstrating a high level of operational flexibility. Since the start of 2026, security analysts have observed a renewed push to diversify these payloads across different CDN providers to further obfuscate the source of the malicious commands. This ongoing evolution highlights a persistent threat model where the attackers utilize a modular approach to maintain their foothold in the browser, ensuring that the infrastructure remains viable for multiple types of exploitation depending on the current market demand for botnet services.

Infrastructure Vulnerabilities: The Gap in Registry Monitoring

One of the most concerning aspects of this campaign was the ease with which the attackers flooded the npm registry with over a hundred malicious packages in a mere thirty-five-minute window. This rapid-fire publishing strategy suggests that current automated defenses on public registries are largely unequipped to handle the mass-uploading of non-traditional web content that does not follow the patterns of standard software libraries. The attackers leveraged juvenile handles and centralized hosting providers, yet their activity remained largely undetected by the registry’s internal monitoring systems until significant damage had already been done. This reveals a critical blind spot in the governance of open-source repositories, which have traditionally relied on the assumption that packages are meant to be used by other developers. When these platforms are instead repurposed as free, high-availability content delivery networks for malicious applications, the existing trust models begin to break down, necessitating a radical rethink of how content is vetted.

Effectively defending against these types of distributed threats requires a multi-layered security strategy that moves beyond traditional antivirus or endpoint detection systems. Since the malware operates within the context of the web browser, network administrators in educational and corporate environments must prioritize DNS-level blocking of the domains associated with the proxy infrastructure to cut off the head of the operation. Furthermore, the persistent nature of modern web technologies means that simply closing a browser tab is often insufficient to stop the malicious activity, as Service Workers can continue to execute logic in the background. Users who have interacted with these proxy sites are advised to clear their local storage and explicitly unregister any persistent scripts to ensure that their devices are no longer contributing to the botnet’s traffic. This incident highlights the necessity of maintaining strict browser hygiene and implementing granular controls over what types of web-based applications are allowed on devices.

Strategic Responses: Strengthening the Software Supply Chain

The success of the Lucide campaign demonstrated the inherent vulnerabilities present when public registries were used as a delivery mechanism for malicious client-side applications. It proved that the definition of a malicious package had to be expanded beyond just backdoored code to include any content that repurposed the browser’s capabilities for unauthorized activities. To address these risks, security teams implemented more rigorous monitoring of unusual publishing patterns and adopted tools that specifically scrutinized front-end scripts hosted on content delivery networks. Administrators prioritized the removal of persistent web workers and cleared local storage on affected machines to prevent the long-term residency of malicious logic. This incident served as a catalyst for a more holistic approach to software supply chain security, where the focus shifted toward the behavior of the application at the point of consumption by various users. By integrating behavioral analysis with traditional registry vetting, the community moved closer to a model that neutralized these botnets.

The broader ecosystem responded to these threats by developing advanced browser-level protections that limited the execution of scripts from unverified sources within educational networks. Organizations recognized that the traditional trust in open-source repositories needed to be supplemented with real-time analysis of network traffic and endpoint behavior. In 2026, registry operators introduced more stringent identity verification processes for mass uploads to prevent the rapid propagation of weaponized web content. Furthermore, the industry moved toward a standard of least privilege for Service Workers, ensuring that background processes could not be easily hijacked for volumetric attacks. These proactive measures transformed the landscape into a more resilient environment where the risks of client-side exploitation were mitigated through a combination of technical controls and better user awareness. The lessons learned from this event ensured that the community remained vigilant against the evolving tactics of those seeking to exploit the open-source registry for malicious gain.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later