Security researchers have uncovered a sophisticated campaign involving 148 malicious npm packages that covertly transformed students' web browsers into unwilling participants in a distributed denial-of-service (DDoS) botnet. According to research published by JFrog, these packages were disguised as legitimate student web proxy services and remained active for approximately two weeks in May, highlighting a troubling evolution in supply chain attack strategies targeting educational communities.

The attack vector was particularly insidious. Rather than targeting developers who might install these packages in their projects, the threat actors weaponized the npm registry itself as free hosting infrastructure for their malicious proxy sites.