140+ Malicious npm Packages Turned Web Proxies for Students Into a DDoS Botnet
- Package Count: JFrog uncovered 148 malicious npm packages, including ilovefemboys, miguelphonk, and charlie-kirk.
- Attack Method: The packages disguised as student web proxies weaponized visitor browsers into DDoS botnets.
- Active Window: The DDoS capabilities ran for roughly two weeks in May 2026 before reverting to adware.
A large npm malware campaign, dubbed Lucide Proxy, deployed 148 packages designed to enlist visiting browsers into distributed denial-of-service (DDoS) browser botnets while generating pop-under advertising revenue. The packages contained covert remote code execution (RCE) vectors and a high-performance Wisp-compatible WebSocket traffic generator.
Lucide Proxy Disguised as Student Tutoring Sites
The campaign presented itself as a web proxy application branded Lucide, disguised as tutoring landing pages named Riverbend Tutoring and Northstar Tutoring, JFrog reported on July 13, 2026, following a sandboxed local simulation. The proxy worked as advertised on the surface, allowing students to bypass school content filters to access games and blocked sites.
The first wave of packages was uploaded starting May 27, 2026, by the npm account iterminal3airporti, followed by a second wave on July 8, 2026, from the account ieerikakirki.
Rather than using install hooks, the packages abused the npm registry as a free, high-bandwidth CDN to host static browser application assets. Malicious packages included:
- charlie-kirk (versions 2.0.0 and 3.0.1),
- ilovefemboys,
- miguelphonk.
Remote Code Execution and HTTP Flood Payloads
Underneath the adware, the application loaded a mutable remote script from the GitHub account canyoupleasesaysomething, pointing to the changeable main branch with no Subresource Integrity (SRI) hash, meaning whoever controlled that GitHub account could alter the code running in every visitor's browser at will.
JFrog recovered a historical HTTP flood payload that issued unthrottled cross-origin POST requests every 500 milliseconds to the domain of the CAAN Academy of Nursing in Matteson, Illinois.
Wisp WebSocket Traffic Generator and Shared Infrastructure
A Wisp-compatible WebSocket traffic generator could open up to 1,024 concurrent sockets per visitor, forcing target proxy servers to process over 10,000 socket allocations and connection attempts per second and corresponding socket destructions.
JFrog traced the infrastructure to a GitHub organization called lucideproxy, and found that 90 of 93 identified deployment hostnames resolved to a single IP address, hosted in AS199524 (G-Core Labs).
After public security reporting began in late May, the operators stripped the DDoS modules from the packages, reverting the builds to adware-only functionality. The report mentions that SafeDep flagged the same terminal3airport package wave earlier but classified it only as adware/registry spam.
Early this month, Google announced the disruption of NetNut, a 2-million-device residential proxy network tied to the Popa Botnet. NetNut is populated via SDKs distributed on home devices like smart TVs and streaming boxes, covertly enrolling them in the botnet as exit nodes.








