Fake Student Proxies on npm Turned Browsers Into a DDoS Weapon
Researchers at JFrog say 148 malicious packages used the npm registry as free hosting for a booby-trapped proxy site, quietly enlisting students' browsers into a two-week attack campaign in May.

Key points
- JFrog researchers found 148 malicious npm packages that ran for roughly two weeks in May 2024.
- The packages posed as free web proxies aimed at students trying to bypass school internet filters.
- Instead of attacking developers, the operation turned visiting students' browsers into a distributed denial-of-service botnet.
- The attackers used npm, a public code registry run by GitHub, as free hosting for their trap site.
- JFrog reported the packages to npm, which has since removed them.
A cluster of 148 malicious packages sat on npm, the world's largest public library of open-source JavaScript code, for about two weeks in May. They pretended to be free web proxies, the kind of tool a student might search for to get around a school's blocked-sites list. Anyone who visited the proxy site got quietly drafted into a botnet, a network of hijacked devices used to flood a target website with traffic until it falls over.
The research comes from security firm JFrog and was first written up by The Hacker News.
What makes this campaign unusual is the target. Most malicious npm packages go after software developers, since developers are the people who actually install packages. Here, the developers were never the mark. The attackers used npm the way someone else might use a free web host: as a cheap, reputable place to park a website.
How did this actually work?
The attackers uploaded 148 packages, each one containing a small proxy website. Students looking for a way around school filters found the sites, loaded them in a browser, and started using them to visit blocked pages.
While the proxy did its job, hidden JavaScript in the page turned the student's browser into a foot soldier. Every open tab quietly fired requests at a target chosen by the attackers. Multiply that by thousands of bored teenagers on lunch break and you have a working distributed denial-of-service attack, where huge amounts of junk traffic overwhelm a website and knock it offline.
The students had no idea. The proxy loaded the sites they wanted. The attack ran in the background.
Why use npm as a host?
Because it is free, trusted, and fast. Npm is designed to serve code to millions of developers around the world, so its content delivery network is quick and rarely blocked. School filters that would flag a random Russian-hosted proxy site tend to wave npm traffic through without a second glance.
That is the clever bit. The attackers did not need to compromise anything. They just abused a legitimate free service in a way its operators did not anticipate.
Who is behind it?
JFrog has not linked the campaign to any named group, and there is no public attribution yet. This looks more like criminal or hobbyist DDoS-for-hire activity than nation-state work. The tradecraft is opportunistic, the payload is unsophisticated, and the victim pool (schoolchildren) is not what an espionage crew would bother with. Treat any attribution beyond that as speculative.
JFrog reported the packages to npm's security team, and they have been taken down.
What should ordinary people take from this?
If you are a parent or a teacher, the practical lesson is simple. Free proxy sites, VPNs of unknown origin, and "unblocker" tools are a common way for young people to pick up hidden malware or, as here, get quietly conscripted into attacks on other people's websites. The site looks harmless. The browser tab is doing something else.
For companies, the wider point is that public code registries are being used as generic free hosting by criminals. Blocking or monitoring outbound traffic to raw npm content URLs from user browsers, as opposed to developer machines, is worth a look.



