Fake Cloudflare page hidden in an npm package redirects victims to a phishing site

A newly published npm package called china_airlines contains no software at all. It is a single web page dressed up as a Cloudflare "Performing security verification" screen, and once a visitor clears the check the page quietly forwards the browser to an attacker-controlled domain. Security researcher osj (@inf0stache) flagged it on July 3, calling it the first time he had seen the "ClickFix" fake-verification trick shipped inside an npm package.

The package is the trap

Install the package and there is nothing to import. It ships just two files, an index.html and a package.json that points main straight at the HTML, about 25 KB unpacked. The page is a near-pixel clone of Cloudflare's "Just a moment..." interstitial. It even loads the genuine Cloudflare Turnstile widget from challenges.cloudflare[.]com, so a real "verify you are human" checkbox appears and passes, lending the fake an air of legitimacy. A short script invents a fake "Ray ID" in the browser so the screen looks authentic. At the bottom sits a heavily obfuscated blob that, once unwound, is only about seven lines: an onTurnstileComplete handler that rebuilds the current query string and redirects the visitor to hxxps://login.microcloud[.]homes/, carrying the original URL parameters along for the ride.

One account, ten look-alike packages aimed at Taiwan

The package is not a one-off. The same publisher, henryp52uflores[at]gmx[.]com, pushed ten near-identical packages to npm between June 27 and July 3, each a two-file, roughly 25 KB bundle with no description and no source repository. Two of the names give the game away. One is literally called login.microcloud.homes, the exact domain the china_airlines page redirects to. Another, ms_aidc_com_tw, mimics aidc.com[.]tw, the site of Aerospace Industrial Development Corporation (AIDC), Taiwan's state-owned aerospace and defense manufacturer. China Airlines is Taiwan's flag carrier, so the lure names cluster tightly around Taiwanese aviation and aerospace targets. The account's remaining uploads are random-string packages that look like staging or test runs for the same payload. The redirect domain microcloud[.]homes was registered on June 3, 2026 and sits behind Cloudflare.

What ClickFix is, and the npm twist

ClickFix is a fast-growing social-engineering technique in which a fake error or "verify you are human" page nudges the victim toward the attacker's next step, whether that is pasting a command into a terminal or, as here, being funneled onward to a phishing destination. Fake Cloudflare and Turnstile screens are a staple of the genre. What stands out about china_airlines is the delivery vehicle. The fake page is not planted on a hacked website but published on the npm registry itself, where it can be served straight off a public CDN. That is an unusual home for a phishing lure, though not without precedent, as researchers have documented npm packages hosting fake-verification and redirect pages before, part of a broader run of registry supply-chain abuse over the past year.

Who is behind it

Attribution is unsettled. Repliers to the original post floated North Korea's Famous Chollima, a cluster well known for planting malware in npm, and the financially motivated npm worm crew TeamPCP. osj was skeptical of both, and nothing in the package metadata (a free GMX webmail address and Taiwan-themed lures) ties it to a named group. Treat any attribution as speculation for now.

What you should do

As of July 5 the china_airlines package was still live on npm with no security advisory or malware flag against it. Do not judge a package by a plausible-looking name. A package that ships only HTML and no importable code is a red flag, and an "airline" or "login" package has no business in your dependency tree. Block and hunt for traffic to login.microcloud[.]homes and microcloud[.]homes, and review any developer machine that installed one of these packages. Indicators, defanged: package china_airlines (tarball sha1 701cb11122e882631327e44d3d53f3a72b73a839); publisher henryp52uflores[at]gmx[.]com; redirect to hxxps://login.microcloud[.]homes/; sibling packages login.microcloud.homes and ms_aidc_com_tw.
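The packaging traits described above (main pointing at an HTML file, nothing but HTML beside package.json, no description, no repository) can be checked statically before a dependency is admitted. The following is an added example, not code from the package or from IntelFusions; the function names, finding labels and both sample packages are constructed for illustration.

```javascript
// Static triage for the "HTML-only lure" package shape described in this briefing.
// Inputs: a parsed package.json object and the list of file paths in the tarball.
const CODE_EXT = /\.(js|cjs|mjs|ts|node|wasm)$/i; // files a consumer could import
const HTML_EXT = /\.html?$/i;

function auditPackage(manifest, files) {
  const findings = [];
  // Everything the tarball ships besides the manifest itself.
  const payload = files
    .map((f) => f.replace(/^\.\//, ""))
    .filter((f) => f !== "package.json");
  const mainEntry = typeof manifest.main === "string" ? manifest.main : "";

  if (HTML_EXT.test(mainEntry)) findings.push("main-points-at-html");
  if (payload.length > 0 && payload.every((f) => HTML_EXT.test(f)))
    findings.push("ships-only-html");
  if (!payload.some((f) => CODE_EXT.test(f))) findings.push("no-importable-code");
  if (!manifest.description) findings.push("no-description");
  if (!manifest.repository) findings.push("no-repository");
  return findings;
}

// Strong signal: an HTML-only payload whose entry point is the HTML page.
// The metadata gaps alone are common in benign packages, so they only add context.
function isHtmlOnlyLure(manifest, files) {
  const f = auditPackage(manifest, files);
  return f.includes("ships-only-html") && f.includes("main-points-at-html");
}

// Constructed samples: one shaped like the packages in this briefing, one ordinary library.
const lure = {
  manifest: { name: "example-lure", version: "1.0.0", main: "index.html" },
  files: ["package.json", "index.html"],
};
const benign = {
  manifest: {
    name: "example-lib", version: "2.1.0", main: "lib/index.js",
    description: "Constructed benign sample",
    repository: { type: "git", url: "https://example.com/example-lib.git" },
  },
  files: ["package.json", "lib/index.js", "README.md", "docs/index.html"],
};

for (const s of [lure, benign]) {
  console.log(s.manifest.name, auditPackage(s.manifest, s.files),
    isHtmlOnlyLure(s.manifest, s.files) ? "FLAG" : "ok");
}
```

For a real package, the file list can be taken from the output of `npm pack --dry-run --json`, which lists tarball contents without installing anything.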

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
