Researchers uncovered 27 malicious npm packages used over five months to host phishing pages that steal credentials from targeted organizations.