Northstar Tutoring A.I CyberSecurity Scoring
Northstar Tutoring
Company Information
Website:https://www.northstartutoring.org/
Employees number:11
Number of followers:126
NAICS:8135
Industry Type:Non-profit Organizations
Homepage:northstartutoring.org
Northstar Tutoring Risk Score (AI oriented)
Between 700 and 749
Northstar TutoringNon-profit Organizations
Updated:
14/07/2026
14/07/2026
736/1000
Moderate
Ba
Northstar Tutoring Global Score (TPRM)
xxxx
Northstar TutoringNon-profit Organizations
Score locked

Northstar TutoringModerate
Current Score
736Ba (MODERATE)
01000
1 incidents
-27 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JULY 2026
736
JUNE 2026
736
MAY 2026
762
Cyber Attack
27 May 2026 • Northstar Tutoring
npm and Northstar Tutoring: 150+ npm Packages Promises Wi-Fi Bypass Students Using Their Systems for DDoS Attack
Malicious npm Packages Disguised as School Wi-Fi Bypass Tools Hijack Browsers for DDoS Attacks
735
HIGH-27
NORNPM1784025857
Malicious npm Packages Disguised as School Wi-Fi Bypass Tools Hijack Browsers for DDoS Attacks
Researchers from JFrog and SafeDep uncovered a campaign involving nearly 150 malicious npm packages masquerading as legitimate school Wi-Fi bypass tools. The packages, branded under names like Lucide Proxy, Riverbend Tutoring, and Northstar Tutoring, promised students access to blocked websites and games while covertly loading harmful code in the background.
Unlike traditional npm-based attacks that infect developers during installation, these packages functioned as delivery mechanisms for browser-based proxy pages. Visitors to the hosted sites were exposed to popunder ads, tracking scripts, and during a key period in late May traffic-flooding code designed to turn browsers into unwitting participants in DDoS attacks.
The campaign operated in waves, with the first detected on May 27 and a second on July 8, bringing the total to 148 packages. While many were removed, some remained available at the time of disclosure. The attack leveraged npm’s infrastructure to distribute static web assets, then dynamically altered functionality via external scripts after visitors loaded the pages.
### How the Attack Worked
The proxy services appeared to work as advertised, routing traffic to bypass restrictions while silently executing additional code. A service worker intercepted navigation events and injected scripts that:
- Generated popunder ads after user interaction.
- Loaded remote JavaScript from a mutable GitHub branch, allowing operators to update malicious payloads without republishing npm packages.
- Flooded targets with traffic, including repeated large POST requests to an education-related site, capable of generating ~2 MB of upload traffic per second per browser. A thousand active users could produce ~2 GB/s, enough to disrupt services.
- Abused WebSocket connections, rapidly opening and closing links to strain server resources.
The remote loader and DDoS components were later removed, but the ability to fetch live scripts from external sources remained a persistent risk.
### Impact and Detection Challenges
The campaign’s design made it difficult to detect and mitigate:
- Victims weren’t limited to developers anyone visiting the proxy pages, including students, could unknowingly contribute browser resources.
- Takedowns were hindered by the use of multiple package names and hosting locations.
- Endpoint security tools focused on package installation might miss infections, as the malicious code executed post-page load.
Security teams are advised to block the identified infrastructure domains, review web filtering logs for visits to tutoring-themed proxy pages, and monitor for unusual browser upload activity. Indicators of compromise (IoCs) include domains like whatsadmaidk[.]com, changiairportpromax[.]com, and IP addresses such as 92.38.177.17 and 53.75.225.178, along with specific file hashes and URLs tied to the campaign.
INCIDENT DETAILS -
TYPE
MOTIVATION
IMPACT
REFERENCES
APRIL 2026
762
MARCH 2026
762
FEBRUARY 2026
762
JANUARY 2026
762
DECEMBER 2025
762
NOVEMBER 2025
762
OCTOBER 2025
762
SEPTEMBER 2025
762
AUGUST 2025
762
Frequently Asked Questions
?
What is the current A.I Rankiteo Cyber Score for Northstar Tutoring ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in June 2026 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in May 2026 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in April 2026 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in March 2026 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in February 2026 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in January 2026 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in December 2025 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in November 2025 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in October 2025 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in September 2025 ??
What was Northstar Tutoring's A.I Rankiteo Cyber Score in August 2025 ??
What is the average per-incident point impact on Northstar Tutoring's A.I Rankiteo Cyber Score over the past 12 months ??
Where can I access detailed records of all cyber incidents associated with Northstar Tutoring ??
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology ??
Where can I view Northstar Tutoring's profile page on Rankiteo ??
How accurate is the A.I Rankiteo Risk Scoring methodology ?