In a twist that can only be described as a career pivot worthy of a LinkedIn success story, 27 npm packages have reportedly decided to dabble in the glamorous world of phishing. That’s right, folks—now your innocent-looking software dependencies are moonlighting as top-tier credential thieves, finally realizing their full potential in the lucrative cybercrime industry.

Sources report that these packages, distributed across six npm aliases, are specifically targeting sales and commercial personnel, perhaps under the assumption that these professionals are too busy hitting their quarterly targets to notice they’re being robbed blind. Who knew those sales conferences and commercial meetings were a veritable goldmine for phishing attempts?

Cybersecurity experts are on high alert, but in the meantime, npm packages are enjoying their newfound fame. They’ve been spotted at all the elite cybercrime soirées, sipping virtual martinis and chuckling about the good old days when they were nothing more than overlooked lines of code. Truly, a story of digital rags to riches.