isc.sans.edu 3/13/2026, 8:30:51 AM · via preferred

A React-based phishing page with credential exfiltration via EmailJS, (Fri, Mar 13th)


A recent SANS ISC diary describes a phishing page built as a React single‑page application that exfiltrates credentials via the EmailJS API. The lure arrived as a WeTransfer notification, directing victims to a fake Dropbox Transfer portal where a login prompt requested an e‑mail address and password before access to the purported files would be granted.

The page’s JavaScript bundle, main.90eaa1b0[.]js, confirms the use of React and shows that credentials are sent through EmailJS: the code fragments indicate a POST request to the EmailJS API and include the service and template IDs. The script also queries the Geoapify IP information API for geographic data about the victim, which was intended to be sent to the attackers along with the harvested credentials.

The phishing domain and EmailJS identifiers listed as IoCs are crimson-pine-6e12.gstmfhxzvbxk.workers[.]dev, service_t8yu1k1 and template_vszijae. Published on 13 March 2026, the diary notes that the kit’s use of a React front end and a third‑party exfiltration service could aid evasion of basic static HTML filters.
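A defender-side triage check for the pattern described above, added here as an example and not taken from the diary or the kit: it scans a JavaScript bundle for EmailJS service/template IDs, a Geoapify reference and a password input, and flags likely credential exfiltration only when they co-occur, since EmailJS on its own is common in legitimate contact forms. The regexes, weights, the `triageBundle` name and both sample strings are assumptions constructed for illustration.

```javascript
// Added example: static triage of a JS bundle for EmailJS-based credential exfiltration.
// Patterns and weights are assumptions chosen for illustration, not values from the diary.
const INDICATORS = [
  { name: "emailjs_reference",   weight: 2, re: /emailjs/gi },
  { name: "emailjs_service_id",  weight: 2, re: /\bservice_[a-z0-9]{5,}\b/gi },
  { name: "emailjs_template_id", weight: 2, re: /\btemplate_[a-z0-9]{5,}\b/gi },
  { name: "geoapify_ip_lookup",  weight: 1, re: /geoapify/gi },
  // React props (type:"password") and plain HTML attributes (type="password")
  { name: "password_input",      weight: 3, re: /type\s*[:=]\s*["']password["']/gi },
];

function triageBundle(text) {
  const hits = {};
  let score = 0;
  for (const { name, weight, re } of INDICATORS) {
    const found = [...new Set(text.match(re) || [])]; // unique matches only
    if (found.length > 0) {
      hits[name] = found;
      score += weight;
    }
  }
  // EmailJS alone is not suspicious; a mail-sending service wired into a
  // bundle that also renders a password field is the combination to escalate.
  const credentialExfilLikely = Boolean(
    hits.emailjs_reference &&
    hits.password_input &&
    (hits.emailjs_service_id || hits.emailjs_template_id)
  );
  return { score, hits, credentialExfilLikely };
}

// Constructed sample: disconnected fragments carrying the IDs listed as IoCs on this page.
const SUSPECT_BUNDLE =
  'r.createElement("input",{type:"password"});' +
  'var u="https://api.emailjs.com/...";var m={method:"POST"};' +
  'var c={service_id:"service_t8yu1k1",template_id:"template_vszijae"};' +
  'var g="https://api.geoapify.com/...";';

// Constructed sample: a benign contact form that uses EmailJS without a password field.
const CONTACT_FORM_BUNDLE =
  'r.createElement("input",{type:"email"});' +
  'emailjs.send("service_abc1234","template_xyz7890",{message:t});';

for (const [label, src] of [["suspect", SUSPECT_BUNDLE], ["contact form", CONTACT_FORM_BUNDLE]]) {
  const r = triageBundle(src);
  console.log(label, r.score, r.credentialExfilLikely, JSON.stringify(r.hits));
}
```

The extracted service and template IDs can be compared against published IoCs or included in an abuse report to the mail-relay provider.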


Article by CyberSIXT