PhantomRaven Malware

Cybersecurity researchers have uncovered a highly active software supply chain attack targeting the npm ecosystem. Over 100 malicious packages have been identified, capable of stealing sensitive developer credentials, including authentication tokens, CI/CD secrets, and GitHub credentials, directly from compromised machines.

The campaign, codenamed PhantomRaven, first emerged in August 2025. Since then, it has expanded to 126 npm libraries and garnered more than 86,000 installs, demonstrating the rapid spread and adoption of these malicious packages.

Malicious Packages Flying Under the Radar

Several of the flagged packages include:

• op-cli-installer – 486 downloads
• unused-imports – 1,350 downloads
• badgekit-api-client – 483 downloads
• polyfill-corejs3 – 475 downloads
• eslint-comments – 936 downloads

What makes PhantomRaven particularly insidious is its use of Remote Dynamic Dependencies (RDDs). Instead of fetching code from the official npm registry, the malicious packages point to a custom HTTP URL (packages.storeartifact.com). This allows npm to retrieve dependencies from an untrusted external source, effectively bypassing npmjs.com protections.

Traditional security scanners and dependency analysis tools fail to detect these RDDs, as automated systems see the packages as having '0 Dependencies.'

How the Attack Works

The attack chain begins as soon as a developer installs one of the seemingly benign packages. Key elements include:

Pre-install Hook Execution: The package contains a pre-install lifecycle script that automatically executes the main payload.

Remote Payload Retrieval: The script fetches the malicious dependency from the attacker-controlled server.

Data Exfiltration: Once executed, the malware scans the developer's environment for email addresses, gathers CI/CD environment details, fingerprints the system (including public IP), and sends the data to a remote server.

The attacker can modify the payload at will, initially serving harmless code to evade detection before pushing malicious updates once the package gains adoption.

Exploiting Human and AI Blind Spots

The choice of package names is deliberate. The threat actor leverages a tactic known as slopsquatting, where large language models (LLMs) hallucinate non-existent but plausible-sounding package names. Developers may trust these packages due to their realistic naming, unaware of the hidden threat.

As researchers note, PhantomRaven highlights the growing sophistication of attackers:

• Remote Dynamic Dependencies evade static analysis.
• AI-generated package names exploit developer trust.
• Lifecycle scripts execute automatically without user interaction.

This campaign underscores how malicious actors are finding novel ways to hide code in open-source ecosystems, exploiting gaps in traditional security tooling.

Why npm Is a Prime Target

The npm ecosystem's low friction for publishing packages, combined with the automatic execution of preinstall, install, and postinstall scripts, makes it a prime target. Attackers can hide malicious behavior within lifecycle scripts, often without the developer's knowledge, illustrating the need for heightened vigilance and robust security practices in modern development environments.