PhantomRaven malware found in 126 npm packages stealing GitHub tokens from developers


October 30, 2025Ravi LakshmananDevSecOps / Software Security

Cybersecurity researchers have discovered another active software supply chain attack campaign targeting the npm registry, with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developer machines.

The campaign has been codenamed PhantomRaven by Koi Security. The activity is estimated to have started in August 2025, when the first package was uploaded to the repository. Since then, it has grown to a total of 126 npm libraries that have amassed over 86,000 installations.

Some packages are also flagged by DevSecOps company DCODX:

  • op-cli-installer (486 downloads)
  • used-imports (1,350 downloads)
  • badkit-api-client (483 downloads)
  • Polyfill-corejs3 (475 downloads)
  • eslint-comments (936 downloads)

What makes this attack unique is the attacker’s pattern of hiding the malicious code in dependencies by pointing them to a custom HTTP URL, so that they are retrieved from an untrusted website (in this case, “packages.storeartifact[.]com”) rather than from npmjs[.]com each time a package is installed.

“And npmjs[.]com is not following those URLs,” security researcher Oren Yomtov said in a report shared with The Hacker News. “Security scanners will not pick up those URLs; dependency analysis tools will ignore them. These packages will show up as ‘0 dependencies’ to all automated security systems.”

Even more worrying, because the URL is controlled by the attacker, malicious actors can tweak the payload and deliver all sorts of malware, and can make the campaign stealthier by first serving completely benign code and pushing out a malicious version of the dependency only once the package has been widely adopted.

The attack chain begins as soon as a developer installs one of the “secure” packages, which causes the remote dynamic dependency (RDD) to be retrieved from the external server. The malicious package comes with a preinstall hook that triggers execution of the main payload.

The malware is designed to scan the development environment for email addresses, gather information about the CI/CD environment, collect a system fingerprint, including the public IP address, and exfiltrate the results to a remote server.
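Both traits described above, URL-based dependency specifiers and install-time lifecycle scripts, can be checked for directly in package.json and package-lock.json. The following Node.js script is an added example, not code from Koi Security or the original report; the function names, the sample package names and the example.invalid host are constructed for illustration, and the allowlist assumes the public npm registry.

```javascript
// Added example: audit npm metadata for remote (non-registry) dependencies
// and install-time lifecycle scripts. All sample data below is constructed.
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const REMOTE_SPEC = /^(https?:|git(\+(https?|ssh|file))?:)/i; // URL-style specifiers
const TRUSTED_HOSTS = new Set(['registry.npmjs.org']); // assumption: adjust for a private registry

// package.json: dependency specifiers that are URLs instead of version ranges,
// plus scripts that npm runs automatically during install.
function auditManifest(manifest) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (REMOTE_SPEC.test(String(spec).trim())) findings.push({ kind: 'remote-dependency', section, name, spec });
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (command) findings.push({ kind: 'install-script', hook, command });
  }
  return findings;
}

// package-lock.json (lockfileVersion 2/3): entries resolved from hosts outside
// the allowlist, and entries npm marked as having install scripts.
function auditLockfile(lock, trusted = TRUSTED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    let host = null;
    try { host = entry.resolved ? new URL(entry.resolved).hostname : null; } catch { host = 'unparseable'; }
    if (host && !trusted.has(host)) findings.push({ kind: 'untrusted-resolved', path, host });
    if (entry.hasInstallScript) findings.push({ kind: 'install-script', path });
  }
  return findings;
}

// Constructed sample input (hypothetical names; example.invalid is a placeholder host).
const sampleManifest = {
  name: 'demo-package', version: '1.0.0',
  scripts: { preinstall: 'node index.js', test: 'node test.js' },
  dependencies: { lodash: '^4.17.21', 'ui-helper': 'http://example.invalid/npm/ui-helper' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-package' },
  'node_modules/lodash': { resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  'node_modules/ui-helper': { resolved: 'http://example.invalid/npm/ui-helper', hasInstallScript: true },
} };
console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

Because the remote dependency is declared inside the published package rather than in the project's own manifest, run auditManifest over the package.json of each installed package and auditLockfile over the project lockfile.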

Koi Security said that the choice of package names is not random, and that the attackers are exploiting a phenomenon called slopsquatting, in which large language models (LLMs) hallucinate non-existent but plausible-sounding package names, and registering packages under those names.

“PhantomRaven shows how advanced attackers conduct their attacks. [better] It’s hard to exploit the blind spots of traditional security tools,” Yomtov said, adding, “Remote dynamic dependencies are invisible to static analysis. AI illusions create plausible-sounding package names that developers trust, and lifecycle scripts run automatically without user interaction.”

This development once again shows how threat actors are finding new ways to hide malicious code in the open source ecosystem and fly under the radar.

“The npm ecosystem makes publishing packages easier and less frictional,” DCODX said. “Lifecycle scripts (preinstallation, installation, postinstallation) execute arbitrary code during installation, often without the developer’s knowledge.”

