Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers’ machines.
The campaign has been codenamed PhantomRaven by Koi Security. The activity is assessed to have begun in August 2025, when the first packages were uploaded to the repository. It has since ballooned to a total of 126 npm libraries, attracting more than 86,000 installs.
Some of the packages have also been flagged by the DevSecOps company DCODX –
- op-cli-installer (486 Downloads)
- unused-imports (1,350 Downloads)
- badgekit-api-client (483 Downloads)
- polyfill-corejs3 (475 Downloads)
- eslint-comments (936 Downloads)
What makes the attack stand out is the attacker’s pattern of hiding the malicious code in dependencies by pointing to a custom HTTP URL, causing npm to fetch them from an untrusted website (in this case, “packages.storeartifact[.]com”) as opposed to npmjs[.]com each time a package is installed.
“And npmjs[.]com doesn’t follow those URLs,” security researcher Oren Yomtov laid out in a report shared with The Hacker News. “Security scanners don’t fetch them. Dependency analysis tools ignore them. To every automated security system, these packages show ‘0 Dependencies.'”
More worryingly, the fact that the URL is attacker-controlled means that it can be abused by the bad actor to tailor their payloads and serve any kind of malware, and make it more stealthy by initially serving completely harmless code before pushing a malicious version of the dependency after the package gains broader adoption.
The attack chain kicks off as soon as a developer installs one of the “benign” packages, which, in turn, leads to the retrieval of the remote dynamic dependency (RDD) from the external server. The malicious package comes with a pre-install hook that triggers the execution of the main payload.
The malware is designed to scan the developer environment for email addresses, gather information about the CI/CD environment, collect a system fingerprint, including the public IP address, and exfiltrate the results to a remote server.
Koi Security said the choice of the package names is not random, and that the threat actor has resorted to capitalizing on a phenomenon called slopsquatting – where large language models (LLMs) hallucinate non-existent yet plausible-sounding package names – in order to register those packages.
“PhantomRaven demonstrates how sophisticated attackers are getting [better] at exploiting blind spots in traditional security tooling,” Yomtov said. “Remote Dynamic Dependencies aren’t visible to static analysis. AI hallucinations create plausible-sounding package names that developers trust. And lifecycle scripts execute automatically, without any user interaction.”
The development once again illustrates how threat actors are finding novel ways to hide malicious code in open-source ecosystems and fly under the radar.
“The npm ecosystem allows easy publishing and low friction for packages,” DCODX said. “Lifecycle scripts (preinstall, install, postinstall) execute arbitrary code at install time, often without developer awareness.”
