
PhantomRaven NPM Attack Steals Dev Data in 88 Packages

Summary

– The PhantomRaven campaign is an ongoing npm supply-chain attack, first discovered in October 2025, which has published over 200 malicious packages to steal developer data.
– Attackers use ‘slopsquatting’ to mimic legitimate packages and a technique called Remote Dynamic Dependencies (RDD) to evade detection by fetching malware from external URLs during installation.
– The malware exfiltrates sensitive information like CI/CD tokens, system data, and email addresses from configuration files to the attacker’s command-and-control server.
– Despite using consistent infrastructure and nearly identical payloads, the attackers evolve by rotating accounts and modifying package metadata to stay operational.
– Developers are advised to verify package legitimacy, use reputable sources, and avoid unvetted AI chatbot suggestions to protect against such threats.

A concerning supply-chain campaign known as PhantomRaven continues to target the npm registry, deploying malicious packages designed to steal sensitive data from developers. Security researchers have identified new waves of this attack, which uses clever obfuscation techniques to evade detection and compromise development environments. The campaign relies on a method called ‘slopsquatting,’ where attackers publish packages with names that mimic legitimate projects or appear as plausible suggestions from AI chatbots. This tactic increases the likelihood that developers will inadvertently install these harmful components.

Initially discovered in late 2025, the operation has persisted with several subsequent waves through early 2026. In total, attackers have distributed 88 malicious packages across 50 disposable accounts in these recent phases. Alarmingly, a significant majority of these packages remain available for download on the public npm registry. The attackers’ strategy involves a sophisticated evasion technique known as Remote Dynamic Dependencies. Instead of embedding malicious code directly within the package, the `package.json` file points to an external URL. When a developer executes `npm install`, the tool automatically fetches and runs the harmful dependency from the attacker’s server, bypassing many automated security checks.
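A defender can check for this pattern directly: a dependency whose version spec is a URL in `package.json`, or a `package-lock.json` entry resolved from a host other than the registry (which also catches URL dependencies pulled in transitively). The following is an added example, not code from the article or the researchers; the package names and the `example.test` host are constructed placeholders, and the trusted-host list is an assumption to adapt.

```javascript
// Added example: flag npm dependencies that are fetched from outside the registry.
// TRUSTED_HOSTS is an assumption; add your own mirror or private registry host.
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]);
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Return the host when `spec` is an http(s) or git+http(s) URL, otherwise null.
function remoteHost(spec) {
  if (typeof spec !== "string") return null;
  const m = /^(?:git\+)?(https?:\/\/.+)$/i.exec(spec.trim());
  if (!m) return null;
  try { return new URL(m[1]).hostname.toLowerCase(); } catch { return "(unparseable)"; }
}

// package.json: report every dependency whose version spec is a URL rather than a semver range.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const host = remoteHost(spec);
      if (host) findings.push({ source: field, name, spec, host, plaintext: /^(git\+)?http:/i.test(spec.trim()) });
    }
  }
  return findings;
}

// package-lock.json (lockfileVersion 2 or 3): report entries resolved from an untrusted host.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const host = remoteHost(entry.resolved);
    if (host && !TRUSTED_HOSTS.has(host)) {
      findings.push({ source: "lockfile", name: path, spec: entry.resolved, host, plaintext: /^(git\+)?http:/i.test(entry.resolved) });
    }
  }
  return findings;
}

// Constructed sample input: package names and the example.test host are placeholders.
const sampleManifest = {
  dependencies: { "left-pad": "^1.3.0", "ui-helpers-demo": "http://packages.example.test/ui-helpers-demo" },
  devDependencies: { eslint: "^9.0.0" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  "node_modules/ui-helpers-demo": { resolved: "http://packages.example.test/ui-helpers-demo" },
} };

console.log(JSON.stringify([...auditManifest(sampleManifest), ...auditLockfile(sampleLock)], null, 2));
```

Run against a parsed manifest and lockfile in CI, a non-empty result is a reason to stop the build and review the flagged entry before anything is installed.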

Once executed, the malware acts as a data harvester. It systematically collects a wide array of sensitive information from the infected system. This includes developer credentials and configuration data from files like `.gitconfig` and `.npmrc`, along with critical environment variables. The payload specifically targets CI/CD platform tokens from services like GitHub, GitLab, Jenkins, and CircleCI, which could grant attackers access to private code repositories and build pipelines. Furthermore, the malware gathers system information such as the IP address, hostname, operating system, and Node.js version to create a unique fingerprint of the compromised machine.

All stolen data is then transmitted to a command-and-control server controlled by the attackers. While HTTP GET requests are the primary method, the malware also uses HTTP POST and WebSocket connections as backup channels to ensure successful exfiltration. Analysis reveals a consistent infrastructure pattern across the attack waves: domains containing the word ‘artifact’, hosted on Amazon EC2 instances and notably lacking TLS certificates for encryption. The core malicious payload has shown remarkable consistency, with only minimal changes to its codebase across the entire campaign.

Despite this lack of sophistication in the payload itself, the attackers have demonstrated operational adaptability. They regularly rotate their npm and email accounts, tweak package metadata, and modify the PHP endpoints on their servers. The frequency of package publications has also increased, indicating a persistent and active threat. The ongoing nature of the PhantomRaven campaign underscores a significant risk in the open-source ecosystem, where trust in community packages can be exploited. Developers are strongly advised to exercise heightened caution by thoroughly verifying package sources, prioritizing dependencies from well-known and reputable publishers, and avoiding the direct use of unvetted code suggestions from AI tools or other unofficial sources.

(Source: Bleeping Computer)
