A sophisticated malware campaign targeting developers has been active since August 2025, deploying 126 malicious npm packages that have collectively gathered over 86,000 downloads.
The attack, now tracked as PhantomRaven, has been actively harvesting npm authentication tokens, GitHub credentials, and CI/CD pipeline secrets from developers around the world while using advanced detection-evasion techniques that bypass most security tools.
Koi analysts identified the campaign in October 2025 when their behavioral monitoring system, Wings, flagged suspicious network activity during package installation.
All of the malicious packages were making external requests to the same suspicious domain, revealing a coordinated operation.
Koi's investigation uncovered a striking timeline: 21 packages were initially detected and removed in August 2025, but the attackers adapted their approach and successfully deployed 80 additional packages between September and October that evaded detection mechanisms entirely.
The attacker's infrastructure shows a notable contrast between sophisticated technical execution and surprisingly careless operational security.
Sequential email accounts from free providers, running from [email protected] through [email protected], combined with obvious usernames such as npmhell and npmpackagejpd, all clearly trace back to a single threat actor.
Despite this operational sloppiness, the technical delivery mechanism represents a genuine innovation in supply chain attacks.
The malicious packages appeared completely benign when reviewed on npmjs.com, showing simple hello-world scripts with seemingly zero dependencies.
The npm UI shows 0 dependencies (Source – Koi)
This illusion was achieved through a technique involving Remote Dynamic Dependencies, where HTTP URLs serve as dependency specifiers rather than conventional npm registry references.
The malicious code resided not in the reviewed package but in an invisible dependency fetched from packages.storeartifact.com at install time, completely bypassing static analysis and dependency-scanning tools.
Remote Dynamic Dependencies Deliver the Payload
Traditional npm dependencies reference packages hosted on npmjs.com using standard version specifiers like "express": "^4.18.0".
However, npm supports an obscure feature that allows HTTP URLs as dependency specifiers, formatted as "ui-styles-pkg": "
When developers install packages containing these remote dependencies, npm automatically fetches the external resources without any security validation or visibility.
Security scanners and automated analysis tools never see these HTTP-based dependencies, treating the packages as having zero dependencies despite the hidden malicious payload.
This creates a perfect blind spot where the reviewed package appears completely safe while the actual malicious code sits on attacker-controlled infrastructure.
The technique becomes even more dangerous because every install fetches the dependency fresh from the attacker's server, enabling dynamic payload delivery based on the target environment.
Once the invisible dependency arrives on the victim's system, npm's automatic lifecycle script execution ensures the malware activates immediately.
The malicious package.json contains a preinstall script defined as "preinstall": "node index[.]js" that executes automatically without any user prompt or warning.
This script runs regardless of how deeply nested the malicious package sits within the dependency tree, meaning developers who install seemingly legitimate packages can unknowingly trigger PhantomRaven's execution through transitive dependencies.
After successful installation, PhantomRaven systematically harvests email addresses from environment variables, .gitconfig files, .npmrc configurations, and package.json author fields.
The malware then targets CI/CD credentials, including GitHub Actions tokens, GitLab CI credentials, Jenkins authentication, CircleCI tokens, and npm publishing tokens.
Full system fingerprinting follows, collecting public IP addresses, hostnames, operating system details, Node.js versions, and network configurations to profile victim environments and distinguish high-value corporate networks from individual developer machines.
