A sophisticated software supply chain attack, codenamed PhantomRaven, has compromised 126 npm packages, leading to the theft of sensitive GitHub tokens, CI/CD secrets, and developer credentials. The campaign, active since August 2025, has seen these malicious packages downloaded over 86,000 times, posing a significant threat to the open-source ecosystem.

Key Takeaways

• Widespread Infection: 126 malicious npm packages were identified, collectively downloaded more than 86,000 times.

• Stealthy Evasion: The attack utilizes Remote Dynamic Dependencies (RDD) to hide malicious code from standard security scanners.

• Credential Theft: The malware targets valuable secrets including npm tokens, GitHub Actions tokens, and CI/CD credentials.

• AI Exploitation: Attackers leverage "slopsquatting" by creating plausible package names, often suggested by AI tools, to trick developers.

PhantomRaven's Deceptive Tactics

The PhantomRaven campaign stands out due to its innovative evasion technique: Remote Dynamic Dependencies (RDD). Instead of listing traditional dependencies, these malicious packages point to external HTTP URLs. When a developer installs such a package, npm fetches code from an attacker-controlled server, bypassing registry security and making the package appear to have "0 Dependencies" to automated tools. This allows the attackers to serve completely harmless code initially, later pushing malicious versions after gaining trust.

The Attack Chain and Payload

The attack chain is initiated upon the installation of a compromised package. A pre-install hook within the package triggers the execution of the main payload, which operates automatically without user interaction. The malware is designed to scan the developer's environment for email addresses, gather information about CI/CD environments, and collect system fingerprints, including public IP addresses. This data is then exfiltrated to a remote server controlled by the threat actor.

Exploiting Trust and AI Hallucinations

Attackers have cleverly capitalized on "slopsquatting," a phenomenon where large language models (LLMs) hallucinate non-existent yet plausible-sounding package names. This tactic, combined with the use of innocuous package names and multiple npm accounts with disposable email addresses, makes it difficult for developers and security tools to distinguish malicious packages from legitimate ones. The malware's ability to execute arbitrary code via lifecycle scripts (like ) further enhances its stealth and effectiveness.

Impact and Detection Challenges

The stolen credentials, including npm authentication tokens, GitHub Actions tokens, GitLab CI credentials, and Jenkins secrets, could grant attackers access to sensitive repositories, CI/CD pipelines, and even the ability to publish their own malicious packages. The sophisticated nature of PhantomRaven highlights a new blind spot in traditional security tooling, as Remote Dynamic Dependencies are invisible to static analysis, and lifecycle scripts execute automatically. This campaign underscores the evolving threat landscape of software supply chain attacks and the need for advanced, dynamic defense mechanisms.

Sources

• PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs, The Hacker News.

• PhantomRaven Attack Uses 126 Malicious npm Packages with More Than 86,000 Downloads, Cyber Press.

• PhantomRaven Attack Discovered in 126 Malicious npm Packages, Exceeding 86,000 Downloads, GBHackers News.

• npm hit by PhantomRaven supply chain attack • The Register, The Register.

• PhantomRaven attack floods npm with credential-stealing packages, BleepingComputer.