
Once executed, the malware gathers a range of sensitive information from the developer’s environment. This includes email addresses, system details, and credentials from CI/CD platforms such as GitHub Actions, GitLab CI, Jenkins, and CircleCI.
The stolen data is then transmitted to attacker-controlled servers using multiple redundant techniques, including HTTP GET and POST requests and even WebSocket connections, so that exfiltration succeeds across different network environments. Because the malicious code never appears directly in the npm package itself, traditional scanning tools that focus on package contents fail to flag it.
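A defender-side check for the evasion the article describes, as an added example that is not part of the article or of the researchers' tooling: it audits a package.json for dependencies that resolve to a URL rather than the registry (code the package manifest pulls at install time, which package-content scanners never see) and for install-time lifecycle hooks. The manifest, the `example.invalid` host and the `auditPackageJson` function are constructed for this example.

```javascript
// Added example (not from the article): flag npm dependency specs that resolve
// to a URL instead of the registry, plus scripts that run during `npm install`.
// Such a dependency can fetch code that never appears in the published tarball.

// Dependency specs that are fetched from a URL or git host, not the registry.
const REMOTE_SPEC = /^(https?:\/\/|git(\+[a-z]+)?:\/\/|git\+ssh:|github:|gitlab:|bitbucket:)/i;

// Fields in package.json that npm installs from.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Lifecycle hooks that execute arbitrary code during installation.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Returns a list of findings for the given package.json text.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === 'string' && REMOTE_SPEC.test(spec)) {
        findings.push({ kind: 'remote-dependency', field, name, spec });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && typeof pkg.scripts[hook] === 'string') {
      findings.push({ kind: 'install-hook', field: 'scripts', name: hook, spec: pkg.scripts[hook] });
    }
  }
  return findings;
}

// Constructed sample manifest; the URL host is a placeholder, not a real indicator.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    express: '^4.18.2',
    'some-helper': 'http://example.invalid/npm/some-helper', // remote spec (placeholder)
  },
  devDependencies: { jest: '^29.0.0' },
  scripts: { test: 'jest', postinstall: 'node ./setup.js' },
});

for (const f of auditPackageJson(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.kind}: ${f.field}.${f.name} -> ${f.spec}`);
}
```

Run the same function over every package.json under node_modules to catch remote specs introduced transitively, since a clean top-level manifest says nothing about what its dependencies declare.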
Operational patterns challenge “research experiment” claim
Despite the new waves, PhantomRaven’s core functionality has remained largely unchanged, the researchers said. They found that 257 out of 259 lines of the malware payload are identical across all waves, with the only significant modification being the command-and-control domain used to receive stolen data.