Malicious npm Packages Stealing Developer Credentials Across Platforms
Security researchers have uncovered multiple campaigns involving malicious npm packages designed to steal developer credentials and sensitive information from Windows, macOS, and Linux systems. In one operation, ten typosquatted packages impersonated popular libraries such as TypeScript, discord.js, ethers.js, and others, using sophisticated obfuscation, fake CAPTCHA prompts, and postinstall hooks to deploy an information stealer that harvested credentials from system keyrings, browsers, and authentication services. The malware executed in a new terminal window to evade detection and sent stolen data, including IP addresses, to external servers. Another large-scale campaign, dubbed 'PhantomRaven,' involved 126 npm packages and over 86,000 downloads, targeting authentication tokens, CI/CD secrets, and GitHub credentials. These packages leveraged remote dynamic dependencies to fetch and execute payloads during installation, profiling infected devices and exfiltrating secrets for potential supply chain attacks.
The attackers employed techniques such as slopsquatting, where AI-generated package recommendations led developers to install non-existent, malicious packages. Some packages impersonated tools from GitLab and Apache, and many remained available on npm at the time of reporting. The campaigns highlight the ongoing risks in the npm ecosystem, with attackers exploiting both user trust and platform weaknesses to compromise developer environments and CI/CD pipelines. Security experts warn that the theft of tokens and credentials could enable further attacks, including the introduction of malicious code into legitimate projects and broader supply chain compromises.
Timeline
Oct 29, 2025
Koi Security publishes IOCs for PhantomRaven hunting
As cleanup began, Koi Security released indicators of compromise to help organizations identify exposure to the PhantomRaven npm supply-chain activity.
Oct 29, 2025
npm begins reviewing and removing PhantomRaven packages
Following disclosure, npm's security team was reported to be reviewing and removing the malicious packages from the registry as part of the response to the campaign.
Oct 29, 2025
Researchers link PhantomRaven to slopsquatting package names
Koi Security and DCODX said the threat actor appeared to use 'slopsquatting' by registering package names likely to be suggested by hallucinating LLM coding assistants, increasing the chance of developer installation.
Oct 29, 2025
Koi Security discloses Remote Dynamic Dependencies technique
Koi Security publicly reported that the packages hid malicious behavior through attacker-hosted Remote Dynamic Dependencies fetched from packages.storeartifact.com, making them appear to have zero dependencies to many scanners while executing via preinstall scripts.
Oct 29, 2025
PhantomRaven grows to 126 npm packages and 86,000+ downloads
By late October 2025, researchers reported the campaign had expanded to 126 malicious npm packages with more than 86,000 total downloads, targeting npm tokens, GitHub credentials, CI/CD secrets, and other developer data.
Aug 1, 2025
Initial wave of malicious npm packages is removed
Researchers said an initial wave of PhantomRaven packages was removed in August 2025 after appearing on npm, indicating the campaign had already been active before the later larger cluster was identified.
Aug 1, 2025
PhantomRaven campaign begins targeting npm
Koi Security assessed that the PhantomRaven software supply-chain campaign started in August 2025, with threat actors publishing malicious npm packages designed to steal developer credentials and secrets.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Malware
Affected Products
Sources
4 more from sources like arstechnica security, infosecurity magazine com, bleeping computer and dark reading
Related Stories
Malicious and Credential-Stealing npm Packages Target Developers via Obfuscation and Typosquatting
Multiple malicious npm packages have been discovered targeting developers by employing advanced obfuscation techniques and typosquatting to mimic popular legitimate packages such as *TypeScript*, *discord.js*, *ethers.js*, *nodemon*, and *Claude Code*. Security researchers revealed that these packages use up to four layers of obfuscation—including eval wrapping, XOR encryption, URL encoding, and control flow manipulation—to evade static analysis and conceal credential-stealing malware. The attack chain often begins with deceptive tactics, such as displaying fake CAPTCHAs, and proceeds to exfiltrate sensitive information like IP addresses and credentials to attacker-controlled servers. In one notable case, a package impersonating the official Anthropic CLI was found to proxy commands and data back to the threat actor, enabling both credential theft and remote command execution. These incidents highlight the persistent risks posed by weak validation and oversight in the npm ecosystem, allowing threat actors to publish lookalike packages that are difficult to distinguish from legitimate ones. The sophisticated payloads not only target local developer environments but can also compromise CI/CD pipelines, amplifying the potential impact. Security experts emphasize the need for improved package metadata validation and greater vigilance among developers to mitigate the risk of supply chain attacks through open-source dependencies.
1 months ago
npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise
Threat actors are using **malicious npm packages** to steal developer credentials and CI/CD secrets, enabling rapid escalation into cloud environments. Google reported that **UNC6426** leveraged keys stolen during the earlier compromise of the *nx* npm ecosystem to pivot from a stolen developer GitHub token into **AWS administrative access within 72 hours**, abusing **GitHub-to-AWS OpenID Connect (OIDC) trust** to create a new admin role. The actor then used that access to **exfiltrate data from AWS S3** and conduct **destructive actions** in production cloud environments; the initial *nx* compromise involved a GitHub Actions `pull_request_target` workflow abuse (“**Pwn Request**”) that enabled publishing trojanized packages containing a `postinstall` chain that executed the **QUIETVAULT** JavaScript credential stealer and uploaded stolen data to a public GitHub repo (`/s1ngularity-repository-1`). Separately, researchers reported new waves of the **PhantomRaven** npm supply-chain campaign distributing **88 additional malicious packages** (via ~50 disposable accounts) that target JavaScript developers by exfiltrating secrets from files like `.gitconfig` and `.npmrc`, environment variables, and CI/CD tokens (e.g., GitHub/GitLab/Jenkins/CircleCI). The campaign uses **slopsquatting** (LLM-suggested lookalike package names) and a stealth technique called **Remote Dynamic Dependencies (RDD)**, where `package.json` pulls a dependency from an external URL so the malicious payload is fetched at install time (`npm install`) and can evade static package inspection; researchers indicated many of these packages remained available in the npm registry at the time of reporting.
1 months ago
PhantomRaven Campaign Uses 88 Malicious npm Packages to Steal Developer Secrets
Researchers reported a renewed **PhantomRaven** software supply chain campaign on the npm registry involving **88 malicious packages** masquerading as trusted JavaScript ecosystem projects, including packages themed around *Babel* and *GraphQL Codegen*. The packages were published across three waves from late 2025 into early 2026 and were designed to automatically fetch and run malware after installation, targeting developers and build environments rather than end users. The activity is not fluff: it is a substantive threat intelligence and malware distribution story involving active credential theft through open-source package abuse. The malware exfiltrates sensitive data from developer systems and CI/CD environments, including emails and configuration data from `.npmrc`, `.gitconfig`, and environment variables, as well as tokens for **GitHub**, **GitLab**, **CircleCI**, and **Jenkins**. Reporting indicates PhantomRaven has kept core infrastructure and payload behavior broadly consistent since earlier activity, while adapting operational details by rotating npm and email accounts, changing package metadata and PHP endpoints, and increasing the pace of malicious package publication. Most of the packages were reportedly still available for download at the time of reporting, underscoring continued exposure for organizations that rely on npm-based development workflows.
1 months ago