Mallory

PhantomRaven Campaign Uses 88 Malicious npm Packages to Steal Developer Secrets

Tags: package-repository-poisoning, credential-stealer-activity, build-pipeline-compromise, loader-delivery-mechanism, cybercrime-service-ecosystem
Updated March 21, 2026 at 05:50 AM. 2 sources
Researchers reported a renewed PhantomRaven software supply chain campaign on the npm registry involving 88 malicious packages masquerading as trusted JavaScript ecosystem projects, including packages themed around Babel and GraphQL Codegen. The packages were published across three waves from late 2025 into early 2026 and were designed to automatically fetch and run malware after installation, targeting developers and build environments rather than end users. This is an active credential-theft and malware distribution campaign carried out through open-source package abuse.

The malware exfiltrates sensitive data from developer systems and CI/CD environments, including emails and configuration data from .npmrc, .gitconfig, and environment variables, as well as tokens for GitHub, GitLab, CircleCI, and Jenkins. Reporting indicates PhantomRaven has kept core infrastructure and payload behavior broadly consistent since earlier activity, while adapting operational details by rotating npm and email accounts, changing package metadata and PHP endpoints, and increasing the pace of malicious package publication. Most of the packages were reportedly still available for download at the time of reporting, underscoring continued exposure for organizations that rely on npm-based development workflows.

Timeline

  1. Mar 12, 2026

    Researchers report PhantomRaven's return with 88 bad npm packages

    Reports published on March 12, 2026 disclosed that PhantomRaven had returned to npm with 88 malicious packages and had adapted its operation by rotating npm and email accounts, changing package metadata and PHP endpoints, and increasing publication pace.

  2. Nov 1, 2025

    Malicious npm packages deliver info-stealing malware

    According to Endor Labs, installing the packages automatically downloaded and executed malware that stole developer emails, system details, and sensitive credentials from configuration files, environment variables, and CI/CD platforms.

  3. Nov 1, 2025

    PhantomRaven launches three new npm attack waves

    Between November 2025 and February 2026, PhantomRaven conducted three new waves of attacks using 88 malicious npm packages impersonating trusted projects such as Babel and GraphQL Codegen.

  4. Aug 1, 2025

    PhantomRaven begins npm supply-chain activity

    Endor Labs said PhantomRaven's infrastructure has remained broadly consistent since its initial activity in August 2025, marking the start of the campaign targeting the npm ecosystem.

Related Stories

npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise

Threat actors are using **malicious npm packages** to steal developer credentials and CI/CD secrets, enabling rapid escalation into cloud environments. Google reported that **UNC6426** leveraged keys stolen during the earlier compromise of the *nx* npm ecosystem to pivot from a stolen developer GitHub token into **AWS administrative access within 72 hours**, abusing **GitHub-to-AWS OpenID Connect (OIDC) trust** to create a new admin role. The actor then used that access to **exfiltrate data from AWS S3** and conduct **destructive actions** in production cloud environments; the initial *nx* compromise involved a GitHub Actions `pull_request_target` workflow abuse (“**Pwn Request**”) that enabled publishing trojanized packages containing a `postinstall` chain that executed the **QUIETVAULT** JavaScript credential stealer and uploaded stolen data to a public GitHub repo (`/s1ngularity-repository-1`). Separately, researchers reported new waves of the **PhantomRaven** npm supply-chain campaign distributing **88 additional malicious packages** (via ~50 disposable accounts) that target JavaScript developers by exfiltrating secrets from files like `.gitconfig` and `.npmrc`, environment variables, and CI/CD tokens (e.g., GitHub/GitLab/Jenkins/CircleCI). The campaign uses **slopsquatting** (LLM-suggested lookalike package names) and a stealth technique called **Remote Dynamic Dependencies (RDD)**, where `package.json` pulls a dependency from an external URL so the malicious payload is fetched at install time (`npm install`) and can evade static package inspection; researchers indicated many of these packages remained available in the npm registry at the time of reporting.

1 month ago
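The "fetch and run after installation" behaviour in the main story and the Remote Dynamic Dependencies technique described in the story above both live in a package's manifest, so a defender can flag them before `npm install` runs anything. The block below is an added example, not code from Endor Labs, Google or any project named above; the manifest, package names and URL in it are constructed.

```javascript
// Lifecycle scripts npm runs on its own while installing a dependency
// ("prepare" additionally runs for dependencies pulled from git).
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Specifiers npm resolves outside the registry (tarball URL, git URL, hosted
// shorthand). Such code is fetched at install time from wherever the URL points,
// which is the Remote Dynamic Dependencies trick: nothing to inspect on the registry.
const REMOTE_SPEC = /^(https?:\/\/|git(\+ssh|\+https?)?:\/\/|git@|github:|gitlab:|bitbucket:|gist:)/i;

function isRemoteSpec(spec) {
  return typeof spec === "string" && REMOTE_SPEC.test(spec.trim());
}

// Walk every dependency map and the scripts block; one finding per hit.
function auditManifest(pkg) {
  const findings = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (isRemoteSpec(spec)) findings.push({ kind: "remote-dependency", field, name, detail: spec });
    }
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string" && scripts[hook].trim() !== "") {
      findings.push({ kind: "install-hook", field: "scripts", name: hook, detail: scripts[hook] });
    }
  }
  return findings;
}

// Raw package.json text in, findings out; an unparseable manifest is reported, not skipped.
function auditManifestText(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (err) {
    return [{ kind: "unparseable-manifest", field: "", name: "", detail: err.message }];
  }
  return auditManifest(pkg);
}

// Constructed manifest modelled on the described tradecraft: a lookalike name, one
// legitimate registry dependency, one remote dependency and a postinstall hook.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "babel-plugin-example-lookalike",
  scripts: { postinstall: "node ./setup.js" },
  dependencies: { "@babel/core": "^7.24.0", "example-helper": "http://example.invalid/helper.tgz" },
});
```

Running `auditManifestText(SAMPLE_MANIFEST)` yields one `remote-dependency` finding for `example-helper` and one `install-hook` finding for `postinstall`; a registry range such as `^7.24.0` is not flagged.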
Malicious npm Packages Stealing Developer Credentials Across Platforms

Security researchers have uncovered multiple campaigns involving malicious npm packages designed to steal developer credentials and sensitive information from Windows, macOS, and Linux systems. In one operation, ten typosquatted packages impersonated popular libraries such as TypeScript, discord.js, ethers.js, and others, using sophisticated obfuscation, fake CAPTCHA prompts, and postinstall hooks to deploy an information stealer that harvested credentials from system keyrings, browsers, and authentication services. The malware executed in a new terminal window to evade detection and sent stolen data, including IP addresses, to external servers. Another large-scale campaign, dubbed 'PhantomRaven,' involved 126 npm packages and over 86,000 downloads, targeting authentication tokens, CI/CD secrets, and GitHub credentials. These packages leveraged remote dynamic dependencies to fetch and execute payloads during installation, profiling infected devices and exfiltrating secrets for potential supply chain attacks. The attackers employed techniques such as slopsquatting, where AI-generated package recommendations led developers to install non-existent, malicious packages. Some packages impersonated tools from GitLab and Apache, and many remained available on npm at the time of reporting. The campaigns highlight the ongoing risks in the npm ecosystem, with attackers exploiting both user trust and platform weaknesses to compromise developer environments and CI/CD pipelines. Security experts warn that the theft of tokens and credentials could enable further attacks, including the introduction of malicious code into legitimate projects and broader supply chain compromises.

1 month ago
Developer-Focused Supply Chain Malware via Malicious Open-Source Packages

Security researchers reported multiple **software supply chain** campaigns targeting developers through malicious packages in public repositories, aiming to steal credentials/secrets and establish persistent access that can later impact production environments. Socket disclosed a campaign dubbed **StegaBin** involving **26 malicious npm packages** published over a two-day window that used a Pastebin “dead-drop” with **character-level steganography** to conceal C2 details, then resolved additional infrastructure across **31 Vercel deployments** to deliver platform-specific shell payloads that install a RAT and a **nine-module infostealer** targeting VSCode data, SSH keys, git repositories, browser credential stores, clipboard contents, and other local secrets. Socket assessed the tradecraft as consistent with activity previously attributed to **North Korea-aligned FAMOUS CHOLLIMA (Lazarus-linked)** and noted rapid detection of the packages shortly after publication. Separately, reporting highlighted **four malicious NuGet packages**—`NCryptYo`, `DOMOAuth2_`, `IRAOAuth2.0`, and `SimpleWriter_`—that targeted **ASP.NET** developers by exfiltrating **ASP.NET Identity** data (users/roles/permissions) and enabling backdoors; the packages were published in August 2024, accumulated **4,500+ downloads**, and were later removed. In that campaign, `NCryptYo` functioned as a dropper and proxy to an attacker-controlled C2, while `DOMOAuth2_` and `IRAOAuth2.0` handled data theft and backdoor rule delivery, and `SimpleWriter_` enabled file writing and hidden process execution while masquerading as a PDF utility. Other items in the set described unrelated C2 tooling trends (a Polygon blockchain-based botnet loader and the Vshell C2 framework) and do not describe the same package-repository supply chain incidents.

2 days ago