PhantomRaven
PhantomRaven is the name given by Koi Security to a software supply chain campaign targeting developers through malicious npm packages. The activity is assessed to have begun in August 2025 and involved 126 malicious npm packages that accumulated more than 86,000 downloads. The packages were designed to steal authentication tokens, CI/CD secrets, GitHub credentials, npm tokens, environment variables, system metadata, email addresses, public IP information, and other developer secrets from compromised machines.
The campaign used a technique described as Remote Dynamic Dependencies (RDD), in which npm dependencies are specified via attacker-controlled external URLs rather than standard npm-hosted packages. This caused some packages to appear to automated tools as having "0 dependencies" while still fetching malicious code at install time from infrastructure including packages.storeartifact.com. The fetched dependency executed automatically through npm lifecycle scripts, including preinstall hooks. Because the dependency content was hosted externally, operators could change payloads over time, selectively deliver benign content to researchers, and serve malicious payloads to corporate networks or other chosen targets based on request characteristics such as IP address.
Koi Security also reported that the campaign leveraged "slopsquatting": registering plausible package names that may be hallucinated by large language models and then recommended by AI coding assistants. According to the reporting, some victims installed these packages based on AI-generated recommendations. Koi Security and related reporting also noted packages in the wild that included PhantomRaven malware as dependencies.
The campaign specifically targeted developers and developer environments. Reported package examples associated with the activity include op-cli-installer, unused-imports, badgekit-api-client, polyfill-corejs3, and eslint-comments. Some reporting stated that certain packages impersonated tools from GitLab and Apache. Koi Security published indicators of compromise and said npm was reviewing and removing the malicious packages.
Separately, Endor Labs reported malicious npm packages initially linked to PhantomRaven, but later noted they were claimed to have been created by a security researcher as part of a legitimate experiment; Endor Labs challenged that claim, citing excessive data collection, lack of transparency, and rotated publisher identities. This caveat applies to that subset of reporting. No nation-state attribution is stated in the provided content. No aliases beyond the same-name form "phantomraven" are provided in the content.
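A defender-side check for the Remote Dynamic Dependencies pattern described above, as an added example that is not code from Koi Security, Endor Labs, or npm: it audits a parsed package.json for dependency specs that are HTTP(S) URLs outside a trusted registry host, and for install-time lifecycle hooks. The function name, the trusted-host list, and the sample manifest (package names, hosts, paths) are assumptions constructed for illustration.

```javascript
// Added example: audit a parsed package.json for Remote Dynamic Dependencies.
const DEP_SECTIONS = ["dependencies", "devDependencies",
                      "optionalDependencies", "peerDependencies"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Assumption: hosts your organisation accepts tarballs from; extend for mirrors.
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]);

function auditManifest(manifest) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      let url;
      // Semver ranges and dist-tags are not URLs and are skipped here.
      try { url = new URL(String(spec).trim()); } catch { continue; }
      if (url.protocol !== "http:" && url.protocol !== "https:") continue;
      if (TRUSTED_HOSTS.has(url.hostname)) continue;
      findings.push({ kind: "remote-dependency", section, name,
                      host: url.hostname, cleartext: url.protocol === "http:" });
    }
  }
  // Hooks that npm runs automatically at install time; run this over the
  // manifest inside a fetched tarball as well as over the top-level package.
  for (const hook of INSTALL_HOOKS) {
    const command = (manifest.scripts || {})[hook];
    if (typeof command === "string" && command.trim() !== "") {
      findings.push({ kind: "install-hook", hook, command });
    }
  }
  return findings;
}

// Constructed sample manifest: names, hosts and paths are made up for illustration.
const sampleManifest = {
  name: "sample-app",
  version: "1.0.0",
  scripts: { test: "node test.js", preinstall: "node index.js" },
  dependencies: {
    "left-pad": "^1.3.0",
    "helper-lib": "http://packages.example.test/npm/helper-lib",
    "pinned-tarball": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz"
  },
  devDependencies: { "lint-rules": "https://cdn.example.test/lint-rules.tgz" }
};

for (const f of auditManifest(sampleManifest)) console.log(JSON.stringify(f));
```

A package that lists only URL-specified dependencies can still be reported as having "0 dependencies" by tools that count registry entries, so this check is most useful in CI before `npm install` runs.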
Tradecraft
8 distinct techniques observed across reporting, grouped by tactic.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Campaign involving malicious npm packages uploaded via disposable accounts, using Remote Dynamic Dependencies to deliver mutable payloads that steal environment variables, CI/CD tokens, and system metadata. The attribution is disputed in the content, with claims it may have been a security research experiment.
PhantomRaven is known for registering malicious npm packages with names that are likely to be hallucinated by AI assistants, leading developers to install malware through slopsquatting attacks.
PhantomRaven is conducting a large-scale software supply chain attack campaign targeting the npm registry. The group has published over 100 malicious npm packages designed to steal authentication tokens, CI/CD secrets, and GitHub credentials from developers' machines. The campaign leverages novel techniques to evade detection, such as hiding malicious code in dependencies fetched from attacker-controlled URLs and exploiting slopsquatting to register plausible-sounding package names.
PhantomRaven is a campaign targeting software developers via malicious npm packages to steal credentials and secrets, enabling further supply chain attacks.