Executive Summary

A sophisticated supply chain attack campaign, codenamed PhantomRaven, has been discovered targeting the npm ecosystem. At least 126 malicious npm packages have been identified, collectively downloaded over 86,000 times. These packages are designed to steal GitHub tokens, CI/CD secrets, and authentication credentials from developers’ environments. The campaign leverages advanced evasion techniques, including remote dynamic dependencies and AI-generated plausible package names (slopsquatting), making detection by traditional security tools extremely difficult.

Technical Details

Attack Vector

• Initial Infection: Developers install a seemingly benign npm package.

• Remote Dynamic Dependency (RDD): The package’s manifest points to a dependency hosted on an attacker-controlled server (e.g.,

  packages.storeartifact.com

  ), not on npmjs.com.

• Lifecycle Script Abuse: A

  preinstall

  hook triggers the download and execution of the malicious payload.

• Stealth: The remote dependency is not visible to static analysis or dependency scanners, and the attacker can serve benign code initially, switching to malicious payloads later.

Malicious Behavior

• Environment Reconnaissance: Scans for email addresses, CI/CD environment details, and system fingerprint (including public IP).

• Credential Theft: Extracts and exfiltrates GitHub tokens, npm tokens, and other secrets.

• Exfiltration: Data is sent to attacker-controlled infrastructure via HTTP GET/POST or WebSocket.

Complete List of Affected npm Packages

The following is the full list of npm packages identified as malicious and part of the PhantomRaven campaign (as published by Koi Security):

fq-ui mocha-no-only ft-flow ul-inline jest-hoist jfrog-npm-actions-example @acme-types/acme-package react-web-api mourner unused-imports jira-ticket-todo-comment polyfill-corejs3 polyfill-regenerator @aio-commerce-sdk/config-tsdown @aio-commerce-sdk/config-typedoc @aio-commerce-sdk/config-typescript @aio-commerce-sdk/config-vitest powerbi-visuals-sunburst @gitlab-lsp/pkg-1 @gitlab-lsp/pkg-2 @gitlab-lsp/workflow-api @gitlab-test/bun-v1 @gitlab-test/npm-v10 @gitlab-test/pnpm-v9 @gitlab-test/yarn-v4 acme-package add-module-exports add-shopify-header jsx-a11y prefer-object-spread preferred-import durablefunctionsmonitor durablefunctionsmonitor-vscodeext durablefunctionsmonitor.react e-voting-libraries-ui-kit named-asset-import chai-friendly aikido-module airbnb-babel airbnb-base-hf airbnb-base-typescript-prettier airbnb-bev airbnb-calendar airbnb-opentracing-javascript airbnb-scraper airbnb-types ais-sn-components goji-js-org google-cloud-functions-framework chromestatus-openapi elemefe labelbox-custom-ui rxjs-angular @apache-felix/felix-antora-ui @apache-netbeans/netbeans-antora-ui syntax-dynamic-import no-floating-promise no-only-tests @i22-td-smarthome/component-library vuejs-accessibility lfs-ui react-async-component-lifecycle-hooks eslint-comments wdr-beam lion-based-ui lion-based-ui-labs eslint-disable-next-line eslint-github-bot eslint-plugin-cli-microsoft365 eslint-plugin-custom-eslint-rules @item-shop-data/client @msdyn365-commerce-marketplace/address-extensions @msdyn365-commerce-marketplace/tax-registration-numbers artifactregistry-login crowdstrike wm-tests-helper external-helpers react-important-stuff audio-game faltest only-warn op-cli-installer react-naming-convention skyscanner-with-prettier xo-form-components xo-login-components xo-page-components xo-shipping-change xo-shipping-options xo-title xo-tracking xo-validation badgekit-api-client important-stuff transform-es2015-modules-commonjs transform-merge-sibling-variables transform-react-constant-elements transform-react-jsx-source transform-react-remove-prop-types transform-strict-mode trezor-rollout filename-rules ing-web-es inline-react-svg ts-important-stuff firefly-sdk-js firefly-shared-js zeus-me-ops-tool zeus-mex-user-profile ts-migrate-example ts-react-important-stuff zohocrm-nodejs-sdk-3.0 iot-cardboard-js pensions-portals-fe sort-class-members sort-keys-fix sort-keys-plus flowtype-errors twilio-react twilio-ts bernie-core bernie-plugin-l10n spaintest1 typescript-compat typescript-sort-keys uach-retrofill

Note: Most packages had only a single version published, but all versions of the above packages should be considered malicious and removed.

Exploitation in the Wild

• Timeline: First observed in August 2025, ongoing as of October 2025.

• Impact: Over 86,000 downloads, with active theft of developer credentials and secrets.

• Victims: Developers and organizations using npm packages, especially those relying on automated or CI/CD-based dependency installation.

Tactics, Techniques, and Procedures (TTPs)

• MITRE ATT&CK Mapping:

• T1195.002 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools)

• T1552 (Unsecured Credentials)

• T1059 (Command and Scripting Interpreter)

• T1041 (Exfiltration Over C2 Channel)

• APT Attribution: No direct attribution to a known APT group as of this report. The campaign demonstrates advanced supply chain attack techniques seen in recent APT operations.

Indicators of Compromise (IOCs)

Malicious Domains

• packages.storeartifact.com

  (primary RDD host)

• IP:

  54.173.15.59

• Exfiltration endpoint:

  jpd.php

Attacker Infrastructure

• Sequential email pattern across free email providers:

• jpdtester01@hotmail.com

• jpdtester02@outlook.com

• jpdtester03@outlook.com

• jpdtester05@outlook.com

• jpdtester06@outlook.com

• jpdtester07@hotmail.com

• jpdtester07@outlook.com

• jpdtester08@hotmail.com

• jpdtester09@outlook.com

• jpdtester10@hotmail.com

• jpdtester11@outlook.com

• jpdtester12@gmail.com

• jpdtester12@outlook.com

• jpdtester13@gmail.com

File/Script Artifacts

• preinstall

  scripts in

  package.json

  fetching remote code

• Outbound connections to attacker-controlled domains during install

Exploitation and Detection

• How It’s Being Exploited: Attackers leverage the npm ecosystem’s flexibility, using lifecycle scripts and remote dependencies to bypass static analysis and security scanners. The use of AI-generated package names (slopsquatting) increases the likelihood of accidental installation by developers.

• Detection: Monitor for unexpected

  preinstall

  /

  postinstall

  scripts, outbound connections to non-npmjs domains during package installation, and unauthorized access/use of GitHub or npm tokens.

Mitigation Strategies

• Audit Dependencies: Immediately review all npm dependencies for references to external domains or unexpected lifecycle scripts.

• Block Malicious Domains: Add

  packages.storeartifact.com

  and any other identified domains to network blocklists.

• Revoke and Rotate Credentials: If affected, revoke all GitHub and npm tokens/secrets and rotate them.

• Monitor for Suspicious Activity: Watch for unauthorized access to repositories, CI/CD pipelines, and credential use.

References

• Koi Security Blog: PhantomRaven NPM Malware Hidden in Invisible Dependencies

• BleepingComputer: PhantomRaven attack floods npm with credential-stealing packages

• MITRE ATT&CK: T1195.002, T1552, T1041, T1059

• NVD: No CVE assigned as of this report; monitor for updates

Prepared for Rescana customers. For further assistance or a full list of affected packages, contact your Rescana representative.

Executive Summary

A highly sophisticated supply chain attack, designated as PhantomRaven, has been uncovered within the npm ecosystem, representing a significant escalation in the threat landscape for software development organizations and open-source contributors. This campaign involves at least 126 malicious npm packages that have been collectively downloaded over 86,000 times. The primary objective of PhantomRaven is the exfiltration of GitHub tokens, CI/CD secrets, and other sensitive authentication credentials from developer environments. The attackers employ advanced evasion tactics, such as remote dynamic dependencies and AI-generated slopsquatting package names, to bypass conventional security controls and static analysis tools. The campaign’s scale, technical sophistication, and focus on developer supply chains underscore the urgent need for enhanced vigilance and proactive mitigation across the software development lifecycle.

Threat Actor Profile

The PhantomRaven campaign has not been attributed to any known Advanced Persistent Threat (APT) group as of this report. However, the operational sophistication, including the use of remote dynamic dependencies and lifecycle script abuse, is consistent with tactics observed in recent high-profile supply chain attacks. The threat actors demonstrate a deep understanding of the npm ecosystem, leveraging both technical and social engineering vectors. The use of AI-generated, plausible package names (slopsquatting) increases the likelihood of accidental installation by developers, while the dynamic serving of payloads from attacker-controlled infrastructure allows for rapid adaptation and evasion. The campaign’s infrastructure includes a series of attacker-registered domains and a pattern of sequential email addresses across multiple free providers, indicating a methodical and scalable approach to campaign management.

Technical Analysis of Malware/TTPs

PhantomRaven leverages a multi-stage infection chain that exploits the npm package installation process. The initial infection occurs when a developer installs a seemingly legitimate npm package. The malicious package’s manifest file references a dependency hosted on an attacker-controlled server, such as packages.storeartifact.com, rather than the official npm registry. This technique, known as Remote Dynamic Dependency (RDD), enables the attacker to serve either benign or malicious code at will, evading static analysis and traditional dependency scanning.

Upon installation, the package executes a preinstall lifecycle script, which fetches and executes a remote payload. This payload performs extensive environment reconnaissance, harvesting email addresses, CI/CD environment variables, and system fingerprints, including public IP addresses. The malware then searches for and extracts GitHub tokens, npm tokens, and other authentication secrets present in the environment. Exfiltration is conducted via HTTP POST or WebSocket connections to attacker-controlled endpoints, such as the jpd.php script on packages.storeartifact.com.

The campaign’s technical sophistication is further evidenced by its use of AI-generated package names that closely mimic popular or plausible npm modules, a technique known as slopsquatting. This increases the probability of accidental installation, particularly in environments with automated or bulk dependency management. The attacker’s infrastructure is robust, utilizing multiple domains and a series of sequential email addresses (e.g., jpdtester01@hotmail.com, jpdtester02@outlook.com, etc.) to register and manage malicious packages.

MITRE ATT&CK techniques observed in this campaign include T1195.002 (Supply Chain Compromise: Compromise Software Dependencies and Development Tools), T1552 (Unsecured Credentials), T1059 (Command and Scripting Interpreter), and T1041 (Exfiltration Over C2 Channel).

Exploitation in the Wild

The PhantomRaven campaign was first observed in August 2025 and remains active as of October 2025. The malicious packages have been downloaded over 86,000 times, indicating widespread exposure across the global developer community. Exploitation occurs primarily through the installation of compromised npm packages, either manually by developers or automatically via CI/CD pipelines and dependency management tools. The attackers’ use of remote dynamic dependencies allows them to selectively serve malicious payloads, potentially targeting specific organizations or environments. The campaign has resulted in the active theft of developer credentials, with observed exfiltration of GitHub tokens, npm tokens, and other sensitive secrets. The impact is amplified in organizations with automated build and deployment processes, where compromised credentials can lead to further lateral movement, codebase tampering, and supply chain propagation.

Victimology and Targeting

The PhantomRaven campaign targets a broad spectrum of victims, including individual developers, open-source contributors, and organizations that rely on the npm ecosystem for software development. The primary sectors affected are software development, DevOps, CI/CD environments, and any entity utilizing automated dependency installation. The campaign is global in scope, with no evidence of country-specific targeting. The use of slopsquatting and AI-generated package names increases the risk for organizations with less stringent dependency vetting processes. Victims are typically those who install npm packages without thorough scrutiny, particularly in environments where dependencies are managed automatically or in bulk. The theft of GitHub tokens and CI/CD secrets poses a significant risk of downstream compromise, including unauthorized code changes, data exfiltration, and further supply chain attacks.

Mitigation and Countermeasures

Immediate action is required to mitigate the risks posed by the PhantomRaven campaign. Organizations should conduct a comprehensive audit of all npm dependencies, scrutinizing package manifests for references to external domains and unexpected lifecycle scripts, particularly preinstall and postinstall hooks. Any package referencing packages.storeartifact.com or similar attacker-controlled domains should be considered compromised and removed. Network security teams should block outbound connections to packages.storeartifact.com and any other identified malicious domains at the firewall or proxy level.

All GitHub tokens, npm tokens, and other secrets present in potentially affected environments must be revoked and rotated without delay. Continuous monitoring for unauthorized access to repositories, CI/CD pipelines, and credential usage is essential. Security teams should implement automated detection for unexpected lifecycle scripts and outbound connections to non-npmjs domains during package installation. Developers should be educated on the risks of slopsquatting and the importance of verifying package authenticity, especially when adding new dependencies.

Organizations are strongly encouraged to leverage advanced third-party risk management (TPRM) platforms to continuously monitor and assess the security posture of their software supply chain. Proactive engagement with threat intelligence feeds and security advisories will further enhance resilience against evolving supply chain threats.

References

The following sources provide additional technical details and ongoing updates regarding the PhantomRaven campaign:

The Hacker News: PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs https://thehackernews.com/2025/10/phantomraven-malware-found-in-126-npm.html

Koi Security Blog: PhantomRaven NPM Malware Hidden in Invisible Dependencies https://www.koi.ai/blog/phantomraven-npm-malware-hidden-in-invisible-dependencies

BleepingComputer: PhantomRaven attack floods npm with credential-stealing packages https://www.bleepingcomputer.com/news/security/phantomraven-attack-floods-npm-with-credential-stealing-packages/

The Register: npm hit by PhantomRaven supply chain attack https://www.theregister.com/2025/10/30/phantomraven_npm_malware/

MITRE ATT&CK: T1195.002, T1552, T1041, T1059 https://attack.mitre.org/

DCODX Security Advisory https://www.dcodx.com/advisories/phantomraven-npm

NVD: No CVE assigned as of this report; monitor for updates https://nvd.nist.gov

About Rescana

Rescana is a leader in third-party risk management, providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate risks across their software supply chain. Our advanced TPRM solutions empower security teams to identify emerging threats, enforce best practices, and maintain resilience in the face of evolving cyber risks. For more information about how Rescana can help safeguard your organization, we are happy to answer questions at ops@rescana.com.