Since August 2025, a large software supply chain campaign against the developer community has been active, culminating in the identification of 126 malicious npm packages that together accumulated over 86,000 downloads. The operation, now known as PhantomRaven, was built to steal sensitive data: npm authentication tokens, GitHub credentials, and CI/CD pipeline secrets from developers worldwide. It was notable for detection evasion techniques that bypassed most conventional security tooling.
Security analysts first identified PhantomRaven in October 2025, when behavioral monitoring flagged unusual network activity during package installation, an indicator of malicious behavior that happens after download rather than in the code published to the registry. All of the suspicious packages made requests to the same external domain, which tied them to a single orchestrated operation. Although 21 initial packages were detected and removed in August 2025, the attackers adjusted quickly and published a further 80 packages between September and October that evaded the detection mechanisms then in place.
The investigation into the threat actor behind PhantomRaven revealed an operational paradox. The attacker's infrastructure showed poor operational security (OpSec): traceable sequential email accounts and obvious usernames such as npmhell, which tied the infrastructure to a single operator. The delivery mechanism, by contrast, was novel and marked a real step up in the sophistication of software supply chain attacks.
The novelty lay in what the researchers called Remote Dynamic Dependencies. Viewed on the npm registry, the malicious packages looked harmless: simple "hello world" scripts that appeared to declare no dependencies. The trick relies on a little-used npm feature that accepts an HTTP URL as a dependency specifier in place of a registry package name and version range; a dependency given this way is not listed on the package's registry page, which is why the packages showed no dependencies. The malicious code was therefore absent from what a reviewer saw on npmjs.com and lived instead in a dependency fetched from an attacker-controlled server (packages.storeartifact.com) at install time. Because the payload is never published to the registry, static analysis and dependency scanners that work from the registry's copy of the package never see it, and because the tarball is fetched fresh from the attacker's server on every install, what a reviewer downloads and what a victim's CI runner receives need not be the same.
Once the hidden dependency lands on the victim's system, execution is automatic through npm's lifecycle scripts. The dependency's package.json declares a preinstall script (for example "preinstall": "node index.js") that npm runs during installation with no prompt or warning. This happens even when the malicious package is only a deeply nested transitive dependency of a package that looks legitimate. On activation, PhantomRaven harvests credentials: it collects email addresses, targets CI/CD credentials such as GitHub Actions secrets, GitLab CI variables, and npm publishing tokens, and fingerprints the system to profile the victim's environment and identify high-value corporate networks.
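As an added example (not code from the original page or from the PhantomRaven research), the following Node.js script shows how a practitioner might check for the two ingredients described above, a dependency declared as a URL and an install-time lifecycle script, in both a package.json and a package-lock.json, where transitive dependencies appear. The manifests and lockfile below are constructed for the example; the host packages.example.invalid and the package names are placeholders, not the campaign's.

```javascript
// Added example: audit a package.json and a package-lock.json (v2/v3 format)
// for non-registry dependency specifiers and lifecycle scripts that run at
// install time. Sample manifests and lockfile are constructed; hostnames and
// package names are placeholders.

// Specifiers npm resolves outside the registry: tarball URLs, git remotes,
// hosted-git shorthands, local paths and links.
const REMOTE_SCHEME = /^(https?:\/\/|git(\+(ssh|https?|file))?:\/\/|git@|github:|gitlab:|bitbucket:|gist:|file:|link:)/i;
// Bare "owner/repo" (optionally "#ref") is GitHub shorthand, not a version range.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/;
// Lifecycle scripts npm runs for a dependency during install without prompting
// (prepare runs for git-sourced dependencies).
const INSTALL_HOOKS = new Set(['preinstall', 'install', 'postinstall', 'prepare']);
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

function isRemoteSpec(spec) {
  if (typeof spec !== 'string') return false;
  if (spec.startsWith('npm:')) return false; // registry alias, e.g. npm:lodash@^4
  return REMOTE_SCHEME.test(spec) || GITHUB_SHORTHAND.test(spec);
}

// Direct dependencies of one manifest whose specifier is not a registry reference.
function findRemoteDependencies(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (isRemoteSpec(spec)) findings.push({ field, name, spec });
    }
  }
  return findings;
}

// Scripts in one manifest that npm would run automatically on install.
function findInstallHooks(manifest) {
  return Object.entries(manifest.scripts || {})
    .filter(([hook]) => INSTALL_HOOKS.has(hook))
    .map(([hook, cmd]) => ({ hook, cmd }));
}

// Walk every installed package recorded in the lockfile, so a URL dependency
// buried several levels deep in the tree is caught, not only direct ones.
function auditLockfile(lock, allowedRegistries = ['https://registry.npmjs.org/']) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const where = path === '' ? '(root project)' : path;
    const resolved = entry.resolved || '';
    if (resolved && !allowedRegistries.some((r) => resolved.startsWith(r))) {
      findings.push({ where, issue: 'non-registry-source', detail: resolved });
    }
    if (entry.hasInstallScript) {
      findings.push({ where, issue: 'install-script', detail: 'runs a lifecycle script on install' });
    }
    for (const [name, spec] of Object.entries(entry.dependencies || {})) {
      if (isRemoteSpec(spec)) findings.push({ where, issue: 'remote-dependency-spec', detail: `${name}@${spec}` });
    }
  }
  return findings;
}

// Constructed decoy: looks like a "hello world" package, declares one URL dependency.
const DECOY_MANIFEST = {
  name: 'hello-world-helper',
  version: '1.0.0',
  dependencies: {
    'left-pad': '^1.3.0',
    'unused-imports-plugin': 'http://packages.example.invalid/unused-imports-plugin-0.3.0.tgz',
  },
};
// Constructed hidden dependency: served only from the remote host, runs on install.
const HIDDEN_DEP_MANIFEST = {
  name: 'unused-imports-plugin',
  version: '0.3.0',
  scripts: { preinstall: 'node index.js' },
};
// Constructed lockfile of a project that depends on the decoy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'hello-world-helper': '1.0.0' } },
    'node_modules/hello-world-helper': {
      version: '1.0.0',
      resolved: 'https://registry.npmjs.org/hello-world-helper/-/hello-world-helper-1.0.0.tgz',
      dependencies: { 'unused-imports-plugin': 'http://packages.example.invalid/unused-imports-plugin-0.3.0.tgz' },
    },
    'node_modules/unused-imports-plugin': {
      version: '0.3.0',
      resolved: 'http://packages.example.invalid/unused-imports-plugin-0.3.0.tgz',
      hasInstallScript: true,
    },
  },
};

function auditProject(manifest, lock) {
  return {
    remoteDependencies: findRemoteDependencies(manifest),
    installHooks: findInstallHooks(manifest),
    lockFindings: auditLockfile(lock),
  };
}

console.log(JSON.stringify(auditProject(DECOY_MANIFEST, SAMPLE_LOCK), null, 2));
```

Run against a real project, the lockfile walk is the part that matters: the decoy's own manifest is clean of scripts, and only the lockfile records both the non-registry source and the install script of the package it pulls in. The complementary control is to stop lifecycle scripts from running at all with `ignore-scripts=true` in .npmrc or `npm ci --ignore-scripts`; that also disables legitimate install scripts (native builds, for instance), so packages that need them have to be handled explicitly.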