
PhantomRaven

PhantomRaven is an npm supply-chain malware campaign targeting JavaScript developers through malicious npm packages. Reporting cited here attributes at least 126 malicious npm packages to the campaign, with later waves adding 88 more malicious packages between November 2025 and February 2026, including packages impersonating trusted projects such as Babel and GraphQL Codegen. The campaign was reported by Koi Security and analyzed by Endor Labs.

Its defining tradecraft is hiding malicious functionality in remote or hidden dependencies rather than in the visible package contents. The campaign abuses npm URL-based dependency fetching, described as Remote Dynamic Dependencies (RDD), so packages can appear benign or dependency-free to static analysis while npm retrieves attacker-hosted code at install time. The fetched dependency executes automatically via preinstall scripts. Researchers also reported IP-based targeting, allowing the operators to serve benign content to researchers while delivering malicious payloads to intended victims.

Documented theft includes npm tokens, GitHub credentials, GitHub tokens, GitLab tokens, developer emails from .npmrc and .gitconfig, environment-variable data, CI/CD secrets, and tokens or credentials associated with CircleCI and Jenkins. The malware also collected system details from infected hosts. Multiple reports describe the campaign as stealing authentication tokens, developer secrets, and CI/CD credentials from developer machines across platforms.

The campaign began in August 2025 and remained active into at least February 2026. Koi Security reported more than 86,000 downloads across the malicious packages and traced payload hosting and exfiltration activity to packages.storeartifact.com. The operators reportedly rotated npm accounts, email accounts, package metadata, and PHP endpoints across waves while keeping infrastructure and payloads broadly consistent. Researchers also stated the campaign used AI-driven slopsquatting, registering plausible package names that could match hallucinated recommendations from tools such as GitHub Copilot and ChatGPT.

The reporting cited here does not attribute the campaign to a known threat actor. High-confidence indicators it names include the attacker-controlled domain packages.storeartifact.com, malicious npm packages declaring external URL-based dependencies, and the exfiltration infrastructure and IP indicators published by Koi Security.
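The two install-time patterns described above (a dependency specifier that makes npm fetch a tarball from an arbitrary URL, and a lifecycle script that runs the fetched code) are both visible in files a defender already has. The Node.js script below is an added example, not code from the Mallory page, Koi Security or Endor Labs: it audits a parsed package.json and package-lock.json, classifies each dependency specifier by how npm would resolve it, flags preinstall/install/postinstall/prepare hooks, and checks every lockfile "resolved" URL against an expected registry host. The only real indicator in it is the domain packages.storeartifact.com from the reporting cited here; the package name, URL path and both sample files are constructed for the example, and the trusted-registry list is an assumption (a private registry mirror would need to be added).

```javascript
// Added example (not from the Mallory page, Koi Security or Endor Labs).
// Defender-side audit of an npm manifest and lockfile for install-time risks:
//   1. lifecycle scripts that execute automatically on `npm install`
//   2. dependency specifiers resolved outside the registry (Remote Dynamic Dependencies)
//   3. lockfile "resolved" URLs that point at a non-registry host
// Only packages.storeartifact.com below comes from public reporting; everything
// else (names, paths, sample files) is constructed for this example.

const KNOWN_BAD_HOSTS = new Set(['packages.storeartifact.com']); // domain from the reporting cited on the page
const TRUSTED_REGISTRY_HOSTS = new Set(['registry.npmjs.org']); // assumption: only the public registry is expected
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Classify how npm would satisfy a dependency specifier. Anything other than
// 'registry' is fetched from somewhere npm does not control.
function classifySpecifier(spec) {
  const s = String(spec).trim();
  if (/^file:/i.test(s)) return 'local-path';
  if (/^(git\+)?[a-z][a-z0-9+.-]*:\/\//i.test(s) || /^git@[^:]+:/.test(s)) return 'remote-url';
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return 'hosted-git';
  if (/^[^@\s\/]+\/[^\s\/]+$/.test(s)) return 'hosted-git'; // bare "owner/repo" shorthand
  return 'registry'; // semver range, dist-tag, or "npm:" alias
}

// Hostname of a URL-like specifier, or null if it has no authority part.
function hostOf(spec) {
  try {
    const s = String(spec).replace(/^git\+/, '');
    if (/^git@[^:]+:/.test(s)) return s.slice(4, s.indexOf(':')); // scp-style git URL
    return new URL(s).hostname || null;
  } catch {
    return null;
  }
}

function severityForHost(host) {
  return host && KNOWN_BAD_HOSTS.has(host) ? 'high' : 'medium';
}

// Yield [path, resolvedUrl] pairs from lockfile v2/v3 ("packages") or v1 (nested "dependencies").
function* resolvedUrls(lock) {
  if (!lock) return;
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (meta && typeof meta.resolved === 'string') yield [path || '(root)', meta.resolved];
    }
    return;
  }
  const walk = function* (deps, prefix) {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (meta && typeof meta.resolved === 'string') yield [path, meta.resolved];
      yield* walk(meta && meta.dependencies, `${path}/`);
    }
  };
  yield* walk(lock.dependencies, '');
}

// Audit a parsed package.json and (optionally) a parsed package-lock.json.
// Returns findings in the order found; an empty array means nothing suspicious was seen.
function auditProject(pkg, lock) {
  const findings = [];
  // 1. Lifecycle hooks: the mechanism that turns a fetched package into code execution.
  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && typeof pkg.scripts[hook] === 'string') {
      findings.push({ severity: 'medium', kind: 'lifecycle-script', where: `scripts.${hook}`, detail: pkg.scripts[hook] });
    }
  }
  // 2. Manifest specifiers that bypass the registry entirely.
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpecifier(spec);
      if (kind === 'registry') continue;
      findings.push({
        severity: kind === 'remote-url' ? severityForHost(hostOf(spec)) : 'low',
        kind: `non-registry-dependency:${kind}`,
        where: `${field}.${name}`,
        detail: String(spec),
      });
    }
  }
  // 3. Lockfile: every resolved tarball should come from the expected registry host.
  for (const [where, resolved] of resolvedUrls(lock)) {
    const host = hostOf(resolved);
    if (host && TRUSTED_REGISTRY_HOSTS.has(host)) continue;
    findings.push({ severity: severityForHost(host), kind: 'lockfile-resolved-off-registry', where, detail: resolved });
  }
  return findings;
}

function formatReport(findings) {
  return findings.map((f) => `[${f.severity.toUpperCase()}] ${f.kind} at ${f.where}: ${f.detail}`).join('\n');
}

// Constructed sample input (not a real project): the scoped package name and URL path are invented.
const SAMPLE_PACKAGE_JSON = {
  name: 'example-app',
  scripts: { preinstall: 'node ./setup.js' },
  dependencies: { lodash: '^4.17.21', '@example/remote-dep': 'https://packages.storeartifact.com/npm/remote-dep' },
};
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
    'node_modules/@example/remote-dep': { version: '1.0.0', resolved: 'https://packages.storeartifact.com/npm/remote-dep' },
  },
};

console.log(formatReport(auditProject(SAMPLE_PACKAGE_JSON, SAMPLE_LOCKFILE)) || 'no findings');
```

Run it with `node audit.js`; in CI, fail the build on any high finding and review the medium ones. Note that the page's point is that the preinstall hook lives in the fetched dependency's own package.json, not in the project's manifest, so the same lifecycle-script check should be applied to each `node_modules/*/package.json` after a dry-run install, and `npm install --ignore-scripts` removes the automatic execution step entirely while the URL-based dependencies are being reviewed.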


MITRE ATT&CK: Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (2 techniques)

T1195 Supply Chain Compromise (Evidence: 2)
    PhantomRaven: 126 Malicious npm Packages Steal Developer Tokens and Secrets Using Hidden Dependencies

T1195.001 Compromise Software Dependencies and Development Tools (Evidence: 1)
    "Over 67,000 Fake npm Packages"; "typosquats... @acitons/artifact"; "malicious NuGet packages... logic bombs"; "Malicious PyPI package"; "homoglyph trick"

Execution (2 techniques)

T1059 Command and Scripting Interpreter (Evidence: 1)
    Installation of the illicit packages... automatically downloads and executes malware...

T1204 User Execution (Evidence: 1)
    Installation of the illicit packages... automatically downloads and executes malware...

Stealth (1 technique)

T1036 Masquerading (Evidence: 1)
    88 malicious npm packages impersonating Babel, GraphQL Codegen, and other established projects...

Credential Access (4 techniques)

T1552.001 Credentials In Files (Evidence: 1)
    ...exfiltrates emails from .npmrc, .gitconfig... GitHub, GitLab, CircleCI, and Jenkins CI/CD tokens...

T1552.003 Shell History (Evidence: 1)
    ...exfiltrates emails from .npmrc, .gitconfig, and environment variables...

T1555 Credentials from Password Stores (Evidence: 1)
    ...executes malware that exfiltrates emails from .npmrc, .gitconfig, and environment variables, GitHub, GitLab, CircleCI, and Jenkins CI/CD tokens...

T1649 Steal or Forge Authentication Certificates (Evidence: 1)
    PhantomRaven: 126 Malicious npm Packages Steal Developer Tokens and Secrets Using Hidden Dependencies

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (Evidence: 1)
    ...automatically downloads and executes malware that exfiltrates emails from .npmrc, .gitconfig, and environment variables, GitHub, GitLab, CircleCI, and Jenkins CI/CD tokens, and system details...

INDICATORS OF COMPROMISE: IOCs tracked for this family

1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (1 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Type: domain
Value: masked on the public page (full value available in Mallory)
Latest sighting: 8 months ago