npm Supply-Chain Attacks Steal Developer Tokens and Enable Cloud Compromise
Threat actors are using malicious npm packages to steal developer credentials and CI/CD secrets, then escalating rapidly into cloud environments. Google reported that UNC6426 used keys stolen during the earlier compromise of the nx npm ecosystem to pivot from a stolen developer GitHub token to AWS administrative access within 72 hours, abusing GitHub-to-AWS OpenID Connect (OIDC) trust to create a new administrator role. The actor then exfiltrated data from AWS S3 and carried out destructive actions in production cloud environments. The initial nx compromise abused a GitHub Actions pull_request_target workflow (a “Pwn Request”) to publish trojanized packages whose postinstall chain executed the QUIETVAULT JavaScript credential stealer and uploaded the stolen data to a public GitHub repository (/s1ngularity-repository-1).
Separately, researchers reported new waves of the PhantomRaven npm supply-chain campaign: 88 additional malicious packages published through roughly 50 disposable accounts, targeting JavaScript developers by exfiltrating secrets from files such as .gitconfig and .npmrc, from environment variables, and from CI/CD tokens (GitHub, GitLab, Jenkins, CircleCI). The campaign uses slopsquatting (registering lookalike package names of the kind LLMs tend to suggest) and a stealth technique called Remote Dynamic Dependencies (RDD), in which package.json points a dependency at an external URL so the malicious payload is fetched at install time (npm install) rather than shipped in the published tarball, leaving nothing for static inspection of the registry artifact to catch. The researchers said many of these packages were still available on npm at the time of reporting.
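To make the RDD and postinstall points concrete, here is an added audit script (not code from this page, Koi or Endor Labs) that inspects a package.json for the two install-time behaviours described above: dependency specifiers npm will resolve from a URL or git remote instead of the registry index, and lifecycle hooks that run during `npm install`. The sample manifest, its package names and the tarball URL are constructed for the example; the classification rules follow npm's own specifier syntax.

```javascript
// Added example (not from the page, Koi or Endor Labs): audit a package.json
// for dependencies resolved outside the registry (Remote Dynamic Dependencies)
// and for lifecycle scripts that execute on `npm install`. Node only, no deps.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

// Decide how npm would resolve a dependency specifier. Semver ranges and
// dist-tags ("^1.2.0", "1.x", ">=1 <2", "*", "latest") come from the registry
// index, which is what static package scanners inspect; everything else is
// fetched at install time from wherever the specifier points.
function classifySpec(spec) {
  if (typeof spec !== "string") return "unknown";
  const s = spec.trim();
  if (/^npm:/i.test(s)) return "alias";                                 // npm:real-name@range
  if (/^https?:\/\//i.test(s)) return "url";                            // tarball fetched over HTTP(S)
  if (/^(git(\+\w+)?:|github:|gitlab:|bitbucket:|gist:)/i.test(s)) return "git";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return "git";                 // GitHub shorthand owner/repo[#ref]
  if (/^(file:|\.{0,2}\/|~\/)/.test(s) || /\.(tgz|tar\.gz)$/i.test(s)) return "local";
  return "registry";
}

// One finding per dependency resolved from a URL or git remote, and one per
// lifecycle hook that will run during install.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === "url" || kind === "git") {
        findings.push({ type: "remote-dependency", field, name, spec, kind });
      }
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push({ type: "lifecycle-script", hook, cmd: scripts[hook] });
  }
  return findings;
}

// Constructed sample manifest; package names and the URL are invented.
const SAMPLE_MANIFEST = {
  name: "example-app",
  dependencies: {
    "express": "^4.19.2",
    "@example/ui-kit": "1.x",
    "string-helpers-pro": "https://cdn.example.invalid/string-helpers-pro-1.0.0.tgz",
    "build-tools": "example-org/build-tools#main",
  },
  devDependencies: { jest: "29.x" },
  scripts: { test: "jest", postinstall: "node ./scripts/setup.js" },
};

const sampleFindings = auditManifest(SAMPLE_MANIFEST);
for (const f of sampleFindings) console.log(JSON.stringify(f));
```

Run it over the manifest of each package that ends up in node_modules, not only the top-level one: a transitive dependency's package.json is resolved the same way, which is exactly where an RDD specifier hides. Setting `ignore-scripts=true` in .npmrc stops the postinstall half of the chain by default, at the cost of having to opt in scripts for the packages that genuinely need them.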

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Endor Labs documents ongoing PhantomRaven activity
By March 2026, Endor Labs reported that PhantomRaven infrastructure and payload code remained consistent across waves and that many malicious packages were still available on npm. This indicated the campaign was ongoing at the time of reporting.
UNC6426 exfiltrates data and disrupts production AWS resources
After gaining AWS administrator privileges, UNC6426 exfiltrated data from S3, terminated production EC2 and RDS resources, decrypted application keys, and exposed internal GitHub repositories by renaming and making them public. Google reported the full compromise unfolded in less than 72 hours.
UNC6426 compromises victim cloud environment in under 72 hours
Using credentials stolen from the nx package compromise, UNC6426 accessed a victim's GitHub environment, extracted more CI/CD secrets, abused GitHub-to-AWS OIDC trust, and obtained AWS STS tokens. The actor then deployed a permissive CloudFormation stack to create a new IAM role with AdministratorAccess.
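The chain described here and in the summary above (OIDC-assumed STS session, CloudFormation stack, new role with AdministratorAccess) leaves a distinctive trail in CloudTrail. The following added example, not code from the page or from Google's report, correlates those records: it remembers every session minted through AssumeRoleWithWebIdentity from the GitHub OIDC provider and alerts when that session issues a privilege-escalating IAM or CloudFormation call within a time window. The records, account id, role, stack and session names are constructed; the field names are CloudTrail's.

```javascript
// Added example (not from the page or Google's report): flag a GitHub OIDC
// session that escalates to administrator. Records below are constructed.

const ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess";
const GITHUB_OIDC = "token.actions.githubusercontent.com";

// API calls that can turn a scoped deploy role into a persistent admin.
const PRIV_ESC_EVENTS = new Set([
  "CreateStack", "CreateRole", "AttachRolePolicy", "PutRolePolicy",
  "UpdateAssumeRolePolicy", "CreatePolicyVersion",
]);

// One alert per privilege-escalation call made by a session that was minted via
// AssumeRoleWithWebIdentity from GitHub within windowMs of that call. Calls that
// CloudFormation makes with the caller's credentials keep the same assumed-role
// ARN (with userIdentity.invokedBy set), so they attribute back to the OIDC
// session; a stack run under its own service role would instead log that role
// and need a second hop through the stack's events.
function detectOidcToAdmin(records, windowMs = 60 * 60 * 1000) {
  const sorted = [...records].sort(
    (a, b) => Date.parse(a.eventTime) - Date.parse(b.eventTime));
  const oidcSessions = new Map(); // assumed-role session ARN -> assumed-at (ms)
  const alerts = [];
  for (const rec of sorted) {
    const id = rec.userIdentity || {};
    if (rec.eventName === "AssumeRoleWithWebIdentity" && id.type === "WebIdentityUser") {
      const provider = id.identityProvider || "";
      const sessArn = rec.responseElements && rec.responseElements.assumedRoleUser
        && rec.responseElements.assumedRoleUser.arn;
      if (sessArn && provider.includes(GITHUB_OIDC)) {
        oidcSessions.set(sessArn, Date.parse(rec.eventTime));
      }
      continue;
    }
    if (id.type !== "AssumedRole" || !oidcSessions.has(id.arn)) continue;
    if (!PRIV_ESC_EVENTS.has(rec.eventName)) continue;
    const elapsedMs = Date.parse(rec.eventTime) - oidcSessions.get(id.arn);
    if (elapsedMs < 0 || elapsedMs > windowMs) continue;
    const p = rec.requestParameters || {};
    const adminAttached = rec.eventName === "AttachRolePolicy" && p.policyArn === ADMIN_POLICY;
    alerts.push({
      session: id.arn,
      eventName: rec.eventName,
      target: p.roleName || p.stackName || null,
      viaCloudFormation: id.invokedBy === "cloudformation.amazonaws.com",
      elapsedMin: Math.round(elapsedMs / 60000),
      severity: adminAttached ? "critical" : "high",
    });
  }
  return alerts;
}

const ACCT = "123456789012"; // invented account id
const SESSION = `arn:aws:sts::${ACCT}:assumed-role/GitHubDeployRole/GitHubActions`;

// Constructed CloudTrail-shaped records carrying only the fields the detector reads.
const SAMPLE_RECORDS = [
  { eventTime: "2025-08-27T10:00:00Z", eventSource: "sts.amazonaws.com",
    eventName: "AssumeRoleWithWebIdentity",
    userIdentity: { type: "WebIdentityUser", identityProvider: GITHUB_OIDC },
    requestParameters: { roleArn: `arn:aws:iam::${ACCT}:role/GitHubDeployRole` },
    responseElements: { assumedRoleUser: { arn: SESSION } } },
  { eventTime: "2025-08-27T10:04:10Z", eventSource: "cloudformation.amazonaws.com",
    eventName: "CreateStack",
    userIdentity: { type: "AssumedRole", arn: SESSION },
    requestParameters: { stackName: "infra-hotfix" } },
  { eventTime: "2025-08-27T10:04:25Z", eventSource: "iam.amazonaws.com",
    eventName: "CreateRole",
    userIdentity: { type: "AssumedRole", arn: SESSION, invokedBy: "cloudformation.amazonaws.com" },
    requestParameters: { roleName: "BuildAdminRole" } },
  { eventTime: "2025-08-27T10:04:31Z", eventSource: "iam.amazonaws.com",
    eventName: "AttachRolePolicy",
    userIdentity: { type: "AssumedRole", arn: SESSION, invokedBy: "cloudformation.amazonaws.com" },
    requestParameters: { roleName: "BuildAdminRole", policyArn: ADMIN_POLICY } },
  // Benign noise from an unrelated, non-OIDC session.
  { eventTime: "2025-08-27T10:05:00Z", eventSource: "s3.amazonaws.com",
    eventName: "ListBuckets",
    userIdentity: { type: "AssumedRole", arn: `arn:aws:sts::${ACCT}:assumed-role/OpsRole/alice` },
    requestParameters: {} },
];

for (const a of detectOidcToAdmin(SAMPLE_RECORDS)) console.log(JSON.stringify(a));
```

The detection complements, rather than replaces, scoping the role's trust policy: a `token.actions.githubusercontent.com:sub` condition pinned to one repository and branch limits which workflows can assume the role, but an actor who already holds that repository's CI context, as the page describes, satisfies the condition legitimately, so the role's permissions and what it does after assumption are what remain to catch.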
Additional PhantomRaven attack waves hit npm
Endor Labs identified three more PhantomRaven waves spanning November 2025 through February 2026, expanding the campaign to dozens of malicious packages and many disposable publisher accounts. The actor used slopsquatting package names and Remote Dynamic Dependencies to fetch payloads at install time.
PhantomRaven npm campaign first reported by Koi
Koi initially reported the PhantomRaven supply-chain campaign targeting the npm registry with malicious JavaScript packages that steal developer and CI/CD credentials. The activity was identified in October 2025.
nx npm supply-chain compromise enables credential theft
In 2025, attackers compromised the nx npm package through a vulnerable pull_request_target workflow, leading to trojanized Nx-related packages that executed the QUIETVAULT credential stealer. The malware harvested tokens and other sensitive data and uploaded them to a public GitHub repository.