PhantomRaven represents an ongoing npm supply chain attack campaign that has systematically targeted JavaScript developers worldwide since August 2025, distributing over 200 malicious packages across four distinct attack waves. This sophisticated npm supply chain campaign leverages a novel technique called Remote Dynamic Dependencies (RDD) to fetch credential-stealing payloads from external attacker-controlled servers during the npm install process, completely bypassing static security scanners and code analysis tools. The PhantomRaven attack campaign specifically targets developer environments across Windows, Linux, and macOS platforms, with particular focus on CI/CD pipelines and developer workstations where valuable credentials and tokens are stored.
The PhantomRaven malware harvests critical developer credentials including CI/CD tokens from GitHub Actions, GitLab CI, Jenkins, CircleCI, and npm, along with developer email addresses extracted from .gitconfig and .npmrc files, and comprehensive system information including IP addresses, hostnames, operating system details, and Node.js versions to differentiate individual developers from corporate build environments. Stolen data is exfiltrated through redundant communication channels to attacker-controlled infrastructure, including HTTP GET requests, HTTP POST requests, and WebSocket connections as fallback mechanisms. Despite the initial wave being publicly exposed in October 2025 with 126 malicious packages accumulating over 86,000 downloads, the threat actor persisted with operations, pushing three additional waves between November 2025 and February 2026. At the time of discovery, 81 of the 88 most recent packages remained live on the npm registry, and two of three command-and-control servers remained active, representing an ongoing and immediate threat to organizations using npm dependencies.
PhantomRaven is an ongoing npm supply chain campaign that has been targeting JavaScript developers since August 2025, representing a significant evolution in software supply chain attack methodologies. First publicly exposed in October 2025, the initial attack wave included 126 malicious npm packages that collectively accumulated over 86,000 downloads before detection. Despite public disclosure and security community awareness, the threat actor demonstrated persistent operational commitment by continuing the campaign, pushing the total number of malicious packages to over 200 across four distinct waves, indicating a determined and well-resourced adversary.
The PhantomRaven campaign employs a sophisticated technique called Remote Dynamic Dependencies (RDD) that fundamentally evades traditional security analysis approaches. Instead of embedding malicious code directly within the published npm package where it could be detected through static analysis, the threat actor adds HTTP URLs in the package.json dependencies field. When a developer executes the npm install command, the npm package manager itself automatically downloads the malicious payload from attacker-controlled servers as part of the normal dependency resolution process. The published packages contain only harmless “Hello World” scripts with zero visible dependencies in their code, allowing them to slip past static analysis tools, code review processes, and security scanners entirely. The malicious payload executes automatically through a preinstall lifecycle hook with all console output suppressed and hidden, leaving victims completely unaware of the compromise occurring on their systems.
Three additional attack waves designated as Wave-2, Wave-3, and Wave-4 were uncovered by security researchers between November 2025 and February 2026, adding 88 malicious npm packages published through over 50 throwaway npm accounts to evade detection and attribution. Wave-2 specifically targeted GraphQL Codegen plugin naming conventions, Wave-3 strategically shifted to Babel plugin names, and Wave-4 focused on import and export utility packages commonly used in JavaScript development workflows. Despite changing domain infrastructure, npm publishing accounts, and package metadata across waves, the malicious payload code remained remarkably consistent with 257 out of 259 lines identical across all waves, confirming single-operator attribution.
The attack infrastructure consistently uses AWS-registered domains containing the word “artifact” in the domain name with no TLS certificates implemented, and the tarball author field consistently reads “JPD” throughout all waves, providing clear attribution and infrastructure fingerprints. At the time of discovery by security researchers, 81 of 88 packages from the most recent waves were still live and available for download on the npm registry, and two of three command-and-control servers remained active and operational, demonstrating the ongoing and immediate nature of this threat.
Once successfully installed on a compromised developer machine or CI/CD environment, the PhantomRaven malware executes comprehensive credential harvesting operations. The malware collects developer email addresses from .gitconfig files, .npmrc configuration files, and environment variables, steals CI/CD authentication tokens from GitHub Actions, GitLab CI, Jenkins, CircleCI, and npm publishing workflows, and gathers detailed system information including IP addresses, hostnames, operating system versions, and Node.js version information to differentiate individual developer machines from corporate build environments and CI/CD infrastructure.
Stolen credential data is exfiltrated using a sophisticated fallback communication chain designed to maximize exfiltration success rates even when primary channels are blocked. The malware first attempts HTTP GET requests, then falls back to HTTP POST requests if GET fails, and finally attempts WebSocket connections as a last resort. The command-and-control infrastructure runs a PHP-based application with a searchable database backend that allows the threat actor to efficiently link victim data across different compromised packages and track individual victims across multiple installations.
The PhantomRaven threat actors employ a technique called “slopsquatting,” which involves registering package names that AI coding assistants and automated development tools are statistically likely to falsely suggest as legitimate packages. This approach exploits common typosquatting patterns, missing scope prefixes in package names, and predictable naming conventions that AI models might generate, thereby increasing the probability that developers will install malicious packages based on automated suggestions rather than manual verification. Claims by some researchers that PhantomRaven might represent legitimate security research have been thoroughly dismissed by the security community, which points to excessive data collection far beyond simple telemetry or check-in signals, complete absence of disclosure in README files or package documentation, and deliberate identity rotation across throwaway accounts designed to evade detection. PhantomRaven remains an active and ongoing threat requiring immediate defensive action from organizations using npm dependencies.
Security teams should immediately review all package.json files across development projects for dependencies specified as HTTP or HTTPS URLs instead of standard semantic version ranges. This is the primary indicator of the PhantomRaven attack technique and represents an immediate red flag requiring investigation. Automated scripts or npm registry proxies can be configured to flag such entries before they reach production environments, preventing initial compromise.
Use the npm install --ignore-scripts command-line flag to prevent automatic execution of preinstall and postinstall lifecycle hooks, which PhantomRaven relies on to trigger its malicious payload silently during the installation process. Review lifecycle scripts manually before enabling them in any project, and enforce this security practice across all CI/CD pipelines and developer workstations through policy and technical controls.
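The two reviews described above (URL-valued dependencies and install-time lifecycle hooks) can be automated; the following is an added example, not code from the advisory or from Endor Labs. It also goes one step further and checks a package-lock.json for packages resolved from hosts outside an allowlist, which covers transitive dependencies; the allowlist, the package name ui-styles-pkg and the host example.invalid are assumptions made for illustration.

```javascript
// Added example. Inputs are already-parsed JSON objects, for instance
// JSON.parse(fs.readFileSync('package.json', 'utf8')) in a CI step.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];
const URL_SPEC = /^https?:\/\//i;

// Flag URL-valued dependency specs and install-time lifecycle hooks in a manifest.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (typeof spec === 'string' && URL_SPEC.test(spec.trim())) {
        findings.push({ kind: 'url-dependency', field, name, spec });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = (manifest.scripts || {})[hook];
    if (cmd) findings.push({ kind: 'install-hook', hook, cmd });
  }
  return findings;
}

// Flag lockfile (v2/v3 "packages" map) entries whose resolved URL points at a
// host outside the allowlist. The default allowlist is an assumption.
function auditLockfile(lock, allowedHosts = ['registry.npmjs.org']) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.resolved || !URL_SPEC.test(entry.resolved)) continue;
    const url = new URL(entry.resolved);
    if (!allowedHosts.includes(url.hostname)) {
      findings.push({ kind: 'off-registry', path, host: url.hostname, plaintext: url.protocol === 'http:' });
    }
  }
  return findings;
}

// Constructed sample inputs (hypothetical package name, placeholder host).
const sampleManifest = {
  name: 'demo', version: '1.0.0',
  scripts: { test: 'node test.js', preinstall: 'node index.js' },
  dependencies: { lodash: '^4.17.21', 'ui-styles-pkg': 'http://packages.example.invalid/npm/ui-styles-pkg' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/lodash': { resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
  'node_modules/ui-styles-pkg': { resolved: 'http://packages.example.invalid/npm/ui-styles-pkg' },
} };

console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

A non-empty result from either function is a reason to block the build and review the entry by hand before any install runs with scripts enabled.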
Never install npm packages based solely on AI-generated suggestions or unverified sources without manual verification. Confirm the package exists under its correct scoped namespace on the official npmjs.com registry, check publisher history and historical download counts for anomalies, and enforce the use of scoped packages using the @org/package-name format in internal projects to significantly reduce slopsquatting and typosquatting risks.
If any suspicious or unverified npm package was recently installed in your development or CI/CD environments, assume credential compromise has occurred and immediately rotate all CI/CD tokens, npm publish tokens, GitHub and GitLab credentials, and Jenkins and CircleCI secrets. Review .gitconfig files, .npmrc configuration files, and environment variables on all potentially affected machines for signs of unauthorized access or credential theft.
Deploy behavioral monitoring capabilities on developer machines and CI/CD runners to detect unexpected outbound network connections during package installation processes. Flag network traffic to unknown AWS-hosted domains, particularly those containing the word “artifact” in the domain name or lacking TLS certificates, as these patterns align with PhantomRaven’s documented infrastructure characteristics and command-and-control communication patterns.
The threat advisory includes comprehensive indicators of compromise associated with the PhantomRaven campaign, including command-and-control URLs, IPv4 addresses of attack infrastructure, malicious domains used for payload hosting, Remote Dynamic Dependency package names used in the attack, and email addresses associated with throwaway npm publishing accounts. Organizations should integrate these indicators into their security monitoring systems, network monitoring tools, and threat intelligence platforms to identify potential PhantomRaven activity within their development environments.
The PhantomRaven attack campaign employs multiple tactics and techniques mapped to the MITRE ATT&CK framework: initial access through supply chain compromise of software dependencies and development tools and exploitation of trusted relationships; execution via malicious file user execution and JavaScript command and scripting interpreters; persistence through event-triggered execution mechanisms; defense evasion through masquerading, obfuscated files and information, and hiding artifacts; credential access by harvesting unsecured credentials in files and stealing application access tokens; discovery of system information and network configuration; automated collection of sensitive data; exfiltration over command-and-control channels and alternative protocols; and command and control using web protocols over application layer protocols with ingress tool transfer capabilities.
The threat advisory references authoritative security research from Endor Labs documenting the return of PhantomRaven operations and providing comprehensive indicators of compromise. This reference provides additional technical depth and analysis for security teams investigating PhantomRaven activity or implementing defensive measures against npm supply chain attacks.