A new supply chain attack dubbed PhantomRaven has flooded the npm registry with malicious packages that steal credentials, tokens, and secrets during installation. The packages appear safe when first downloaded, making them particularly difficult for security apps to identify.
According to researchers at Koi, the campaign has been active since at least August 2025 and involves 126 malicious packages published by multiple accounts. At least 86,000 downloads were recorded before the campaign was exposed this week, and more than 80 of the infected packages were still live at the time of disclosure.
What sets PhantomRaven apart is its use of a new technique the researchers call Remote Dynamic Dependencies (RDD). Unlike typical npm malware, which relies on visible dependencies or post-install scripts, PhantomRaven packages initially appear empty – no dependencies, no suspicious code. But when a user installs them, the package fetches additional code from a remote server controlled by the attacker. The malicious payload is then executed locally, stealing data and exfiltrating it to the attacker’s infrastructure.
This makes the attack extremely difficult to detect using conventional methods. Security tools that rely on static analysis of package metadata or dependency graphs will see nothing out of the ordinary, because the harmful code doesn’t exist in the registry itself. Instead, it’s dynamically retrieved during installation, leaving no obvious trace in the source files.
The stolen information includes npm and GitHub tokens, cloud credentials, SSH keys, and other sensitive environment variables commonly used in development and CI/CD pipelines. Koi said that the exfiltrated data was sent to a domain controlled by the threat actor, which used randomly generated subdomains for each victim to make tracking harder.
Koi’s researchers noted that even experienced developers could be tricked because the packages use innocuous names, and some appear to have been automatically suggested by AI coding tools. The attackers also spread their uploads across multiple npm accounts, using disposable email addresses to avoid easy correlation.
The team found that the packages disguised their true function by including harmless placeholder code, such as a “Hello World” script, to appear benign in the npm registry. Only when installed would they dynamically fetch and execute the real payload, bypassing static security checks entirely.
After analyzing the infrastructure and payloads, Koi said that the attacker’s infrastructure was “surprisingly sloppy,” but that they devised a “clever” method which could be reused by others. The campaign shows how easily malicious actors can abuse trust in public registries and highlights a new blind spot in existing software supply chain defenses.
“PhantomRaven demonstrates how sophisticated attackers are getting at exploiting blind spots in traditional security tooling,” Koi researchers said. Remote Dynamic Dependencies aren’t visible to static analysis. AI hallucinations create plausible-sounding package names that developers trust. And lifecycle scripts execute automatically, without any user interaction.
“These aren’t theoretical vulnerabilities – they’re active exploitation techniques affecting thousands of developers right now.”
PhantomRaven shows that the real danger isn’t always in the code itself, but in what it secretly fetches when you hit install. ®
