"Cybersecurity researchers have uncovered yet another active software supply chain attack campaign targeting the npm registry with over 100 malicious packages that can steal authentication tokens, CI/CD secrets, and GitHub credentials from developers' machines. The campaign has been codenamed PhantomRaven by Koi Security. The activity is assessed to have begun in August 2025, when the first packages were uploaded to the repository. It has since ballooned to a total of 126 npm libraries, attracting more than 86,000 installs."
"What makes the attack stand out is the attacker's pattern of hiding the malicious code in dependencies by pointing to a custom HTTP URL, causing npm to fetch them from an untrusted website (in this case, "packages.storeartifact[.]com") as opposed to npmjs[.]com each time a package is installed. "And npmjs[.]com doesn't follow those URLs," security researcher Oren Yomtov laid out in a report shared with The Hacker News. "Security scanners don't fetch them. Dependency analysis tools ignore them. To every automated security system, these packages show '0 Dependencies.'""
A large supply-chain campaign named PhantomRaven has deployed 126 malicious npm packages with over 86,000 installs that exfiltrate authentication tokens, CI/CD secrets, and GitHub credentials. The attacker hides malicious code by pointing package dependencies to a custom HTTP URL that causes npm to fetch code from an attacker-controlled host (packages.storeartifact[.]com) instead of npmjs[.]com. Security scanners and dependency analysis tools typically do not follow those external URLs, making the packages appear to have zero dependencies. The attacker-controlled URL allows tailored payloads and staged malicious updates that activate after packages gain adoption, and installation triggers a remote dynamic dependency retrieval and execution.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]