Hidden npm Malware Exposes New Supply Chain Weakness

Koi Security researchers discovered a malware campaign, dubbed PhantomRaven, that has compromised over 86,000 npm package downloads, harvesting credentials and secrets from developers worldwide. 

The researchers stated the attack hides “… the malicious code in dependencies hidden from the dependency analysis that most security tools rely on.”

AI and Automation Fuel New Supply Chain Risks

The attack underscores growing risks to the open-source ecosystem, where automated tools and AI-assisted coding are becoming standard practice. 

Developers rely on dependency scanning to validate npm packages before use, but PhantomRaven bypassed these safeguards entirely. 

By exploiting obscure npm functionality and developer trust in AI-generated package names, attackers were able to distribute malicious code undetected for months.

This campaign demonstrates that traditional dependency audits and static analysis cannot fully protect software supply chains. 

PhantomRaven’s approach allows threat actors to control what code executes on a victim’s machine during installation, even when the reviewed package appears clean.

A Clean Package with a Dirty Secret

The malicious packages appeared harmless — often simply “Hello, world!” scripts with no visible dependencies. 

The real payload resided in what Koi researchers called Remote Dynamic Dependencies (RDD). These are hidden HTTP-based references that fetched malicious code from attacker-controlled servers during installation.

When a developer ran npm install, the package manager retrieved the invisible dependency from an external URL.

Because npm and most security scanners do not follow HTTP URLs, these dependencies escaped detection.

Every installation fetched a fresh payload from the attacker’s server, enabling tailored code delivery based on the installer’s IP address or environment.

For example, attackers could deploy harmless code to security researchers while serving credential-stealing malware to corporate networks.

From Install to Data Theft

PhantomRaven’s success hinged on npm’s built-in lifecycle scripts. 

The malicious dependency contained a preinstall hook — “preinstall”: “node index.js” — that executed automatically without user consent. This meant even deeply nested dependencies could trigger execution as part of a normal installation process.

Once active, the malware systematically harvested data from the developer’s system including:

• Email addresses from .gitconfig, .npmrc, and environment variables.
• CI/CD credentials, including GitHub Actions tokens, GitLab CI keys, Jenkins, CircleCI, and npm publishing tokens.
• System fingerprinting data, such as IP addresses, hostnames, OS details, and usernames.

The exfiltrated data was redundantly transmitted via HTTP GET, HTTP POST, and WebSocket connections, ensuring delivery even under network restrictions.

The Rise of Slopsquatting Attacks

Beyond the stealthy delivery mechanism, PhantomRaven introduced a novel social-engineering tactic called slopsquatting — a twist on traditional typosquatting. 

Instead of mimicking existing package names, attackers registered plausible-sounding names that AI assistants like GitHub Copilot or ChatGPT might hallucinate on.

Examples include:

• eslint-comments instead of the legitimate eslint-plugin-eslint-comments
• unused-imports instead of eslint-plugin-unused-imports
• Transform-react-remove-prop-types instead of babel-plugin-transform-react-remove-prop-types

When AI suggested these nonexistent packages to developers, users unknowingly installed the malicious versions — demonstrating how artificial intelligence can unintentionally amplify supply-chain risks.

Lock Down Your Development Pipeline

Defending against software supply chain threats like PhantomRaven requires tightening control over dependencies, build environments, and developer practices. The following mitigations outline practical steps to reduce risk and strengthen code integrity.

• Restrict unverified dependencies: Block external URLs and audit dependencies for unauthorized links.
• Enforce reproducible builds: Lock versions and prevent dynamic fetching during installation.
• Isolate build environments: Sandbox installations and restrict outbound network access.
• Monitor behavior and network activity: Detect abnormal installs, network calls, or script execution.
• Apply least privilege: Limit CI/CD tokens, environment variables, and developer permissions.
• Promote developer vigilance: Verify package sources, remove unused dependencies, and watch for AI-suggested names.

By securing dependencies and isolating builds, organizations can close critical gaps and enhance overall cyber resilience.

The New Era of Supply Chain Threats

PhantomRaven highlights the evolution of software-supply-chain threats — from typosquatting and credential theft to dynamic, adaptive malware delivery using AI-influenced vectors. 

As generative AI becomes a routine development tool, attackers are increasingly exploiting trust in machine-suggested content.

PhantomRaven serves as a warning that static defenses are no longer enough. Continuous behavioral monitoring, dependency isolation, and AI-aware code-review processes must become standard security practices.

As threats like PhantomRaven grow more sophisticated, strengthening software supply chain security is no longer optional — it’s essential.