Full Report
New attack waves from the 'PhantomRaven' supply-chain campaign are hitting the npm registry, with dozens of malicious packages that exfiltrate sensitive data from JavaScript developers. [...]
Analysis Summary
# Threat Actor: PhantomRaven
## Attribution & Identity
* **Actor Name:** PhantomRaven
* **Identification:** An ongoing supply-chain threat actor first identified by Koi researchers in October 2025.
* **Aliases:** None officially designated, though often associated with "slopsquatting" activities.
* **Status:** Active/Ongoing.
## Activity Summary
PhantomRaven has conducted at least four distinct waves of attacks on the npm registry between August 2025 and February 2026.
* **First Wave (Aug - Oct 2025):** 126 malicious packages identified.
* **Recent Waves (Nov 2025 - Feb 2026):** Three additional waves released 88 packages via 50 disposable accounts.
* **Current State:** As of March 2026, 81 packages remain active on the registry. The actor has increased the frequency of publication, recently hitting a tempo of four packages per day.
## Tactics, Techniques & Procedures
* **Slopsquatting:** Using package names that appear to be generated by Large Language Models (LLMs) or mimic reputable projects (e.g., Babel, GraphQL Codegen) to trick developers into installing them via copy-paste errors or AI-generated suggestions.
* **Remote Dynamic Dependencies (RDD):** An evasion technique where `package.json` specifies a dependency sourced from an external URL rather than the npm registry. This bypasses static analysis by automated security scanners.
* **Data Exfiltration:** Uses HTTP GET (primary), HTTP POST, and WebSockets (redundancy) to send stolen data to C2.
* **Operational Security:** Frequent rotation of npm accounts and email addresses; modification of PHP endpoints to maintain persistence despite infrastructure identification.
### MITRE ATT&CK Mapping
* **T1195.001:** Supply Chain Compromise: Compromise Software Dependencies and Development Tools
* **T1059.007:** Command and Scripting Interpreter: JavaScript
* **T1539:** Steal Web Session Cookie (targeting .npmrc and environment variables)
* **T1082:** System Information Discovery
* **T1041:** Exfiltration Over C2 Channel
## Targeting
* **Sectors:** Technology, Software Development, DevSecOps.
* **Geography:** Global (targeting the npm registry ecosystem).
* **Victims:** JavaScript developers, CI/CD pipelines, and engineers utilizing automated coding assistants (AI/LLMs).
## Tools & Infrastructure
* **Malware:** A consistent JavaScript-based payload (259 lines of code) designed for fingerprinting and credential theft.
* **Data Targeted:**
    * CI/CD Tokens (GitHub, GitLab, Jenkins, CircleCI).
    * Configuration files: `.gitconfig`, `.npmrc`.
    * Environment variables.
    * System info: Hostname, IP, OS, Node version.
* **Infrastructure:**
    * Hosting: Amazon EC2.
    * Naming Convention: Domains typically contain the keyword "artifact".
    * Security: Infrastructure notably lacks TLS certificates.
    * C2: hxxp[://]artifact-server[.]example (Note: Article implies patterns rather than specific static IPs).
## Implications
PhantomRaven demonstrates that "low-sophistication" attacks can remain highly effective and persistent. By leveraging the industry's shift toward AI-assisted coding and the inherent trust in package managers, the actor has successfully bypassed automated defenses for over six months. The focus on CI/CD tokens suggests a strategic objective to move laterally into broader corporate environments or conduct more significant downstream supply-chain attacks.
## Mitigations
* **Package Verification:** Manually verify the legitimacy of npm packages and publishers before installation.
* **AI Hygiene:** Avoid direct copy-pasting of code or dependency suggestions from LLMs/AI chatbots without vetting the underlying package sources.
* **Registry Monitoring:** Implement tools that can detect "Remote Dynamic Dependencies" or unusual external network requests during `npm install`.
* **Secret Management:** Use short-lived tokens for CI/CD environments and avoid storing high-privilege credentials in plaintext configuration files.
* **Egress Filtering:** Restrict build environments from making outbound requests to unvetted domains, particularly those lacking TLS.
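
One way to implement the Remote Dynamic Dependency check from the Registry Monitoring item, as an added example that is not part of the report or any vendor's tooling. It flags manifest specs and lockfile `resolved` entries that point outside the registry; the trusted host list, package names and the `pkgs.untrusted.example` host are assumptions constructed for illustration.

```javascript
// Added example, not from the report: flag dependencies that resolve outside the npm registry.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']); // assumption: only the public registry is trusted

// Returns null for ordinary registry specs (semver ranges, tags, npm: aliases, local paths).
function classifySpec(spec) {
  if (/^http:\/\//i.test(spec)) return 'url-plaintext-http';
  if (/^https:\/\//i.test(spec)) return 'url-https';
  if (/^(git(\+(ssh|https?|file))?:\/\/|git@|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return 'git';
  if (/^[a-z\d][\w.-]*\/[\w.-]+(#.+)?$/i.test(spec)) return 'git'; // "user/repo" GitHub shorthand
  return null;
}

// Scan a parsed package.json for URL- or git-sourced dependencies.
function findRemoteDeps(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(String(spec).trim());
      if (kind) findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Scan a parsed package-lock.json (lockfileVersion 2/3), whose `resolved` fields record tarball sources.
function findOffRegistryResolved(lock, allowed = ALLOWED_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!entry.resolved) continue;
    let url; try { url = new URL(entry.resolved); } catch { continue; }
    if (url.protocol === 'file:') continue; // local path, nothing fetched remotely
    if (url.protocol !== 'https:' || !allowed.has(url.hostname)) {
      findings.push({ path, resolved: entry.resolved, host: url.hostname });
    }
  }
  return findings;
}

// Constructed sample input (hypothetical package names and host).
const sampleManifest = {
  dependencies: { 'left-pad': '^1.3.0', 'example-helper': 'http://pkgs.untrusted.example/example-helper.tgz' },
  devDependencies: { 'example-tool': 'example-org/example-tool#v1' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/left-pad': { resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
  'node_modules/example-helper': { resolved: 'http://pkgs.untrusted.example/example-helper.tgz' },
} };
console.log(findRemoteDeps(sampleManifest), findOffRegistryResolved(sampleLock));
```

In a pipeline, pass the `JSON.parse` output of `package.json` and `package-lock.json` to these functions and fail the build on any finding; organizations using a private registry would add its host to `ALLOWED_HOSTS`.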