PhantomRaven Supply-Chain Attack Infects npm Ecosystem

Koi Security has discovered a massive supply-chain attack called PhantomRaven, which has infected the npm ecosystem with 126 malicious packages downloaded over 86,000 times. The campaign, active since August 2025, steals npm authentication tokens, GitHub credentials, and CI/CD secrets by concealing malicious code in dependencies. The attackers used Remote Dynamic Dependencies (RDD) to bypass security scanners, making the packages appear harmless. The malware executed automatically during installation, performing aggressive reconnaissance and exfiltration. Koi Security noted the use of AI-driven slopsquatting to create plausible-sounding package names, tricking developers into trusting malicious packages.

Latest mentioned: 10-31

Earliest mentioned: 10-29

Sources

securityonline.info thehackernews.com bleepingcomputer.com theregister.com infosecurity-magazine.com gbhackers.com

Also Read

Sophisticated Malware Targets WordPress E-commerce Sites

The Wordfence Threat Intelligence Team has discovered a complex malware campaign targeting WordPress e-commerce sites using the WooCommerce plugin. The malware, disguised as a rogue plugin, employs advanced encryption, fake images, and remote command access for persistent exploitation. It logs user credentials, establishes backdoors, and injects JavaScript skimmers into checkout pages to steal credit card data. The campaign is attributed to Magecart Group 12, known for their persistent credit card skimming activities.

10-31Read more →