The Return of PhantomRaven: New Waves of npm Supply Chain Attacks
Last year, something quietly crept through thousands of CI/CD pipelines. No alarms went off and no builds failed. It simply installed itself and stayed hidden.
The npm supply chain attack known as PhantomRaven, first discovered by Koi Security in October 2025, is back. Nearly 200 malicious packages have already been identified in the 2026 waves of npm malware.

What is PhantomRaven?
PhantomRaven is an npm supply chain campaign that steals developer credentials and other secrets from CI/CD systems. What makes it dangerous is not technical complexity but how hard it is to detect.
Its main tactic is Remote Dynamic Dependencies (RDD). Instead of placing the malicious code inside the published npm package, as typical malware does, the attacker points an entry in the dependencies section of package.json at an external tarball (.tgz) over a plain HTTP URL. When a developer or a CI job runs npm install, npm fetches that tarball from the attacker's server, and its preinstall hook executes the payload.
The malicious code is therefore never stored in the npm registry. The registry holds only a harmless "Hello World" placeholder, while the real payload is fetched at install time. Static analysis tools and the Software Bill of Materials (SBOM) tools commonly used for npm (an SBOM is the inventory of every software component and dependency in a project) examine what is in the registry, so they miss it. What does remain visible is the URL itself: it sits in the package's own package.json dependencies and, after an install, in the lockfile's resolved fields, which is where a scan can still catch it.
New Waves: What has Changed?
| Wave | Timeline | Targeted Packages | Key Fact |
|---|---|---|---|
| 1 | Aug 2025 | General utility packages | 86,000+ downloads |
| 2 | Nov 2025 | GraphQL Codegen plugins | Started 6 days after exposure |
| 3 | Late 2025 | Babel plugins | Targeted modern JS pipelines |
| 4 | Early 2026 | Zod & import/export utilities | Used AI-style fake package names |
Attackers changed their infrastructure (new domains, new accounts) at every stage. But when researchers compared the code across waves, a telling fact emerged: across this large set of malicious npm packages, 257 of 259 lines of code were unchanged. As the saying goes, every thief leaves some evidence. The attacker changed the outward appearance but left the same fingerprint behind, which allowed researchers to attribute every wave to the same individual or group.
A newer face of this campaign is slopsquatting. Slopsquatting is a supply chain technique in which attackers register package names that match the packages AI coding assistants tend to hallucinate. In PhantomRaven, the names were chosen so that a developer who saw them suggested by an assistant such as GitHub Copilot or ChatGPT would take them at face value, which raises the odds of accidental installation. Developers who install packages on an AI assistant's say-so, without checking the registry, are the ones most likely to fall for it.
What are They Stealing?
- Once PhantomRaven runs, it begins a broad hunt for secrets, with CI/CD credentials as the main prize.
- Primary targets are GitHub Actions tokens, GitLab CI tokens, Jenkins and CircleCI tokens, and npm publishing credentials.
- In many organizations these tokens grant direct access to production systems, so stealing them is not just data theft but a foothold for larger follow-on attacks.
- It also harvests developer email addresses from .gitconfig and .npmrc files, along with the machine's IP address, OS version, and Node.js version.
- Those details help the attacker tell a developer laptop from a company build server.
- The captured data is exfiltrated through several channels in turn: first an HTTP GET request, then a POST, and finally a WebSocket connection.
- That fallback chain helps the traffic get past strict corporate egress filters and lets the attacker maintain a queryable database of victims.
A Note Of Caution
Later, the incident took a new turn. The person who created these packages contacted Endor Labs and claimed the work was security research: the data had been collected to convince authorities of weaknesses in supply chain security, and the intent was not malicious. Endor Labs also stated that it has no evidence the collected secrets were used for anything else.
But for the teams affected by this attack, that explanation means little.
Nothing in the packages indicated an experiment or research: no README, no warning. The author also rotated through several accounts across four stages and collected far more information than a genuine experiment would need.
Whether it was research or not matters less than the effect. This was a serious security threat, and any team that installed these packages handed its credentials to someone it does not know.
Because of the Remote Dynamic Dependency, the author could have swapped the code from a research beacon to a destructive script at any moment, without leaving a trace in the registry.
Why Should Testers Take This Seriously
- QA teams and CI/CD pipelines operate in exactly the territory PhantomRaven targets.
- Automated JavaScript test suites pull in many npm packages, such as Babel transforms and GraphQL tooling, the same families the attack waves impersonated.
- Nobody inspects each dependency in detail before running it, and attackers exploit that gap.
- Bypassing static analysis is a serious concern for QA security: most companies assume that if automated checks mark a package safe, it is safe. PhantomRaven breaks that assumption.
- If malware can run silently during npm install, other threats can slip in during automated tests just as easily.
- Token theft in GitLab CI and GitHub Actions hits the testing infrastructure directly, because test jobs carry those tokens.
- A compromised test pipeline can lead to the compromise of staging, pre-production, and even production environments.
Do you use any security measures against such npm attacks in your projects? Or do incidents like this prompt new precautions?
Some Precautions
- Check before installing: verify the publisher and the package's history, and watch for slopsquatting names.
- Use `npm ci` in CI/CD: it installs exactly what the lockfile records and fails if package.json and the lockfile disagree, which is safer than `npm install`. Note that `npm ci` still fetches whatever URL the lockfile records and still runs lifecycle scripts, so pair it with the next two items.
- Disable unnecessary scripts: run installs with `--ignore-scripts` (or set `ignore-scripts=true` in .npmrc) to block preinstall and postinstall scripts, then run `npm rebuild <package>` only for the few packages that genuinely need a build step.
- Watch network traffic: monitor what installs connect to and alert on unknown or plain-HTTP hosts such as `jpartifacts.com`, anything that is not your registry.
- Rotate tokens regularly: prefer short-lived credentials or OpenID Connect (OIDC) wherever possible, so a stolen token expires quickly.
- Maintain Software Bill of Materials (SBOM) files: they make an unexpected external dependency visible.
- Don't blindly trust AI suggestions: confirm that a package exists, and is the one you expect, in the official npm registry before installing it.
Looking Ahead
PhantomRaven is not technically advanced, but it clearly exposes the security blind spots in modern build pipelines. Today, pipelines are trusted the most but tested the least.
When tokens get stolen during normal package installation, teams often notice it only after a major incident. For QA teams running builds across multiple environments, this risk becomes even bigger.
Instead of asking, “Are we using these packages?”, the better question is, “Can we detect if we are using them?”
If CI/CD pipelines are part of your testing infrastructure, they need the same level of security checks as application code. That is where real improvement begins.
To reduce risks in test automation pipelines and adopt more reliable AI-driven testing approaches, AI-based test automation platforms like testRigor can help.