PhantomRaven Attack Involves 126 Malicious npm Packages

Source: Cyber Security News

The PhantomRaven malware campaign began in August 2025 and has been using malicious npm packages to harvest sensitive developer data. Koi analysts identified the campaign in October 2025 after monitoring suspicious activity linked to package installations. Initially, 21 malicious packages were flagged and removed, but the attackers went on to deploy 80 more packages, using advanced evasion tactics that bypassed traditional security measures.

PhantomRaven hides its malicious payloads with a method known as Remote Dynamic Dependencies: the packages use HTTP URLs as dependency specifiers instead of traditional npm registry references. As a result, the malicious code is not visible during package review, and developers unknowingly execute the malware upon installation. The attack is notable for its technical sophistication among supply chain attacks, and it exposes weaknesses in how developers trust package repositories and dependency management.
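A review-time check for the pattern described above, as an added example (not code from the original article or from Koi): it flags dependency specifiers in a parsed package.json, and `resolved` entries in a parsed package-lock.json, that point to an HTTP(S) URL outside the registry. The package names, URLs and trusted-host list are constructed assumptions.

```javascript
// Added example: flag npm dependencies that are fetched from an HTTP(S) URL
// instead of the registry. All package names and URLs below are constructed.
const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const TRUSTED_REGISTRY_HOSTS = new Set(["registry.npmjs.org"]); // assumption: add private registries here

// A specifier such as "http://host/pkg.tgz" makes npm download that URL at install time.
function isRemoteUrlSpec(spec) {
  return typeof spec === "string" && /^https?:\/\//i.test(spec.trim());
}

// Scan a parsed package.json for URL specifiers in every dependency section.
function scanManifest(manifest) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (isRemoteUrlSpec(spec)) {
        findings.push({ section, name, spec, plaintext: /^http:/i.test(spec.trim()) });
      }
    }
  }
  return findings;
}

// Scan a parsed package-lock.json (lockfileVersion 2/3) for entries whose
// "resolved" URL points outside the trusted registry hosts.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!isRemoteUrlSpec(entry.resolved)) continue; // root entry has no "resolved"
    let host;
    try { host = new URL(entry.resolved).hostname; } catch { host = "(unparseable)"; }
    if (!TRUSTED_REGISTRY_HOSTS.has(host)) findings.push({ path, resolved: entry.resolved, host });
  }
  return findings;
}

// Constructed sample input.
const sampleManifest = {
  name: "demo-app",
  dependencies: { "left-pad": "^1.3.0", "ui-helper": "http://packages.example.test/ui-helper.tgz" },
  devDependencies: { "lint-kit": "https://cdn.example.test/lint-kit-1.0.0.tgz" },
};
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/left-pad": { version: "1.3.0", resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  "node_modules/ui-helper": { version: "1.0.0", resolved: "http://packages.example.test/ui-helper.tgz" },
} };
console.log(scanManifest(sampleManifest), scanLockfile(sampleLock));
```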
