PhantomRaven npm credential-stealing malware activity
Malware Activity
Summary
Hide ▲
Show ▼
The PhantomRaven npm malware activity is actively stealing npm tokens, GitHub credentials, and CI/CD secrets, putting developers worldwide at immediate risk of account takeover and pipeline abuse. The operation has infected 126 npm packages and recorded 20,000 downloads, showing meaningful reach. At least 80 packages were still active when the report was published on October 29. The malware uses Remote Dynamic Dependencies (RDD) to fetch payloads at install time and abuses slopsquatting to lure developers into installing fake packages.
Related Happenings
Sapphire Sleet Mastra npm supply-chain campaign
Campaign
H score42
First: 20.06.2026 17:09
Last: 20.06.2026 17:09
Sources 1
About this happening:
The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Sapphire Sleet Mastra npm supply-chain campaign
CampaignAbout this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...
Easy-day-js Mastra package-publishing campaign
Campaign
H score30
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Easy-day-js Mastra package-publishing campaign
CampaignAbout this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...
Mastra @mastra/* npm packages hit by network compromise
Incident
H score47
First: 17.06.2026 10:38
Last: 17.06.2026 10:38
Sources 1
About this happening:
**Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Mastra @mastra/* npm packages hit by network compromise
IncidentAbout this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...
Latest development: 20.06.2026 17:09
Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.
Miasma supply-chain malware activity
Malware Activity
H score34
First: 10.06.2026 23:27
Last: 10.06.2026 23:27
Sources 1
About this happening:
The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
Miasma supply-chain malware activity
Malware ActivityAbout this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/Service
H score11
First: 10.06.2026 22:41
Last: 10.06.2026 22:41
Sources 1
About this happening:
**GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/ServiceAbout this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
Timeline
-
29.10.2025 16:00 2 articles · 8mo ago
Koi Security discovers PhantomRaven npm credential harvesting campaign
Initial DisclosureKoi Security uncovered PhantomRaven, an ongoing npm credential harvesting campaign affecting developers worldwide that has operated since August 2025, infected 126 npm packages, and stolen npm tokens, GitHub credentials, and CI/CD secrets. At least 80 infected packages were still active when the report was published on October 29, and the malware used Remote Dynamic Dependencies to fetch payloads at install time while package names exploited AI slopsquatting.
Show sources
- Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00
- Npm Malware Uses Invisible Dependencies to Infect Dozens of Packages — www.infosecurity-magazine.com — 29.10.2025 16:00