PhantomRaven npm credential-stealing malware activity

Malware Activity
H score 42
1 unique sources, 1 articles

Summary

The PhantomRaven npm malware activity is actively stealing npm tokens, GitHub credentials, and CI/CD secrets, putting developers worldwide at immediate risk of account takeover and pipeline abuse. The operation has infected 126 npm packages and recorded 20,000 downloads, showing meaningful reach. At least 80 packages were still active when the report was published on October 29. The malware uses Remote Dynamic Dependencies (RDD) to fetch payloads at install time and abuses slopsquatting to lure developers into installing fake packages.

Related Happenings

Miasma GitHub and npm supply-chain campaign

Campaign
First: 02.06.2026 00:38 Last: 02.06.2026 00:38 Sources 1

About this happening: A **Miasma** supply-chain campaign has spread through **GitHub** and **npm** abuse, compromising **309 GitHub repositories** and widening the risk of credential theft across devel...

Red Hat npm Namespace Hijacked in Supply Chain Attack

Incident
First: 01.06.2026 20:40 Last: 01.06.2026 20:40 Sources 1

About this happening: **Red Hat's** official npm namespace was hijacked in a **supply chain attack** that republished **32 packages** in the **@redhat-cloud-services** scope on **June 1**; the maliciou...

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
First: 29.05.2026 12:11 Last: 29.05.2026 12:11 Sources 1

About this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

Latest development: 29.05.2026 11:10

mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.

Timeline

  1. 29.10.2025 16:00 2 articles · 7mo ago

    Koi Security discovers PhantomRaven npm credential harvesting campaign

    Initial Disclosure

    Koi Security uncovered PhantomRaven, an ongoing npm credential harvesting campaign affecting developers worldwide that has operated since August 2025, infected 126 npm packages, and stolen npm tokens, GitHub credentials, and CI/CD secrets. At least 80 infected packages were still active when the report was published on October 29, and the malware used Remote Dynamic Dependencies to fetch payloads at install time while package names exploited AI slopsquatting.
