
PhantomRaven npm credential-stealing malware activity

Malware Activity
Happening score: 42
1 unique source, 1 article

Summary


The PhantomRaven npm malware activity is actively stealing npm tokens, GitHub credentials, and CI/CD secrets, putting developers worldwide at immediate risk of account takeover and pipeline abuse. The operation has infected 126 npm packages and recorded 20,000 downloads, showing meaningful reach. At least 80 packages were still active when the report was published on October 29. The malware uses Remote Dynamic Dependencies (RDD) to fetch payloads at install time and abuses slopsquatting to lure developers into installing fake packages.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

GlassWorm supply-chain malware activity

Malware Activity
First: 27.05.2026 14:48 Last: 27.05.2026 14:48 Sources 1

About this happening: The **GlassWorm** malware activity is now under a coordinated **C2 disruption**, reducing its ability to deliver new instructions and payloads to infected developer systems. The o...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Timeline

  1. 29.10.2025 16:00 2 articles · 7mo ago

    Koi Security discovers PhantomRaven npm credential harvesting campaign

    Initial Disclosure

    Koi Security uncovered PhantomRaven, an ongoing npm credential harvesting campaign affecting developers worldwide that has operated since August 2025, infected 126 npm packages, and stolen npm tokens, GitHub credentials, and CI/CD secrets. At least 80 infected packages were still active when the report was published on October 29, and the malware used Remote Dynamic Dependencies to fetch payloads at install time while package names exploited AI slopsquatting.
