Find notable cyber news and cases, enriched with sources, timelines, and signals.

PhantomRaven npm credential-stealing malware activity

Malware Activity
First reported
Last updated
Happening score
H score 37
1 unique sources, 1 articles

Summary

Hide ▲

The PhantomRaven npm malware activity is actively stealing npm tokens, GitHub credentials, and CI/CD secrets, putting developers worldwide at immediate risk of account takeover and pipeline abuse. The operation has infected 126 npm packages and recorded 20,000 downloads, showing meaningful reach. At least 80 packages were still active when the report was published on October 29. The malware uses Remote Dynamic Dependencies (RDD) to fetch payloads at install time and abuses slopsquatting to lure developers into installing fake packages.

Related Happenings

Sapphire Sleet Mastra npm supply-chain campaign

Campaign
H score42 First: 20.06.2026 17:09 Last: 20.06.2026 17:09 Sources 1

About this happening: The **Mastra AI** supply-chain campaign was attributed to **Sapphire Sleet / BlueNoroff** after **Microsoft** said the operation compromised the **npm maintainer account "ehindero...

Easy-day-js Mastra package-publishing campaign

Campaign
H score30 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: The **easy-day-js** campaign mass-published more than **140 malicious npm packages** across the **@mastra/*** namespace, creating broad supply-chain exposure for developers and bu...

Mastra @mastra/* npm packages hit by network compromise

Incident
H score47 First: 17.06.2026 10:38 Last: 17.06.2026 10:38 Sources 1

About this happening: **Mastra** @mastra/* npm packages were **compromised** in a **software supply chain attack** that spread through the namespace on **2026-06-17**. Microsoft now attributes the acti...

Latest development: 20.06.2026 17:09

Microsoft attributed the Mastra AI supply chain attack to Sapphire Sleet, also known as BlueNoroff, and said the attackers compromised the npm maintainer account ehindero, which had publishing privileges across the Mastra package environment. The June 19 update said more than 140 packages in the @mastra scope were modified to inject easy-day-js.

Miasma supply-chain malware activity

Malware Activity
H score34 First: 10.06.2026 23:27 Last: 10.06.2026 23:27 Sources 1

About this happening: The **Miasma** malware activity is enabling **supply-chain compromise** by stealing **build environment** and **cloud credentials**, then using them to poison legitimate packages...

GitHub npm v12 hardens install-time dependency execution and source resolution

Security Tool/Service
H score11 First: 10.06.2026 22:41 Last: 10.06.2026 22:41 Sources 1

About this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...

Timeline

  1. 29.10.2025 16:00 2 articles · 8mo ago

    Koi Security discovers PhantomRaven npm credential harvesting campaign

    Initial Disclosure

    Koi Security uncovered PhantomRaven, an ongoing npm credential harvesting campaign affecting developers worldwide that has operated since August 2025, infected 126 npm packages, and stolen npm tokens, GitHub credentials, and CI/CD secrets. At least 80 infected packages were still active when the report was published on October 29, and the malware used Remote Dynamic Dependencies to fetch payloads at install time while package names exploited AI slopsquatting.

    Show sources