PhantomRaven npm supply-chain campaign
Campaign
Summary
PhantomRaven is an active npm supply-chain campaign that began in August 2025 and has grown to 126 npm libraries with more than 86,000 installs. The packages hide malicious code behind a custom HTTP URL to packages.storeartifact[.]com, which lets npm fetch Remote Dynamic Dependencies (RDD) outside npmjs[.]com and bypass static scanners. The payload uses a pre-install hook to scan developer systems and exfiltrate authentication tokens, CI/CD secrets, and GitHub credentials. The campaign continues to target developers and their build environments through package names designed to look legitimate.
Related Happenings
TrapDoor cross-ecosystem supply-chain campaign
Campaign
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Shai-Hulud supply-chain campaign spreading via stolen CI/CD credentials
Campaign
First: 12.05.2026 14:29
Last: 12.05.2026 14:29
Sources 1
About this happening:
The **Shai-Hulud** **supply-chain campaign** remains active across **npm**, **PyPI**, and **Composer**, with the latest reporting tying **TeamPCP** to both a claimed **GitHub inte...
Timeline
- 11.03.2026 19:09 · 2 articles · 2mo ago
PhantomRaven npm supply-chain campaign
Initial Disclosure: The campaign surfaced in **August 2025** with malicious npm packages published under names designed to look like legitimate projects. The early phase established the core package-publishing pattern that later waves reused and expanded.
Sources:
- New PhantomRaven NPM attack wave steals dev data via 88 packages — www.bleepingcomputer.com — 11.03.2026 19:09
- 30.10.2025 12:16 · 1 article · 6mo ago
PhantomRaven npm packages use remote dependencies to steal developer credentials
Technical Analysis Update: Koi Security uncovered PhantomRaven, an active npm supply-chain campaign that hides malicious code behind a custom HTTP URL to packages.storeartifact[.]com, causing npm to fetch remote dynamic dependencies outside npmjs[.]com and bypass static scanners. The packages use pre-install hooks to execute a main payload that scans developer environments for email addresses, gathers CI/CD environment details, collects system fingerprints including the public IP address, and exfiltrates authentication tokens, CI/CD secrets, and GitHub credentials. The operation had grown to 126 npm libraries with more than 86,000 installs, and the package naming strategy was linked to slopsquatting.
Sources:
- PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16
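
A defensive check for the pattern described in the technical analysis above, as an added example that is not code from Koi Security or the cited articles: it flags dependencies declared or resolved through an HTTP(S) URL outside an allowlisted registry host, and any install-time lifecycle hooks. The host `packages.example.test`, the package names and the single-host allowlist are constructed assumptions.

```javascript
// Added example (not from the page): flag URL-based dependencies and install hooks.
// Assumption: only the public registry is trusted; add private registry hosts as needed.
const ALLOWED_HOSTS = new Set(['registry.npmjs.org']);
const HOOKS = ['preinstall', 'install', 'postinstall'];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Hostname of an http(s) dependency spec, or null for semver ranges, tags, etc.
function remoteHost(spec) {
  if (typeof spec !== 'string' || !/^https?:\/\//i.test(spec)) return null;
  try { return new URL(spec).hostname.toLowerCase(); } catch { return '<unparseable>'; }
}

// package.json: dependencies fetched by URL instead of by registry name, plus hooks.
function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const host = remoteHost(spec);
      if (host && !ALLOWED_HOSTS.has(host)) findings.push({ kind: 'url-dependency', name, host });
    }
  }
  for (const hook of HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) findings.push({ kind: 'install-hook', name: hook });
  }
  return findings;
}

// package-lock.json (lockfileVersion 2/3): where each package was actually fetched from.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const host = remoteHost(entry.resolved);
    if (host && !ALLOWED_HOSTS.has(host)) findings.push({ kind: 'off-registry', name: path, host });
    if (entry.hasInstallScript) findings.push({ kind: 'install-hook', name: path });
  }
  return findings;
}

// Constructed sample input; the host and package names are placeholders.
const sampleManifest = {
  scripts: { preinstall: 'node index.js' },
  dependencies: { 'left-pad': '^1.3.0', 'demo-remote-dep': 'http://packages.example.test/npm/demo-remote-dep' },
};
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app' },
  'node_modules/left-pad': { resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
  'node_modules/demo-remote-dep': { resolved: 'http://packages.example.test/npm/demo-remote-dep', hasInstallScript: true },
} };
console.log(JSON.stringify([...auditManifest(sampleManifest), ...auditLockfile(sampleLock)], null, 2));
```

Installing with `npm ci --ignore-scripts` keeps lifecycle hooks from running while findings like these are reviewed.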