Find notable cyber news and cases, enriched with sources, timelines, and signals.

PhantomRaven npm supply-chain campaign

Campaign
First reported
Last updated
Happening score
H score 16
2 unique sources, 2 articles

Summary

Hide ▲

PhantomRaven is an active npm supply-chain campaign that began in August 2025 and has grown to 126 npm libraries with more than 86,000 installs. The packages hide malicious code behind a custom HTTP URL to packages.storeartifact[.]com, which lets npm fetch Remote Dynamic Dependencies (RDD) outside npmjs[.]com and bypass static scanners. The payload uses a pre-install hook to scan developer systems and exfiltrate authentication tokens, CI/CD secrets, and GitHub credentials. The campaign continues to target developers and their build environments through package names designed to look legitimate.

Related Happenings

GitHub API enumeration campaign targeting corporate organizations

Campaign
H score17 First: 09.07.2026 21:38 Last: 09.07.2026 21:38 Sources 1

About this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Npm v12 default-blocks install scripts, Git dependencies, and remote URLs

Security Tool/Service
H score11 First: 12.06.2026 16:00 Last: 12.06.2026 16:00 Sources 1

About this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...

GitHub npm v12 hardens install-time dependency execution and source resolution

Security Tool/Service
H score11 First: 10.06.2026 22:41 Last: 10.06.2026 22:41 Sources 1

About this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...

Hades Bun-powered JavaScript stealer on PyPI

Malware Activity
H score34 First: 09.06.2026 12:13 Last: 09.06.2026 12:13 Sources 1

About this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...

Timeline

  1. 11.03.2026 19:09 2 articles · 4mo ago

    PhantomRaven npm supply-chain campaign

    Initial Disclosure

    The campaign surfaced in **August 2025** with malicious npm packages published under names designed to look like legitimate projects. The early phase established the core package-publishing pattern that later waves reused and expanded.

    Show sources
  2. 30.10.2025 12:16 1 articles · 8mo ago

    PhantomRaven npm packages use remote dependencies to steal developer credentials

    Technical Analysis Update

    Koi Security uncovered PhantomRaven, an active npm supply-chain campaign that hides malicious code behind a custom HTTP URL to packages.storeartifact[.]com, causing npm to fetch remote dynamic dependencies outside npmjs[.]com and bypass static scanners. The packages use pre-install hooks to execute a main payload that scans developer environments for email addresses, gathers CI/CD environment details, collects system fingerprints including the public IP address, and exfiltrates authentication tokens, CI/CD secrets, and GitHub credentials. The operation had grown to 126 npm libraries with more than 86,000 installs, and the package naming strategy was linked to slopsquatting.

    Show sources