PhantomRaven npm supply-chain campaign
Campaign
Summary
Hide ▲
Show ▼
PhantomRaven is an active npm supply-chain campaign that began in August 2025 and has grown to 126 npm libraries with more than 86,000 installs. The packages hide malicious code behind a custom HTTP URL to packages.storeartifact[.]com, which lets npm fetch Remote Dynamic Dependencies (RDD) outside npmjs[.]com and bypass static scanners. The payload uses a pre-install hook to scan developer systems and exfiltrate authentication tokens, CI/CD secrets, and GitHub credentials. The campaign continues to target developers and their build environments through package names designed to look legitimate.
Related Happenings
GitHub API enumeration campaign targeting corporate organizations
Campaign
H score17
First: 09.07.2026 21:38
Last: 09.07.2026 21:38
Sources 1
About this happening:
A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
GitHub API enumeration campaign targeting corporate organizations
CampaignAbout this happening: A **GitHub API reconnaissance campaign** is systematically mapping **corporate organizations**, repositories, and user accounts across multiple companies, expanding the risk of fo...
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/Service
H score11
First: 12.06.2026 16:00
Last: 12.06.2026 16:00
Sources 1
About this happening:
GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
Npm v12 default-blocks install scripts, Git dependencies, and remote URLs
Security Tool/ServiceAbout this happening: GitHub announced **npm v12** with **default-blocking install scripts, Git dependencies, and remote URLs**, shifting package installation to **explicit opt-in** and reducing **supp...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/Service
H score11
First: 10.06.2026 22:41
Last: 10.06.2026 22:41
Sources 1
About this happening:
**GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
GitHub npm v12 hardens install-time dependency execution and source resolution
Security Tool/ServiceAbout this happening: **GitHub** is tightening **npm v12** next month by blocking automatic dependency install scripts and non-registry sources, reducing supply-chain attack paths triggered by **npm in...
Hades Bun-powered JavaScript stealer on PyPI
Malware Activity
H score34
First: 09.06.2026 12:13
Last: 09.06.2026 12:13
Sources 1
About this happening:
A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Hades Bun-powered JavaScript stealer on PyPI
Malware ActivityAbout this happening: A new **Hades** PyPI malware wave uses a **Python startup hook** to launch a **Bun-powered JavaScript stealer**, putting developer and CI/CD credentials at risk. The payload can h...
Timeline
-
11.03.2026 19:09 2 articles · 4mo ago
PhantomRaven npm supply-chain campaign
Initial DisclosureThe campaign surfaced in **August 2025** with malicious npm packages published under names designed to look like legitimate projects. The early phase established the core package-publishing pattern that later waves reused and expanded.
Show sources
- New PhantomRaven NPM attack wave steals dev data via 88 packages — www.bleepingcomputer.com — 11.03.2026 19:09
- New PhantomRaven NPM attack wave steals dev data via 88 packages — www.bleepingcomputer.com — 11.03.2026 19:09
-
30.10.2025 12:16 1 articles · 8mo ago
PhantomRaven npm packages use remote dependencies to steal developer credentials
Technical Analysis UpdateKoi Security uncovered PhantomRaven, an active npm supply-chain campaign that hides malicious code behind a custom HTTP URL to packages.storeartifact[.]com, causing npm to fetch remote dynamic dependencies outside npmjs[.]com and bypass static scanners. The packages use pre-install hooks to execute a main payload that scans developer environments for email addresses, gathers CI/CD environment details, collects system fingerprints including the public IP address, and exfiltrates authentication tokens, CI/CD secrets, and GitHub credentials. The operation had grown to 126 npm libraries with more than 86,000 installs, and the package naming strategy was linked to slopsquatting.
Show sources
- PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs — thehackernews.com — 30.10.2025 12:16