{"id":15950,"date":"2026-03-12T11:46:00","date_gmt":"2026-03-12T11:46:00","guid":{"rendered":"https:\/\/newestek.com\/?p=15950"},"modified":"2026-03-12T11:46:00","modified_gmt":"2026-03-12T11:46:00","slug":"phantomraven-returns-to-npm-with-88-bad-packages","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15950","title":{"rendered":"PhantomRaven returns to npm with 88 bad packages"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Last year\u2019s \u201cPhantomRaven\u201d supply-chain <a href=\"https:\/\/www.csoonline.com\/article\/4082195\/malicious-packages-in-npm-evade-dependency-detection-through-invisible-url-links-report.html\" target=\"_blank\">campaign<\/a> is back, with security researchers uncovering 88 new malicious packages in what they describe as the second, third, and fourth waves of the operation.<\/p>\n<p>According to Endor Labs\u2019 findings, the newly discovered packages were published between November 2025 and February 2026, with 81 of them still available on npm along with two active command-and-control (C2) servers.<\/p>\n<p>\u201cPhantomRaven is a software supply chain attack that uses Remote Dynamic Dependencies (RDD) to hide credential-stealing malware in non-registry dependencies that bypass standard security scanning,\u201d the researchers said in a blog <a href=\"https:\/\/www.endorlabs.com\/learn\/return-of-phantomraven\" target=\"_blank\" rel=\"noreferrer noopener\">post<\/a>. 
\u201cThe first wave, affecting 126+ packages with over 86,000 downloads, was first described by Koi Security in October 2025.\u201d<\/p>\n<p>The evolution of the campaign was tracked by correlating infrastructure indicators, code similarities, and attacker operational patterns, the blog noted. However, in an update to the blog, Endor Labs said the packages were alleged to be part of a legitimate research experiment, a claim it disputes, citing operational irregularities.<\/p>\n<h2 class=\"wp-block-heading\">Dependency trick hides the malware<\/h2>\n<p>RDD allows malicious code to be delivered outside the package itself. Instead of embedding the malware directly in the npm package, attackers specify an HTTP URL dependency in the package\u2019s \u201cpackage.json\u201d file.<\/p>\n<p>When a developer runs \u201cnpm install,\u201d npm automatically retrieves the dependency from the attacker-controlled server. The package hosted on npm appears harmless, often containing little more than a basic script, while the actual malicious payload is downloaded in parallel during the installation process.<\/p>\n<p>Once executed, the malware gathers a range of sensitive information from the developer\u2019s environment. This includes email addresses, system details, and credentials from CI\/CD platforms such as GitHub Actions, GitLab CI, Jenkins, and CircleCI.<\/p>\n<p>The stolen data is then transmitted to attacker-controlled servers using multiple redundant techniques, including HTTP GET and POST requests, and even WebSocket connections, ensuring exfiltration across different network environments. 
Because the malicious code never appears directly in the npm package itself, traditional scanning tools that focus on package contents fail to flag it.<\/p>\n<h2 class=\"wp-block-heading\">Operational patterns challenge \u201cresearch experiment\u201d claim<\/h2>\n<p>Despite the new waves, PhantomRaven\u2019s core functionality has remained largely unchanged, the researchers said. They found that 257 out of 259 lines of the malware payload are identical across all waves, with the only significant modification being the command-and-control domain used to receive stolen data.<\/p>\n<p>Instead, the attacker focused on operational changes designed to stay ahead of takedowns. These include rotating npm accounts, modifying package descriptions and metadata, and registering new domains with similar naming patterns such as \u201cstoreartifact,\u201d \u201cjpartifacts,\u201d and \u201cartifactsnpm.\u201d<\/p>\n<p>Additionally, the campaign employed <a href=\"https:\/\/www.csoonline.com\/article\/3961304\/ai-hallucinations-lead-to-new-cyber-threat-slopsquatting.html\">slopsquatting<\/a> to publish packages mimicking Babel plugins, GraphQL tooling, ESLint presets, and other widely used development utilities.<\/p>\n<p>Endor Labs\u2019 blog post was later updated to reflect claims that the packages were part of a legitimate research experiment intended to study malicious package detection. \u201cAllegedly, the packages have been produced by a security researcher known in the community,\u201d the update read. \u201cHowever, several characteristics strongly support classifying these packages as malware rather than legitimate research artifacts.\u201d<\/p>\n<p>Endor Labs\u2019 grounds for disputing the claim included the presence of active command-and-control servers, credential-harvesting routines targeting developer environments, and active data exfiltration mechanisms. 
\u201cIn addition, the packages provide no indication whatsoever that they are part of a research experiment \u2014 neither in a README nor through console messages or package metadata \u2014 leaving affected users without any transparency,\u201d the researchers said.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15950","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"]}