PhantomRaven Malware Campaign Resurfaces, Targeting npm Supply Chain with Credential Theft
A large-scale malware campaign, PhantomRaven, has resurfaced, targeting the npm software supply chain in an ongoing effort to steal developer credentials. Security researchers at Endor Labs identified 88 new malicious npm packages linked to the campaign, distributed across three waves between November 2025 and February 2026.
Despite prior disclosures, 81 of the 88 packages remained available in the npm registry at the time of analysis, with two command-and-control (C2) servers still operational. The campaign, first detected in October 2025 by Koi Security, initially compromised 126 npm packages, which collectively amassed over 86,000 downloads before detection.
PhantomRaven employs Remote Dynamic Dependencies (RDD), a technique that hides malicious code in external dependencies fetched dynamically at install time, which lets it bypass traditional security scans. Once an infected package is installed, it silently loads the payload, which harvests API keys, authentication tokens, environment variables, and other sensitive developer data.
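The defender's counterpart to the RDD technique described above is to look, before installing, for dependencies that are declared as a location to fetch rather than as a registry version. The following scanner is an added example written for this article; it is not code from the article, from Endor Labs or from Koi Security, and the sample manifest, the `.invalid` hostnames and the default allowed-host list are constructed assumptions. It flags HTTP(S) tarball URLs, git URLs and hosted-git shorthands in a package.json, which are exactly the specifier shapes npm resolves by fetching from outside the registry at install time.

```javascript
// Added example (not from the article or the vendors it cites): scan an npm
// package.json manifest for dependencies resolved from a remote location
// instead of a registry version range. npm fetches such dependencies at
// install time, so tooling that only inspects registry metadata never sees
// them; that install-time fetch is what the article calls Remote Dynamic
// Dependencies (RDD).

const DEP_FIELDS = [
  'dependencies',
  'devDependencies',
  'optionalDependencies',
  'peerDependencies',
];

// Specifier shapes that npm resolves by fetching from a location rather than
// by looking up a version in the configured registry.
const REMOTE_PATTERNS = [
  { kind: 'http-tarball', re: /^https?:\/\//i },
  { kind: 'git-url', re: /^git(\+[a-z]+)?:\/\//i },
  { kind: 'hosted-git', re: /^(github|gitlab|bitbucket|gist):/i },
  { kind: 'github-shorthand', re: /^[\w.-]+\/[\w.-]+(#[^\s]*)?$/ },
];

// Best-effort hostname extraction; shorthand forms have no parseable URL.
function hostOf(spec) {
  try {
    return new URL(spec.replace(/^git\+/i, '')).hostname || null;
  } catch {
    return null;
  }
}

// Returns one finding per dependency fetched from outside the registry.
// Tarballs served by a host in `allowedHosts` (assumed default: the public
// npm registry) are skipped so a registry tarball URL is not reported.
function findRemoteDependencies(manifest, allowedHosts = ['registry.npmjs.org']) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, rawSpec] of Object.entries(deps)) {
      if (typeof rawSpec !== 'string') continue;
      const spec = rawSpec.trim();
      const match = REMOTE_PATTERNS.find((p) => p.re.test(spec));
      if (!match) continue;
      const host = hostOf(spec);
      if (host && allowedHosts.includes(host.toLowerCase())) continue;
      findings.push({ field, name, spec, kind: match.kind, host });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real package): one registry dependency
// and two remote ones, using reserved .invalid hostnames.
const SAMPLE_MANIFEST = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    lodash: '^4.17.21',
    'helper-lib': 'http://packages.example.invalid/npm/helper-lib.tgz',
  },
  devDependencies: {
    'build-tool': 'git+https://git.example.invalid/build-tool.git#v1',
  },
};

// Run directly: node scan.js path/to/package.json (defaults to the sample).
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const manifest = process.argv[2]
    ? JSON.parse(fs.readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_MANIFEST;
  console.log(JSON.stringify(findRemoteDependencies(manifest), null, 2));
}
```

This catches the specifier shape, not the payload: a finding means "npm will fetch this from somewhere other than the registry at install time", which is the point at which a reviewer should stop and inspect. Run it over the manifests of transitive dependencies as well (or over the `resolved` fields of the lockfile), since the article's point is that the fetch happens inside a dependency, not in the package you chose to install.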
The threat actors behind PhantomRaven have adapted their tactics to evade detection, including:
- Frequent rotation of C2 servers to obscure data exfiltration.
- Altered PHP endpoint names and modified npm package descriptions to appear legitimate.
- New dependency names to mask remote payloads.
- Over 50 disposable npm accounts used to publish malicious packages.
The campaign’s evolution since its initial discovery is divided into three waves:
- Wave 2 (late 2025): Early expansion post-discovery.
- Wave 3 (late 2025): Infrastructure changes and new publisher accounts.
- Wave 4 (early 2026): Continued use of RDD with refined evasion tactics.
While operational details shifted across waves, the core malware payload remained unchanged, focusing on credential theft. Supply chain attacks like PhantomRaven exploit developer trust in open-source packages, risking exposure of build environments, cloud credentials, and internal repositories. The campaign underscores the persistent threat posed by evolving software supply chain attacks.
Source: https://gbhackers.com/phantomraven-malware/
npm, Inc. cybersecurity rating report: https://www.rankiteo.com/company/npm-inc-
{
  "id": "NPM1773210454",
  "linkid": "npm-inc-",
  "type": "Cyber Attack",
  "date": "11/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "customers_affected": "Developers and organizations using compromised npm packages",
      "industry": "Technology/Software Development",
      "location": "Global",
      "name": "npm Registry",
      "size": "Large",
      "type": "Software Package Registry"
    }
  ],
  "attack_vector": "Malicious npm Packages",
  "data_breach": {
    "data_exfiltration": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Credentials, API keys, authentication tokens, environment variables"
  },
  "date_detected": "2025-10-01",
  "date_publicly_disclosed": "2026-02-01",
  "description": "A large-scale malware campaign, PhantomRaven, has resurfaced, targeting the npm software supply chain in an ongoing effort to steal developer credentials. Security researchers at Endor Labs identified 88 new malicious npm packages linked to the campaign, distributed across three waves between November 2025 and February 2026. The campaign employs Remote Dynamic Dependencies (RDD) to conceal malicious code in external dependencies, harvesting API keys, authentication tokens, environment variables, and other sensitive developer data.",
  "impact": {
    "data_compromised": "API keys, authentication tokens, environment variables, sensitive developer data",
    "identity_theft_risk": "High",
    "operational_impact": "Exposure of build environments and internal systems",
    "systems_affected": "npm software supply chain, developer environments, cloud credentials, internal repositories"
  },
  "initial_access_broker": {
    "backdoors_established": "Remote Dynamic Dependencies (RDD)",
    "entry_point": "Malicious npm packages",
    "high_value_targets": "Developer credentials, cloud environments"
  },
  "investigation_status": "Ongoing",
  "lessons_learned": "Supply chain attacks exploit developer trust in open-source packages, requiring enhanced scrutiny of dependencies and dynamic code loading.",
  "motivation": "Credential Theft",
  "post_incident_analysis": {
    "corrective_actions": "Enhanced monitoring of npm packages, stricter dependency vetting, and improved detection of dynamic code loading",
    "root_causes": "Exploitation of trust in open-source packages, use of Remote Dynamic Dependencies to evade detection"
  },
  "recommendations": "Implement stricter vetting of npm packages, monitor for Remote Dynamic Dependencies, and enhance detection of credential theft attempts.",
  "references": [
    { "source": "Endor Labs" },
    { "source": "Koi Security" }
  ],
  "response": {
    "third_party_assistance": "Endor Labs, Koi Security"
  },
  "threat_actor": "PhantomRaven",
  "title": "PhantomRaven Malware Campaign Resurfaces, Targeting npm Supply Chain with Credential Theft",
  "type": "Supply Chain Attack",
  "vulnerability_exploited": "Remote Dynamic Dependencies (RDD)"
}