Evolution Technology Group

PhantomRaven: npm Malware Infects 126 Packages and Harvests Credentials

In late October, security researchers at Koi Security identified the ‘PhantomRaven’ malware campaign that has compromised 126 npm packages, with over 86,000 downloads. The attacker injects invisible dependencies into legitimate packages, allowing it to stealthily harvest npm access tokens, GitHub credentials, and CI/CD secrets from developers worldwide. Despite its clever delivery, the infrastructure was described as “surprisingly sloppy,” enabling investigators to trace the operation to a single individual. At least 80 infected packages remained active at the time of the report. The incident underscores the importance of strict dependency verification, routine package audits, and continuous monitoring of development credentials to mitigate supply‑chain attacks.

Key Takeaways for Developers:

- Conduct thorough vetting of third‑party npm packages.
- Enable two‑factor authentication on npm and GitHub accounts.
- Use automated tools (npm audit, Snyk) to detect hidden or malicious dependencies.
- Regularly rotate and monitor tokens and secrets used in CI/CD pipelines.
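
One way to act on the takeaway about detecting hidden dependencies, as an added example that is not from the original article or from Koi Security: list every dependency in a parsed package.json or package-lock.json (v2/v3) that resolves from somewhere other than the npm registry, since such packages are fetched from a host the registry does not control. The function names, the allowed registry URL and the sample manifests are assumptions constructed for illustration.

```javascript
// Added example: flag dependencies npm would fetch from outside the registry.
// ALLOWED_REGISTRY and both sample objects are assumptions, not values from the article.
const ALLOWED_REGISTRY = "https://registry.npmjs.org/";
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Classify a package.json dependency specifier by where npm resolves it from.
function classifySpec(spec) {
  if (/^https?:\/\//i.test(spec)) return "remote-tarball-url";
  if (/^(git(\+[a-z]+)?:|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return "git";
  if (/^(file:|link:|\.{0,2}\/|~\/)/.test(spec)) return "local-path";
  if (/^npm:/.test(spec)) return "alias"; // registry, but installs under a different name
  if (/^[\w.-]+\/[\w.-]+(#.+)?$/.test(spec)) return "github-shorthand";
  return "registry"; // semver range or dist-tag
}

// Direct dependencies: report every specifier that is not a plain registry range.
function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(String(spec));
      if (kind !== "registry") findings.push({ source: field, name, spec, kind });
    }
  }
  return findings;
}

// Full tree (including transitive packages): check each lockfile entry's "resolved" URL.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || entry.link || entry.inBundle) continue; // root, symlink, bundled
    const resolved = typeof entry.resolved === "string" ? entry.resolved : "(none)";
    if (!resolved.startsWith(ALLOWED_REGISTRY)) findings.push({ source: "lockfile", name: path, spec: resolved, kind: "non-registry-resolved" });
  }
  return findings;
}

// Constructed sample inputs (not taken from any real package).
const samplePkg = {
  dependencies: { "left-pad": "^1.3.0", "ui-helpers": "http://packages.example.invalid/ui-helpers.tgz" },
  devDependencies: { "lint-rules": "git+https://git.example.invalid/team/lint-rules.git" },
};
const sampleLock = { packages: {
  "": { name: "demo" },
  "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz", integrity: "sha512-CONSTRUCTED" },
  "node_modules/ui-helpers": { resolved: "http://packages.example.invalid/ui-helpers.tgz" },
} };
console.log(auditManifest(samplePkg).concat(auditLockfile(sampleLock)));
```

To use it on a real project, pass in the result of `JSON.parse` on the project's package.json and package-lock.json, and set `ALLOWED_REGISTRY` to a private registry URL if one is in use.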