Malicious packages overwhelm NPM with over 86,000 downloads

Security firm Koi has uncovered a campaign called PhantomRaven that has flooded the NPM registry with 126 malicious packages since August. The packages, downloaded more than 86,000 times, abuse an NPM feature that lets a package declare a dependency as a URL on any site, so the code it pulls in never passes through the registry's vetting. As of late October 2025, about 80 of the packages were still available.

Attackers have abused a legitimate feature of the NPM package repository, uploading over 100 credential-stealing packages since August 2025, according to Koi, a security firm. The campaign, tracked as PhantomRaven, used what Koi calls NPM's Remote Dynamic Dependencies (RDD) to distribute 126 malicious packages. Instead of naming a registry version, a package.json entry can point at a URL; at install time NPM fetches a tarball from that URL, including plain, unencrypted HTTP sites, and runs the install scripts it contains, so the code never passes through the registry's scanning.

"PhantomRaven demonstrates how sophisticated attackers are getting [better] at exploiting blind spots in traditional security tooling," wrote Oren Yomtov of Koi. "Remote Dynamic Dependencies aren't visible to static analysis." Standard dependencies are listed by name and version and are served from NPM's own infrastructure, where scanners can see them; a URL dependency pulls "invisible" code from wherever the URL points, and tooling that only reads registry metadata misses it. The malicious packages appeared to have "0 Dependencies" yet fetched harmful ones from attacker-controlled URLs, such as http://packages.storeartifact.com/npm/unused-imports.

These dependencies are downloaded fresh on each installation, with no registry caching or version history, which opens the door to targeted attacks. The attacker's server can tailor the payload to the requesting IP address, serving benign code to researchers and malware to corporate networks, or hold back the malicious behavior for a while to evade detection. A project lockfile does record the resolved URL and an integrity hash, so a later change to the served tarball would fail a locked install, but nothing protects the first install, and the attacker chooses what to serve then. The stolen data includes environment variables; GitHub, Jenkins, and NPM credentials; and details from continuous integration and delivery environments. Exfiltration is redundant, using more than one channel: HTTP requests (including JSON-bodied POSTs) and WebSockets.
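The check a practitioner would want after reading the two paragraphs above is a scan of package.json and package-lock.json for exactly this pattern: dependency specs that resolve to a URL instead of the registry, lockfile entries resolved from a non-registry host or lacking an integrity hash, and lifecycle scripts that would run code at install time. The following Node.js script is an added example, not code from Koi's post or from NPM; the sample manifest and lockfile are constructed (the package name and integrity value are made up; the hostname is the one quoted in the article).

```javascript
// Added example: audit a package.json and a lockfileVersion 2/3 package-lock.json
// for dependencies NPM would fetch from outside the registry. Constructed sample
// data follows the functions; none of it is real project data.

const REGISTRY_HOST = 'registry.npmjs.org';
const DEP_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// A dependency value is "remote" when NPM resolves it from an arbitrary host:
// an http/https tarball URL, a git URL, or a hosted-git shorthand.
function isRemoteSpec(spec) {
  if (typeof spec !== 'string') return false;
  const s = spec.trim();
  return (
    /^https?:\/\//i.test(s) ||                      // tarball URL, including plain http
    /^git(\+[a-z]+)?:\/\//i.test(s) ||              // git://, git+https://, git+ssh://
    /^(github|gitlab|bitbucket|gist):/i.test(s) ||  // hosted shorthand with a prefix
    /^[\w.-]+\/[\w.-]+(#\S*)?$/.test(s)             // bare "owner/repo[#ref]" shorthand
  );
}

// One finding per remote dependency spec in the manifest, plus one per
// lifecycle hook that would execute a command during installation.
function auditManifest(pkg) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (isRemoteSpec(spec)) {
        findings.push({
          kind: 'remote-dependency',
          section,
          name,
          spec,
          // Plain HTTP: anyone on the path can swap the tarball as well.
          plaintext: /^http:\/\//i.test(spec.trim()),
        });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && pkg.scripts[hook]) {
      findings.push({ kind: 'install-script', hook, command: pkg.scripts[hook] });
    }
  }
  return findings;
}

// One finding per lockfile entry resolved from a host other than the registry,
// and one per entry without an integrity hash (so a changed tarball would pass).
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // the root project entry
    let host = null;
    if (entry.resolved) {
      try { host = new URL(entry.resolved).host; } catch (_) { host = null; }
    }
    if (host !== REGISTRY_HOST) {
      findings.push({ kind: 'non-registry-resolved', path, resolved: entry.resolved || null });
    }
    if (!entry.integrity) {
      findings.push({ kind: 'missing-integrity', path });
    }
  }
  return findings;
}

// Constructed sample manifest: the registry page of such a package would show
// no dependencies, but the manifest pulls a tarball over plain HTTP.
const SAMPLE_MANIFEST = {
  name: 'sample-lint-helper', // made-up name
  version: '1.0.0',
  dependencies: {
    'unused-imports': 'http://packages.storeartifact.com/npm/unused-imports',
    lodash: '^4.17.21',
  },
  scripts: { preinstall: 'node setup.js' },
};

// Constructed sample lockfile; the integrity value is a placeholder, not a real hash.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-lint-helper', version: '1.0.0' },
    'node_modules/lodash': {
      version: '4.17.21',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz',
      integrity: 'sha512-PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx==',
    },
    'node_modules/unused-imports': {
      version: '1.0.0',
      resolved: 'http://packages.storeartifact.com/npm/unused-imports',
    },
  },
};

console.log(auditManifest(SAMPLE_MANIFEST));
console.log(auditLockfile(SAMPLE_LOCKFILE));
```

Run against a real project by replacing the constructed objects with `JSON.parse` of the project's package.json and package-lock.json. Treat any remote-dependency or non-registry-resolved finding as something to review by hand, and consider installing with `npm ci --ignore-scripts` in CI so a URL dependency cannot run an install hook even if it slips through.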

Many of the package names mimic names that AI chatbots "hallucinate" when asked for dependency suggestions, preying on developers who install whatever a chatbot recommends. NPM representatives did not respond to inquiries about the practice. Koi's post lists indicators of compromise that can be used to check systems for the packages.
