PhantomRaven Campaign Exploits AI Package Suggestions to Get into Developer Systems

The PhantomRaven campaign weaponized AI-generated package names to distribute malicious npm modules, stealing developer credentials and CI/CD tokens in a stealthy software supply chain attack.

    A large-scale campaign known as PhantomRaven has been uncovered targeting software developers through malicious npm packages designed to steal authentication tokens, CI/CD secrets, and GitHub credentials. Security researchers warn that this campaign could have serious implications for the integrity of global software supply chains.

    The operation, first identified in August by Koi Security, deployed 126 malicious npm packages that collectively amassed over 86,000 downloads before detection. Many of these packages impersonated legitimate tools, including well-known development utilities from GitLab and Apache, in an attempt to appear trustworthy.

    AI “Slopsquatting” Enables Malicious npm Packages

    Investigators found that the attackers leveraged a new social-engineering tactic known as “slopsquatting,” which exploits the growing use of AI tools for software development. When developers ask large language models (LLMs) like ChatGPT or Copilot to suggest package names, the AI may hallucinate — creating realistic but nonexistent packages. Attackers then quickly register those fake names with malicious content.

    This manipulation of AI-generated recommendations allows cybercriminals to distribute harmful code through what appears to be legitimate, developer-endorsed libraries.

    “PhantomRaven demonstrates how AI hallucinations can be transformed into high-impact software supply chain threats,” said researchers at Koi Security.

    Remote Dynamic Dependencies Used to Deliver Payloads

    The malicious npm packages used an advanced Remote Dynamic Dependencies (RDD) mechanism to conceal and deploy payloads. Although they appeared to have no dependencies, they automatically fetched and executed malicious code from remote servers during installation, requiring no user interaction.

    Once triggered, the payload profiled the victim’s system and searched environment variables for sensitive information. Stolen data included:

    • npm authentication tokens
    • GitHub Actions secrets
    • GitLab and Jenkins credentials
    • CircleCI tokens
    • Developer email addresses and machine fingerprints

    These credentials could enable attackers to inject malicious code into trusted projects, manipulate build pipelines, and propagate compromised software through legitimate channels — a tactic increasingly seen in software supply chain intrusions.

    “The campaign’s focus on CI/CD credentials marks a dangerous escalation, potentially enabling attackers to compromise downstream projects,” warned Koi Security analysts.

    Stealth and Persistence Through Runtime Execution

    PhantomRaven’s reliance on remote payloads helped it evade detection for months. Since the malicious components are retrieved and executed only at runtime, static code analysis tools were unable to identify them.

    Koi Security confirmed that some of the malicious packages remained online for weeks after disclosure, underscoring the difficulty of maintaining security in large open-source ecosystems like npm.

    Defensive Measures for Developers

    Experts recommend that developers:

    • Install packages only from verified maintainers and official repositories.
    • Avoid relying on AI-generated package suggestions without cross-checking authenticity.
    • Use security auditing tools like npm audit and dependency scanners to flag new or suspicious packages.
    • Immediately rotate access tokens and API keys if exposed.
    • Monitor build pipelines and CI/CD environments for unauthorized commits or modifications.
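
A manifest check for the remote-dependency pattern described above, as an added example (not code from Koi Security or the original article). It assumes remote dependencies are declared as URL or git specifiers in package.json, which npm supports, and that install-time execution goes through npm's preinstall/install/postinstall lifecycle scripts; the package names and the example.invalid host are constructed.

```javascript
// Added example: flag package.json entries that pull code from outside the
// npm registry or run commands at install time. Run over each manifest in review.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];
// Specifiers npm resolves from a URL or git host instead of the registry.
const REMOTE_SPEC = /^(https?:|git(\+(https?|ssh|file))?:|github:|gitlab:|bitbucket:|gist:)/i;
// GitHub shorthand "user/repo" (optionally "#ref"), also fetched off-registry.
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.+)?$/;

function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (typeof spec !== "string") continue;
      if (REMOTE_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec)) {
        // Plain http:// is reported separately: no transport integrity at all.
        const kind = /^http:/i.test(spec) ? "remote-dependency-cleartext" : "remote-dependency";
        findings.push({ kind, field, name, detail: spec });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    const cmd = manifest.scripts && manifest.scripts[hook];
    if (typeof cmd === "string") {
      findings.push({ kind: "install-script", field: "scripts", name: hook, detail: cmd });
    }
  }
  return findings;
}

// Constructed sample: one off-registry dependency plus an install hook.
const SAMPLE_SUSPICIOUS = {
  name: "example-helper-pkg",
  version: "1.0.0",
  scripts: { preinstall: "node index.js" },
  dependencies: { "example-remote-dep": "http://packages.example.invalid/npm/example-remote-dep" },
};
// Constructed sample: registry-only version ranges, no install hooks.
const SAMPLE_CLEAN = {
  name: "example-app",
  version: "2.3.1",
  scripts: { test: "node test.js" },
  dependencies: { "example-lib": "^1.3.0", "@example/tool": "~4.0.0" },
};

console.log(auditManifest(SAMPLE_SUSPICIOUS));
console.log(auditManifest(SAMPLE_CLEAN));
```

A finding is a prompt for review rather than proof of compromise, since URL dependencies and install scripts also have legitimate uses.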

    The researchers published Indicators of Compromise (IoCs) and a list of all malicious packages associated with PhantomRaven to help organizations identify potential infections.
