
PhantomRaven Campaign: Over 100 Infostealer Packages Uploaded to the npm Registry

Since August 2024, the PhantomRaven campaign has uploaded 126 malicious packages to npm, and together they have been downloaded more than 86,000 times. The campaign was discovered by experts at Koi Security, who report that the attacks leveraged a little-known npm feature that makes it possible to bypass security controls and detection.

It is emphasized that at the time the report was published, about 80 malicious packages were still active.

Experts explain that attackers are using the Remote Dynamic Dependencies (RDD) mechanism. Normally, a developer sees all the dependencies of the package being installed — they are fetched from npm’s trusted infrastructure. However, RDD allows packages to automatically pull code from external URLs, even over an unencrypted HTTP channel. At the same time, the package manifest shows zero dependencies.

When a developer runs npm install, the malicious package silently pulls a payload from an attacker-controlled server and executes it immediately. No user interaction is required, and static analysis tools don’t notice what’s happening.

“PhantomRaven shows how sophisticated attackers can be when exploiting blind spots in traditional defenses. Remote dynamic dependencies are simply invisible to static analysis,” the researchers say.
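A defender-side check for the mechanism described above, as an added example that is not part of the original article or of Koi Security's report: it lists dependencies whose specifier in package.json, or whose `resolved` URL in package-lock.json, points outside the npm registry. It assumes the remote dependency is declared as a URL specifier and that registry.npmjs.org is the only trusted host; the function names, package names and hosts are constructed for illustration.

```javascript
// Added example: list dependencies that npm would fetch from somewhere
// other than the registry. All names and hosts below are constructed.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const TRUSTED_HOSTS = new Set(["registry.npmjs.org"]); // assumption: only the public registry is trusted

// Returns a reason string for a specifier or resolved URL that points outside
// the trusted registry, or null for ordinary specifiers (semver ranges, tags).
// GitHub "user/repo" shorthand is not handled here.
function classifySource(spec) {
  if (typeof spec !== "string") return null;
  if (/^(git(\+\w+)?:\/\/|github:)/i.test(spec)) return "git-source";
  if (!/^https?:\/\//i.test(spec)) return null;
  let url;
  try { url = new URL(spec); } catch { return "malformed-url"; }
  if (url.protocol === "http:") return "plaintext-http";
  return TRUSTED_HOSTS.has(url.hostname) ? null : "external-host";
}

// package.json: inspect every dependency map for URL specifiers.
function auditManifest(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const reason = classifySource(spec);
      if (reason) findings.push({ where: field, name, spec, reason });
    }
  }
  return findings;
}

// package-lock.json (lockfileVersion 2 or 3): inspect each entry's "resolved" URL.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const reason = classifySource(entry.resolved);
    if (reason) findings.push({ where: "lockfile", name: path, spec: entry.resolved, reason });
  }
  return findings;
}

// Constructed sample input.
const sampleManifest = { name: "constructed-sample", version: "1.0.0", dependencies: {
  "left-helper": "^2.1.0", "ui-styles-pkg": "http://packages.example.invalid/npm/ui-styles-pkg" } };
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "constructed-sample" },
  "node_modules/left-helper": { resolved: "https://registry.npmjs.org/left-helper/-/left-helper-2.1.0.tgz" },
  "node_modules/ui-styles-pkg": { resolved: "https://cdn.example.invalid/ui-styles-pkg.tgz" } } };

console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

The check reports only where a dependency is fetched from; whatever the remote server returns at install time is not inspected.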

It is noted that the malware is downloaded from the server with each package installation rather than being cached. This opens the door to targeted attacks: attackers can check the requesting IP address and send harmless code to security researchers, serve malicious code to corporate networks, and deliver specialized payloads for cloud environments.

After infection, the malware meticulously collects information about the victim’s system:

  • environment variables containing configurations for the developer’s internal systems;
  • tokens and credentials for npm, GitHub Actions, GitLab, Jenkins, and CircleCI;
  • the entire CI/CD environment through which code changes from various developers pass.

Stolen tokens can be used for supply chain attacks and to inject malicious code into legitimate projects. Data exfiltration is implemented with redundancy, using three methods at once: HTTP GET with data in the URL, HTTP POST with JSON, and WebSocket connections.

Researchers report that many malicious packages masquerade as GitLab and Apache tools.

Slopsquatting, that is, the exploitation of AI hallucinations, plays a separate role in this campaign. Developers often ask LLM assistants which packages are best to use for a given project, and AI models often invent non-existent yet plausible-sounding names. PhantomRaven operators track such hallucinations and register packages with those names. As a result, victims end up installing the malware themselves by following LLM recommendations.

LLM developers still don’t understand the exact causes of these hallucinations and don’t know how to build models that prevent them — and attackers are taking advantage of that.

Researchers caution against relying on LLMs when choosing dependencies and urge developers to carefully verify package names and their sources, installing only packages from trusted vendors.
