PhantomRaven exploits npm packages to steal GitHub tokens and CI/CD secrets, Koi Security says.
The campaign began in August 2025 and has been linked to 126 malicious npm packages that use remote dynamic dependencies to deliver payloads, according to Koi Security. Koi Security report.
The attack works by publishing small libraries whose metadata instructs npm to fetch a dependency from an attacker-controlled HTTP host rather than from the npm registry. DCODX flagged several of the packages and published indicators.
It’s the off-registry fetch — known as a remote dynamic dependency (RDD) — combined with install-time lifecycle scripts (for example, preinstall) that creates the blind spot: many static scanners and dependency tools do not fetch or inspect remotely hosted payloads before they run.
The malicious payloads observed scan developer environments for email addresses and CI/CD metadata, fingerprint the system (including public IP), search for credentials such as GitHub tokens or environment variables, and exfiltrate collected data to attacker-controlled endpoints.
The packages flagged in early reporting include op-cli-installer, unused-imports, badgekit-api-client, polyfill-corejs3, and eslint-comments — a set the researchers estimated at roughly 86,000 installs combined. For context on registry manipulation and name confusion, see our primer on Understanding Package Registry Flooding.
Further, the attacker-controlled URL lets operators vary payloads dynamically: a remote resource can initially return harmless code and later serve malicious content after a package gains adoption.
Because many developers now accept AI-generated package suggestions, attackers have exploited name confusion (slopsquatting) by registering plausible, AI‑hallucinated names that appear legitimate to automated or human consumers. See related coverage on AI and supply-chain threats in AI Escalates Supply Chain Attacks, Overwhelming Traditional Defenses.
So far, the technical reporting and indicators come from Koi Security and DCODX; contemporaneous coverage is available for verification here.
Because credentials and automation secrets are common targets for follow-on attacks, organizations should treat exposed tokens as compromised and rotate them promptly. Recommended mitigations include blocking or monitoring unexpected outbound requests from CI and developer workstations, restricting token scopes, validating lockfiles, and favoring packages from verified publishers.
“PhantomRaven demonstrates how sophisticated attackers are getting better at exploiting blind spots in traditional security tooling,” Koi Security researchers wrote.