NPM Malware Campaign Exploits Invisible Dependencies, Compromising 86,000+ Downloads

Image by Glen Carrie on Unsplash

A sneaky malware campaign called PhantomRaven has quietly slid more than 100 malicious packages into NPM, and the scary part is—most developers never saw it coming.


If you’ve installed packages from NPM since August, there’s a small but real chance your system might be compromised. Security firm Koi just uncovered that attackers have published at least 126 malicious packages to the repository, and over 86,000 downloads have already happened.

Here’s what makes this story unnerving: the attackers didn’t use standard techniques. They used an obscure and under-monitored feature of NPM called Remote Dynamic Dependencies (RDD), and they exploited it like pros.

What Are Remote Dynamic Dependencies?

Remote Dynamic Dependencies (RDD) are a feature in NPM that allows a package to reach out to external, often untrusted, websites to download additional code during installation. Unlike traditional dependencies, which are listed up front and pulled from NPM’s own servers, these RDDs fly under the radar. No versioning, no caching, no visibility.

To developers, it looks like the package has “0 Dependencies.”

But behind the scenes, code from places like http://packages.storeartifact.com/npm/unused-imports is quietly getting pulled and executed.

Image by Florian Gagnepain on Unsplash


How PhantomRaven Hid in Plain Sight

Koi’s security team named this campaign PhantomRaven, and it’s as subtle as its name suggests. The attackers published packages using RDDs to grab malicious scripts from external servers. This allowed them to:

  • Stay invisible to security scanners and tools that rely on static analysis
  • Serve different or “clean” versions of package code depending on who’s downloading (security researcher on a VPN vs. corporate network)
  • Delay malicious behavior and blend in by appearing benign at first

These tactics gave PhantomRaven the time and space to burrow into systems largely undetected.

What the Malware Was After

Once in, these packages weren’t just experimenting—they were actively collecting some highly sensitive data. Here’s what they targeted:

  • Environment variables (which can contain secret configurations)
  • Credentials for GitHub, Jenkins, and even NPM itself
  • Continuous Integration/Continuous Delivery (CI/CD) configs and secrets
  • Basically, anything that could enable a follow-up supply chain attack

What’s more, the data exfiltration methods were anything but casual. Think HTTP requests, JSON posts, and redundant WebSocket connections—all designed to make sure the stolen info finds its way back.

One Weird Trick: Using Fake Package Names From AI Chatbots

In a twist that sounds straight out of a sci-fi novel, some of the malicious packages used names that weren’t real—until now. The attackers grabbed these names from the “hallucinations” of AI chatbots.

Developers often ask AI tools for packages by function (example: “What’s a good NPM package for removing unused imports?”). The bots sometimes make up names that sound legit. Attackers spotted those names, hijacked them, and created real packages with those fake-but-believable names.

The result? Developers unwittingly installed malware based on completely invented recommendations.

Image by Growtika on Unsplash


What You Should Do Now

If you’ve used NPM packages recently—especially lesser-known ones—it’s worth taking this seriously. According to Koi, around 80 of these malicious packages were still live as of midweek.

Here’s how you can check if you’ve been affected:

  • Visit the PhantomRaven malware report by Koi and review their list of suspicious packages
  • Run scans on your environment for the indicators mentioned by Koi
  • Pay special attention to unusual traffic or scripts pulling data from unfamiliar domains

We’ve seen supply chain attacks rise in the past few years, but PhantomRaven shows that attackers are getting bolder and smarter—especially when they can exploit overlooked corners of widely used tools like NPM.

Stay curious—but also stay cautious.

Keywords: NPM, malware, cybersecurity, Remote Dynamic Dependencies, PhantomRaven, AI chatbots

