PhantomRaven NPM Campaign Spreads 88 Malicious Packages

By alex2404

Supply chain attacks on the npm ecosystem have been escalating steadily, and a campaign first identified in late 2025 has now expanded significantly into the new year.

Application security firm Endor Labs has identified three additional waves of the PhantomRaven supply-chain campaign, occurring between November 2025 and February 2026. Those waves distributed 88 malicious packages through 50 disposable accounts. The campaign was originally uncovered in October 2025 by researchers at cybersecurity company Koi, who determined it had been active since August and had already published 126 malicious packages on the npm platform.

How the Attack Reaches Developers

The method is deliberate and difficult to catch automatically. PhantomRaven relies on a technique called Remote Dynamic Dependencies (RDD), where the package.json metadata file specifies a dependency hosted at an external URL rather than embedding malicious code directly inside the package. Automated inspection tools see a clean package. The malware only arrives when a developer runs npm install, at which point the dependency is pulled from the attacker’s server and executed automatically.
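Because the URL specifier sits in the manifest itself, it can be checked before anything is installed. The following is an added example (not code from Endor Labs, Koi, or npm) that lists every dependency in a parsed package.json whose specifier points outside the registry. It goes slightly beyond the HTTP URL case described above by also flagging git-style specifiers; the function names, sample package names, and `example.invalid` hosts are constructed for illustration.

```javascript
// Manifest sections that npm resolves and fetches during `npm install`.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Classify a dependency specifier; null means it resolves through the registry
// (semver range, dist-tag, npm: alias) or is a local path.
function classifySpec(spec) {
  if (typeof spec !== 'string') return 'non-string';
  const s = spec.trim().toLowerCase();
  if (s.startsWith('http://')) return 'remote-url-no-tls';
  if (s.startsWith('https://')) return 'remote-url';
  if (/^(git\+|git:\/\/|github:|gitlab:|bitbucket:)/.test(s)) return 'git-remote';
  return null;
}

// Return one finding per dependency that is fetched from outside the registry.
function findRemoteDependencies(manifest) {
  const findings = [];
  for (const section of SECTIONS) {
    const deps = manifest[section];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (!kind) continue;
      let host = null;
      try { host = new URL(String(spec).trim()).hostname || null; } catch { /* not a parseable URL */ }
      findings.push({ section, name, spec, kind, host });
    }
  }
  return findings;
}

// Constructed sample manifest (names and hosts are placeholders, not campaign indicators).
const SAMPLE_MANIFEST = {
  name: 'example-app',
  dependencies: {
    'left-pad': '^1.3.0',
    'ui-helpers': 'http://packages.example.invalid/npm/ui-helpers',
  },
  devDependencies: {
    'build-tool': 'https://cdn.example.invalid/build-tool-2.0.0.tgz',
    'lint-rules': 'github:example-org/lint-rules',
    typescript: '~5.4.0',
  },
};

for (const f of findRemoteDependencies(SAMPLE_MANIFEST)) {
  console.log(`${f.kind}\t${f.section}.${f.name}\t${f.spec}`);
}
```

A check like this only sees the manifest it is given, so it needs to run over transitive dependencies as well, since a remote specifier can sit in a package several levels below the one a developer asked for.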

To get packages installed in the first place, the threat actor used “slopsquatting”: publishing under names that mimic legitimate, widely used projects like Babel and GraphQL Codegen, and that look like the kind of suggestions generated by large language models.

Once inside, the malware collects a specific set of data. According to the announcement, targets include emails from .gitconfig, .npmrc, and environment variables, along with CI/CD tokens from GitHub, GitLab, Jenkins, and CircleCI. The malware also fingerprints the machine, harvesting the IP address, hostname, operating system, and Node version. Stolen data is then exfiltrated to a command-and-control server via an HTTP GET request, with HTTP POST and WebSocket used as fallback channels.

Consistent Infrastructure, Evolving Tactics

Endor Labs noted that the underlying infrastructure stayed consistent across all four observed waves. The C2 domains contain the word “artifact,” run on Amazon Elastic Compute Cloud (EC2), and carry no TLS certificate. The payload itself was nearly identical throughout — 257 of 259 lines of code remained unchanged across waves.

Operationally, however, the threat actor adapted. The firm observed rotation of npm and email accounts, changes to package metadata, and modified PHP endpoints. Publishing frequency also increased, with four packages added in a single day on February 18.

As of the report, 81 of the 88 packages from these latest waves remain live in the npm registry.

The campaign’s persistence despite minimal technical complexity is its defining characteristic. Slight modifications to domains, endpoints, and account names have been enough to keep it running uninterrupted across multiple months.

Endor Labs recommends that developers verify the legitimacy of packages before use, rely only on reputable publishers, and avoid installing packages based on suggestions from AI chatbots or unvetted sources.


This article is a curated summary based on third-party sources.
