Last year’s “PhantomRaven” supply-chain campaign is back, with security researchers uncovering 88 new malicious packages in what they describe as the second, third, and fourth waves of the operation.
According to Endor Labs’ findings, the newly discovered packages were published between November 2025 and February 2026, and 81 of them were still available on npm, along with two active command-and-control (C2) servers.
“PhantomRaven is a software supply chain attack that uses Remote Dynamic Dependencies (RDD) to hide credential-stealing malware in non-registry dependencies that bypass standard security scanning,” the researchers said in a blog post. “The first wave, affecting 126+ packages with over 86,000 downloads, was first described by Koi Security in October 2025.”
The evolution of the campaign was tracked by correlating infrastructure indicators, code similarities, and the attacker’s operational patterns, the blog noted. However, in an update to the blog, Endor Labs said the packages were alleged to be part of a legitimate research experiment, a claim it disputes, citing operational irregularities.
Dependency trick hides the malware
RDD allows malicious code to be delivered outside the package itself. Instead of embedding the malware directly in the npm package, attackers specify an HTTP URL dependency in the package’s “package.json” file.
When a developer runs “npm install,” npm automatically retrieves that dependency from the attacker-controlled server. The package hosted on npm appears harmless, often containing little more than a basic script, while the actual malicious payload is fetched from the remote URL during the installation process.
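The two paragraphs above describe how an HTTP URL in “package.json” makes npm fetch code from a server outside the registry. The following is an added defensive example, not code from the article or from Endor Labs: a small Node.js checker that parses a package.json and flags every dependency specifier that does not resolve to the npm registry (HTTP tarballs, git URLs, GitHub shorthand, local paths), plus any lifecycle scripts that run at install time. The sample package.json is constructed for the example; the package and host names in it are placeholders, not real packages or indicators from the campaign.

```javascript
// Added example (not from the article or Endor Labs): flag "Remote Dynamic
// Dependency"-style specifiers in a package.json before running npm install.
// Specifier shapes npm accepts that bypass the registry, checked in order.
const NON_REGISTRY_PATTERNS = [
  { kind: "http-tarball", re: /^https?:\/\//i },                       // http(s)://host/pkg.tgz
  { kind: "git", re: /^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/i },
  { kind: "github-shorthand", re: /^[\w.-]+\/[\w.-]+(#.*)?$/ },        // user/repo or user/repo#ref
  { kind: "local-path", re: /^(file:|\.\/|\.\.\/|\/)/ },
];

const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Return every dependency whose specifier points outside the npm registry.
function findRemoteDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const hit = NON_REGISTRY_PATTERNS.find((p) => p.re.test(String(spec)));
      if (hit) findings.push({ field, name, spec, kind: hit.kind });
    }
  }
  return findings;
}

// Return the names of lifecycle scripts that run automatically during install.
// A remote dependency combined with an install hook is the pattern the article
// describes: the hosted package looks inert, the fetched code does the work.
function findInstallScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_HOOKS.filter((hook) => typeof scripts[hook] === "string");
}

// Summarise both checks into a single verdict for a package.json text.
function auditPackageJson(text) {
  const pkg = JSON.parse(text);
  const remote = findRemoteDependencies(pkg);
  const hooks = findInstallScripts(pkg);
  return { name: pkg.name, remote, hooks, risky: remote.length > 0 };
}

// Constructed sample input; "helper-lib" mimics an HTTP URL dependency,
// "example.invalid" is a reserved placeholder host, not a real C2 server.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "example-eslint-preset",
  version: "1.0.0",
  dependencies: {
    lodash: "^4.17.21",
    "helper-lib": "http://example.invalid/packages/helper-lib-1.0.0.tgz",
    "internal-tool": "github:example-org/internal-tool#main",
  },
  devDependencies: { eslint: "8.x", "@scope/pkg": "npm:@scope/pkg@2.0.0" },
  scripts: { postinstall: "node setup.js", test: "jest" },
});

// Stand-alone usage: node rdd-check.js [path/to/package.json]
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("node:fs");
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], "utf8") : SAMPLE_PACKAGE_JSON;
  const report = auditPackageJson(text);
  for (const f of report.remote) {
    console.log(`[non-registry] ${f.field}.${f.name} -> ${f.spec} (${f.kind})`);
  }
  if (report.hooks.length) console.log(`[install hooks] ${report.hooks.join(", ")}`);
  console.log(report.risky ? "RISKY: review before installing" : "OK: all dependencies from registry");
}

module.exports = { findRemoteDependencies, findInstallScripts, auditPackageJson, SAMPLE_PACKAGE_JSON };
```

Run it against a project’s package.json (or a newly pulled dependency’s) before installation. The same check is worth applying to the “resolved” fields of package-lock.json, since a transitive dependency can carry the remote URL even when the top-level manifest is clean, and running “npm install --ignore-scripts” prevents any fetched code from executing during install.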
Once executed, the malware gathers a range of sensitive information from the developer’s environment. This includes email addresses, system details, and credentials from CI/CD platforms such as GitHub Actions, GitLab CI, Jenkins, and CircleCI.
The stolen data is then transmitted to attacker-controlled servers using multiple redundant techniques, including HTTP GET and POST requests and even WebSocket connections, so that exfiltration succeeds across different network environments. Because the malicious code never appears in the npm package itself, traditional scanning tools that focus on package contents fail to flag it.
Operational patterns challenge “research experiment” claim
Despite the new waves, PhantomRaven’s core functionality has remained largely unchanged, the researchers said. They found that 257 out of 259 lines of the malware payload are identical across all waves, with the only significant modification being the command-and-control domain used to receive stolen data.
Instead, the attacker focused on operational changes designed to stay ahead of takedowns. These include rotating npm accounts, modifying package descriptions and metadata, and registering new domains with similar naming patterns such as “storeartifact,” “jpartifacts,” and “artifactsnpm.”
Additionally, the campaign employed slopsquatting to publish packages mimicking Babel plugins, GraphQL tooling, ESLint presets, and other widely used development utilities.
Endor Labs’ blog post was later updated to reflect claims that the packages were part of a legitimate research experiment intended to study malicious package detection. “Allegedly, the packages have been produced by a security researcher known in the community,” the update read. “However, several characteristics strongly support classifying these packages as malware rather than legitimate research artifacts.”
Endor Labs’ objections to the claim included the presence of active command-and-control servers, credential-harvesting routines targeting developer environments, and active data exfiltration mechanisms. “In addition, the packages provide no indication whatsoever that they are part of a research experiment — neither in a README nor through console messages or package metadata — leaving affected users without any transparency,” the researchers said.