CyberHappenings logo
Home Browse Watchlists Experimental About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

PhantomRaven npm credential harvesting campaign leverages invisible dependencies

First reported
Last updated
3 unique sources, 5 articles

Summary

Hide ▲

An ongoing npm credential harvesting campaign dubbed PhantomRaven has been active since August 2025. The malware steals npm tokens, GitHub credentials, and CI/CD secrets from developers worldwide. New attack waves occurred between November 2025 and February 2026, distributing 88 packages via 50 disposable accounts. At least 126 npm packages have been infected, resulting in over 86,000 downloads. The attack uses Remote Dynamic Dependencies (RDD) to hide malicious code in externally hosted packages, evading npm security scans. The campaign exploits AI hallucinations to create plausible-sounding package names, a technique known as slopsquatting. As of October 30, 2025, the attacker-controlled URL can serve any kind of malware, initially serving harmless code before pushing a malicious version. The malware scans the developer environment for email addresses and gathers information about the CI/CD environment. The npm ecosystem allows easy publishing and low friction for packages, with lifecycle scripts executing arbitrary code at install time. As of October 29, 2025, at least 80 of the infected packages remain active. Researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package to target GitHub-owned repositories. The package incorporated a post-install hook to download and run malware in versions 4.0.12 to 4.0.17, and has been downloaded 47,405 times. The malware specifically targets repositories owned by the GitHub organization, indicating a targeted attack against GitHub.

Timeline

  1. 29.10.2025 16:00 5 articles · 4mo ago

    PhantomRaven npm credential harvesting campaign discovered

    The campaign has been active since August 2025, infecting at least 126 npm packages with over 86,000 downloads. The attack uses Remote Dynamic Dependencies (RDD) to hide malicious code and exploits AI hallucinations to create plausible-sounding package names. The malware collects tokens for NPM, GitHub Actions, GitLab, Jenkins, and CircleCI. The campaign uses three data exfiltration methods: HTTP GET requests, HTTP POST requests, and WebSocket connections. The malware profiles the infected device to determine the target’s value and searches for email addresses in environment variables. As of October 30, 2025, the attacker-controlled URL can serve any kind of malware, initially serving harmless code before pushing a malicious version. The malware scans the developer environment for email addresses and gathers information about the CI/CD environment. The npm ecosystem allows easy publishing and low friction for packages, with lifecycle scripts executing arbitrary code at install time. As of October 29, 2025, at least 80 of the infected packages remain active. Researchers have discovered a malicious npm package named "@acitons/artifact" that typosquats the legitimate "@actions/artifact" package to target GitHub-owned repositories. The package incorporated a post-install hook to download and run malware in versions 4.0.12 to 4.0.17, and has been downloaded 47,405 times. The malware specifically targets repositories owned by the GitHub organization, indicating a targeted attack against GitHub. Another npm package named "8jfiesaf83" with similar functionality was identified but is no longer available for download, with 1,016 downloads recorded. New attack waves from the PhantomRaven campaign occurred between November 2025 and February 2026, distributing 88 packages via 50 disposable accounts. 81 of the malicious PhantomRaven packages are still available in the npm registry. The threat actor used 'slopsquatting' to mimic established projects like Babel and GraphQL Codegen. The infrastructure remains consistent across all four observed waves of the PhantomRaven campaign, with domains containing the word 'artifact' that are hosted on Amazon Elastic Compute Cloud (EC2) and lack a TLS certificate. The payload was nearly identical across all waves, with 257 of the 259 lines of code remaining unchanged. The attackers evolved operationally, rotating npm and email accounts, changing npm package metadata, and modifying PHP endpoints. The attackers published more frequently in the more recent attacks, with four packages added in a single day, on February 18.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Malicious dYdX npm and PyPI Packages Deliver Wallet Stealers and RAT Malware

Legitimate dYdX-related packages on npm and PyPI have been compromised to distribute malicious versions that steal cryptocurrency wallet credentials and execute remote access trojans (RATs). The compromised packages target JavaScript and Python ecosystems, with different payloads for each. The attack is suspected to involve developer account compromise, allowing threat actors to push malicious updates using legitimate credentials. The affected packages include @dydxprotocol/v4-client-js (npm) versions 3.4.1, 1.22.1, 1.15.2, and 1.0.31, and dydx-v4-client (PyPI) version 1.1.5post1. The malicious code targets core registry files and uses obfuscation techniques to evade detection. Users are advised to isolate affected machines, move funds to new wallets from clean systems, and rotate all API keys and credentials. This incident highlights a persistent pattern of supply chain attacks targeting dYdX-related assets.

Open in new tab

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads. Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access. More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks. A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore. A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline released version 2.4.0 to address the issue and revoked the compromised token. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.

Open in new tab

454,000+ Malicious Open Source Packages Discovered in 2026

Researchers reported a surge in malicious open source packages, with 454,648 new malicious packages discovered in 2026. These packages are increasingly used in sustained, industrialized campaigns, often state-sponsored, targeting developer machines and CI/CD pipelines. The threat landscape includes repository abuse, potentially unwanted apps, and multi-stage attacks involving host information exfiltration, droppers, and backdoors. Additionally, AI-assisted development is exacerbating the risk by recommending non-existent versions and failing to check for malicious indicators.

Open in new tab

IndonesianFoods Worm Floods npm with Over 100,000 Fake Packages

A large-scale spam campaign, dubbed IndonesianFoods, has flooded the npm registry with over 100,000 fake packages since early 2024. The campaign uses a worm-like propagation mechanism that requires manual execution via 'node auto.js' or 'publishScript.js' to propagate. The packages reference each other as dependencies, creating a self-replicating network. The goal appears to be monetization through the Tea protocol, rather than traditional malicious activities like data theft. The campaign has been ongoing for nearly two years, highlighting a significant security blind spot in automated detection systems. The malicious script executes in an infinite loop, removing 'private': true in package.json, generating random version numbers, and publishing new spam packages to npm. A single execution can publish approximately 12 packages per minute, 720 per hour, or 17,000 per day. The attackers have inflated their 'impact scores' and claimed Tea token rewards for artificial ecosystem value, with one package README boasting about these earnings. The campaign has overwhelmed multiple security data systems, demonstrating unprecedented scale, and has triggered a massive wave of vulnerability reports.

Open in new tab

Malicious npm packages targeting Windows, macOS, and Linux systems

Ten malicious npm packages were discovered that deliver an information stealer targeting Windows, macOS, and Linux systems. The packages, uploaded to the npm registry on July 4, 2025, have collectively accumulated over 9,900 downloads. The malware uses multiple layers of obfuscation and a fake CAPTCHA to evade detection and harvests credentials from system keyrings, browsers, and authentication services. The packages are still available on npm despite being reported to npm. The attack aims to steal sensitive information, including credentials and session cookies, which can provide unauthorized access to corporate resources.

Open in new tab