PhantomRaven Attack: New Malware Steals CI/CD Secrets via AI Slopsquatting on npm
The ongoing PhantomRaven campaign has targeted developers via the npm registry, disseminating dozens of malicious packages across the ecosystem in a short span. Embedded within these packages, malicious code harvests authentication tokens, CI/CD secrets, and GitHub credentials—enabling stealthy injection of changes into third-party projects and facilitating supply-chain attacks. Koi Security reports the operation began in August, with 126 packages published and over 86,000 cumulative downloads; a substantial portion of these artifacts remains accessible in the registry.
The perpetrators cloak their releases as legitimate projects and exploit AI assistant "hallucinations" through slopsquatting: they register the plausible but nonexistent package names that chat models tend to suggest. Among the impostors are fakes posing as GitLab and Apache tools, a choice that invites misplaced trust and eases infiltration of the supply chain.
A defining trait of PhantomRaven is its use of remote dynamic dependencies: the manifest appears to declare no dependencies, yet during installation the package quietly fetches its payload from an external host and executes it automatically as part of npm install. Static analysis rarely catches this behaviour, which allowed the malware to linger in the ecosystem far longer than conventional threats.
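The two traits described above, a dependency resolved from outside the registry and a lifecycle script that runs at install time, are both visible in a package's manifest before anything is installed. The following audit function is an added example written for this article, not code from Koi Security or from any of the packages it reports; the manifests it checks are constructed, and the field names, patterns and verdict labels are this example's own assumptions.

```javascript
// Added example: flag manifest traits that let a package pull and run code
// at install time. Not from the article or Koi Security's report.

// Hooks npm runs automatically during `npm install` of a dependency.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

// Version specifiers npm resolves from somewhere other than the registry.
const REMOTE_PATTERNS = [
  /^https?:\/\//i,                      // tarball fetched from an arbitrary host
  /^git(\+(ssh|https?|file))?:\/\//i,   // git URL
  /^(github|gitlab|bitbucket|gist):/i,  // hosted-git shorthand
  /^file:/i,                            // local path outside the registry
  /^[\w.-]+\/[\w.-]+(#[\w./-]*)?$/,     // bare owner/repo GitHub shorthand
];

// Commands that download or evaluate code are the part worth a human look.
const FETCH_OR_EVAL = /\b(curl|wget|node\s+-e|eval|base64|powershell)\b/i;

function auditManifest(manifest) {
  const remoteDependencies = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (REMOTE_PATTERNS.some((re) => re.test(String(spec)))) {
        remoteDependencies.push({ field, name, spec });
      }
    }
  }

  const lifecycleScripts = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = manifest.scripts && manifest.scripts[hook];
    if (command) {
      lifecycleScripts.push({ hook, command, fetchesOrEvals: FETCH_OR_EVAL.test(command) });
    }
  }

  // Verdict labels are this example's convention, not an npm concept.
  let verdict = 'ok';
  if (remoteDependencies.length || lifecycleScripts.some((s) => s.fetchesOrEvals)) {
    verdict = 'block';
  } else if (lifecycleScripts.length) {
    verdict = 'review';
  }
  return { name: manifest.name, verdict, remoteDependencies, lifecycleScripts };
}

// Constructed manifests for the demonstration. The package name, host and
// tarball below are placeholders, not identifiers from the campaign.
const benignManifest = {
  name: 'example-cli',
  version: '1.2.0',
  dependencies: { lodash: '^4.17.21', '@scope/util': '~2.0.0' },
  scripts: { test: 'node test.js', build: 'tsc -p .' },
};

const suspiciousManifest = {
  name: 'example-unused-imports-checker',
  version: '0.0.1',
  dependencies: { 'helper-lib': 'http://203.0.113.7/helper-1.0.0.tgz' },
  scripts: { postinstall: 'node ./setup.js' },
};

console.log(JSON.stringify(auditManifest(benignManifest), null, 2));
console.log(JSON.stringify(auditManifest(suspiciousManifest), null, 2));
```

A `block` verdict on the second manifest comes from the HTTP tarball dependency alone; the `postinstall` hook on its own would only earn `review`. Installing with `npm install --ignore-scripts` (or `npm config set ignore-scripts true` on build agents) removes the automatic execution path entirely and is the cheaper control where a project can live without install hooks.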
Once resident, the malicious code probes the target environment, gauges its value, and enumerates environment variables to locate email addresses that tie machines to specific owners. The gravest danger lies in harvesting tokens for npm, GitHub Actions, GitLab, Jenkins, and CircleCI: with these keys an attacker can alter repositories, tamper with CI configurations, and produce compromised builds.
Data exfiltration employs three channels: encoded GET requests with information embedded in the URL, JSON POST submissions, and persistent WebSocket connections. This multifaceted approach eases evasion of network controls and complicates perimeter detection, particularly when malicious traffic blends with legitimate developer tooling.
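Because the three channels listed above share a destination (a host a build agent has no business contacting) but differ in shape, a detector keyed on destination first and channel second catches all three without depending on a fixed indicator. The detector below is an added example written for this article, not code from Koi Security; its egress-proxy record format, allowlist and the constructed records it runs over are assumptions, and the host 203.0.113.7 is a documentation-range placeholder rather than a campaign indicator.

```javascript
// Added example: classify egress-proxy records from a build agent into the
// three exfiltration channels the article names. Not from the article or
// Koi Security's report; record format and allowlist are assumptions.

// Hosts a build agent is expected to reach; everything else is unexpected.
const ALLOWED_HOSTS = new Set([
  'registry.npmjs.org',
  'github.com',
  'api.github.com',
  'objects.githubusercontent.com',
]);

// A long single token in the base64/url-safe alphabet that mixes upper-case,
// lower-case and digits is more likely an encoded blob than a human value.
const TOKEN_RE = /^[A-Za-z0-9+/_=-]{40,}$/;
function looksEncoded(value) {
  if (!TOKEN_RE.test(value)) return false;
  const classes = [/[A-Z]/, /[a-z]/, /[0-9]/].filter((re) => re.test(value)).length;
  return classes === 3;
}

// Query-string values that look encoded, e.g. /c?d=<base64 blob>.
function encodedQueryValues(path) {
  const qs = path.split('?')[1];
  if (!qs) return [];
  return qs.split('&').map((pair) => {
    const idx = pair.indexOf('=');
    const raw = idx === -1 ? '' : pair.slice(idx + 1);
    try { return decodeURIComponent(raw); } catch { return raw; }
  }).filter(looksEncoded);
}

function classify(record) {
  if (ALLOWED_HOSTS.has(record.host)) return null;
  const encoded = encodedQueryValues(record.path);
  if (record.method === 'GET' && encoded.length) {
    return { channel: 'encoded-get', host: record.host, detail: encoded };
  }
  if (record.method === 'POST' && /application\/json/i.test(record.contentType || '')) {
    return { channel: 'json-post', host: record.host, detail: record.path };
  }
  if (/websocket/i.test(record.upgrade || '')) {
    return { channel: 'websocket', host: record.host, detail: record.path };
  }
  // Unknown host with none of the three shapes still deserves a low-severity note.
  return { channel: 'unexpected-host', host: record.host, detail: record.path };
}

function detect(records) {
  return records.map(classify).filter(Boolean);
}

// Constructed records. The base64 value decodes to a made-up JSON blob
// ({"u":"dev@example.com","t":"secret-1234"}) standing in for harvested data.
const SAMPLE_RECORDS = [
  { src: 'ci-runner-03', method: 'GET', host: 'registry.npmjs.org', path: '/lodash' },
  { src: 'ci-runner-03', method: 'GET', host: '203.0.113.7',
    path: '/c?d=eyJ1IjoiZGV2QGV4YW1wbGUuY29tIiwidCI6InNlY3JldC0xMjM0In0' },
  { src: 'ci-runner-03', method: 'POST', host: '203.0.113.7', path: '/collect',
    contentType: 'application/json' },
  { src: 'ci-runner-03', method: 'GET', host: '203.0.113.7', path: '/ws',
    upgrade: 'websocket' },
  { src: 'ci-runner-03', method: 'GET', host: 'api.github.com', path: '/repos/org/app' },
];

console.log(JSON.stringify(detect(SAMPLE_RECORDS), null, 2));
```

The allowlist is what makes this workable: on a build agent the set of legitimate destinations is small and known, so the "unexpected host" branch does most of the work and the channel label mainly tells the responder what to look for in the capture. On a developer workstation the same logic needs a much larger allowlist or a per-process view, since browser and IDE traffic would otherwise drown the signal.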
Koi Security emphasizes that the remote dynamic dependencies were key to the operation's prolonged stealth. Their report provides indicators of compromise and a comprehensive list of the malicious publications.
Developers should rigorously verify module provenance, cross-reference package names against official vendor pages, disregard unvetted suggestions from chatbots, and scrutinize search results to distinguish authentic packages from typosquatting and slopsquatting. Otherwise, a single installation may suffice to hand attackers the keys that grant influence over others’ projects.