Redazione RHC : 30 October 2025 15:45
Since August 2024, the PhantomRaven campaign has uploaded 126 malicious packages to npm, which have been downloaded a total of over 86,000 times . The campaign was discovered by Koi Security, which reported that the attacks were enabled by a little-known feature of npm that allows it to bypass protection and detection.
It is noted that at the time of the report’s publication , approximately 80 malicious packages were still active . Experts explain that the attackers are exploiting the Remote Dynamic Dependencies (RDD) mechanism.
Typically, a developer sees all of a package’s dependencies at installation time, downloaded from the trusted NPM infrastructure. However, RDD allows packages to automatically pull code from external URLs, even over an unencrypted HTTP channel. Meanwhile, the package manifest doesn’t show any dependencies.
When a developer runs npm install, the malicious package silently downloads a payload from an attacker-controlled server and immediately executes it . No user interaction is required, and static analysis tools remain unaware of the activity.
“PhantomRaven demonstrates how sophisticated attackers can be when exploiting the blind spots of traditional security solutions. Remote dynamic dependencies are simply invisible to static analysis,” the researchers say.
Note that the malware is downloaded from the server each time the package is installed, rather than being cached.
This opens the door to targeted attacks: attackers can control the IP address of the request and send harmless code to security researchers, deploy malicious code to corporate networks, and deploy specialized payloads for cloud environments.
Once infected, the malware carefully collects information about the victim’s system:
Stolen tokens can be used to attack supply chains and inject malicious code into legitimate projects . Data theft is organized redundantly, using three methods: HTTP GET with data in the URL, HTTP POST with JSON, and WebSocket connections.
Experts write that many malicious packages are disguised as GitLab and Apache tools.
Slopsquatting, or exploiting AI hallucinations, plays a special role in this campaign . Developers often ask LLM assistants which packages are best suited for a particular project. AI models often invent nonexistent but plausible names. PhantomRaven operators track these hallucinations and register packages with these names. Victims ultimately install the malware themselves, following LLM’s recommendations.
LLM developers don’t yet understand the exact causes of these hallucinations and aren’t able to create models to prevent them, which is precisely what attackers are exploiting. Researchers advise against relying on LLM when choosing dependencies and carefully checking package names and sources, only installing packages from trusted vendors.
Redazione