Malware & Ransomware · HIGH

PhantomRaven Strikes Again: 88 Malicious npm Packages Found

CSO Online
Tags: PhantomRaven, npm, malware, supply-chain attack, Endor Labs

In short: a known supply-chain group is back on npm with packages that steal developer and CI credentials.

Quick Summary

A hacker group known as PhantomRaven has returned with 88 new malicious npm packages. Developers are at risk as these packages can steal sensitive data. Experts recommend avoiding unverified sources and keeping software updated to mitigate risks.

What Happened

A hacker group is back and targeting developers through the tools they use every day. The PhantomRaven supply-chain campaign has resurfaced with 88 new malicious packages on npm. Security researchers at Endor Labs uncovered the packages, which were published between November 2025 and February 2026; 81 of them were still available for download at the time of the report. Alarmingly, two active command-and-control (C2) servers are also linked to these packages.

PhantomRaven hides its payload with a technique Endor Labs calls Remote Dynamic Dependencies (RDD). Instead of shipping the malicious code inside the published package, the attacker declares a dependency in the package's configuration file (package.json) as an external URL on a server they control rather than as a registry version. When a developer installs the package, npm fetches that dependency from the attacker's host at install time, so a scanner that only inspects what sits on the registry sees nothing malicious. The payload fetched this way harvests email addresses, system details, and credentials for popular CI/CD platforms.

Why Should You Care

You might think this only affects software developers, but the implications are much broader. If you're a developer, your projects could be compromised, potentially leading to data breaches that affect your company or clients. Even if you’re not a developer, the software you use could be built on these compromised packages, putting your personal data at risk.

The key takeaway here is that malicious packages can sneak into your development environment without you even realizing it. Just like a Trojan horse, they appear harmless but can unleash chaos once inside. This situation highlights the importance of being vigilant about the software you install and the sources you trust.

What's Being Done

Security experts are actively monitoring the situation and have shared some immediate steps you can take:

  • Vet packages before you add them, even when they come from npm itself: these packages sat on the public registry. Prefer well-known, actively maintained projects.
  • Regularly update your dependencies so you pick up the latest security patches.
  • Use security tools that inspect dependency specifiers and lockfiles, not just published code, so that a dependency pulled from a non-registry URL at install time (the RDD technique) is caught.
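As an added example (not code from the CSO Online article or from Endor Labs), here is a small Node.js check that implements the third bullet for the mechanism described above: it walks a package.json for dependency specifiers that point at a URL, a git repository, or a GitHub shorthand instead of a registry version, and walks a package-lock.json (lockfileVersion 3 layout) for packages whose "resolved" URL is on a host other than registry.npmjs.org, which is how a remote dependency hidden several levels deep in the tree shows up. All package, host, and file names are constructed placeholders.

```javascript
// Added example, not from the CSO Online article or Endor Labs: flag dependencies
// that npm would fetch from somewhere other than the registry. A remote dynamic
// dependency (RDD) is exactly such a specifier: package.json points at a URL the
// attacker controls, and the payload arrives at install time.
// Package, host, and file names below are constructed placeholders.

const SAMPLE_PACKAGE_JSON = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    express: "^4.19.2",
    lodash: "4.17.21",
    "some-helper": "https://cdn.example.invalid/pkg/some-helper.tgz",
    "other-lib": "git+https://git.example.invalid/org/other-lib.git#v1",
    "shorthand-lib": "someuser/shorthand-lib",
    "local-tool": "file:../local-tool",
    aliased: "npm:real-package@^2.0.0",
  },
  devDependencies: {
    jest: "^29.7.0",
    "dev-helper": "http://tools.example.invalid/dev-helper-1.0.0.tgz",
  },
  optionalDependencies: {
    fsevents: "^2.3.3",
  },
};

// Constructed lockfile (lockfileVersion 3 layout). Every installed package,
// transitive ones included, records the URL it was actually fetched from.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/express": {
      version: "4.19.2",
      resolved: "https://registry.npmjs.org/express/-/express-4.19.2.tgz",
      integrity: "sha512-placeholder",
    },
    "node_modules/some-helper": {
      version: "1.0.0",
      resolved: "https://cdn.example.invalid/pkg/some-helper.tgz",
      integrity: "sha512-placeholder",
    },
    "node_modules/other-lib": {
      version: "1.0.0",
      resolved: "git+https://git.example.invalid/org/other-lib.git#abc123",
    },
  },
};

const DEP_SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const REGISTRY_HOSTS = new Set(["registry.npmjs.org"]);

// Classify one dependency specifier. Returns null for a normal registry
// reference (semver range, dist-tag, or npm: alias), otherwise a reason string.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^https?:\/\//i.test(s)) return "remote tarball URL";
  if (/^git(\+[a-z]+)?:\/\//i.test(s) || /^git@/i.test(s)) return "git URL";
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return "hosted git shorthand";
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s) && !s.startsWith("@")) return "GitHub shorthand";
  if (/^(file|link):/i.test(s)) return "local path";
  return null;
}

// Walk every dependency section of a package.json object and return the
// specifiers that do not resolve through the registry.
function findRemoteDependencies(manifest) {
  const findings = [];
  for (const section of DEP_SECTIONS) {
    for (const [name, spec] of Object.entries(manifest[section] || {})) {
      const reason = classifySpec(spec);
      if (reason) findings.push({ section, name, spec, reason });
    }
  }
  return findings;
}

// Walk the "packages" map of a lockfile and flag anything fetched from a host
// outside allowedHosts, plus registry tarballs that carry no integrity hash.
function findNonRegistryResolved(lockfile, allowedHosts = REGISTRY_HOSTS) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !entry || entry.link) continue; // root entry and workspace links
    const resolved = entry.resolved;
    if (!resolved) { findings.push({ path, resolved: null, reason: "no resolved URL" }); continue; }
    let host;
    try { host = new URL(resolved).hostname; }
    catch { findings.push({ path, resolved, reason: "unparseable resolved URL" }); continue; }
    if (!allowedHosts.has(host)) findings.push({ path, resolved, reason: `fetched from ${host}` });
    else if (!entry.integrity) findings.push({ path, resolved, reason: "registry tarball without integrity" });
  }
  return findings;
}

// Stand-alone run: print both reports for the constructed inputs.
console.log(JSON.stringify({
  manifest: findRemoteDependencies(SAMPLE_PACKAGE_JSON),
  lockfile: findNonRegistryResolved(SAMPLE_LOCKFILE),
}, null, 2));
```

To run it against a real project, replace the two constructed objects with `JSON.parse(fs.readFileSync("package.json"))` and the same for `package-lock.json`, and treat any finding as something to review by hand. The lockfile pass matters more than the manifest pass: a published package can declare the remote dependency in its own package.json, where your manifest never mentions it, but the tarball it was fetched from still lands in your lockfile's "resolved" field. Local `file:` paths are reported too, since they are also outside the registry, but they are not the RDD case.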

Experts are also keeping an eye on PhantomRaven's evolving tactics, especially since the group claims its packages are part of a legitimate research experiment. The presence of active command-and-control servers and data-exfiltration routines strongly suggests otherwise. The cybersecurity community is on alert for any new developments or changes in the attackers' strategies.


🔒 Pro insight: The persistence of PhantomRaven's tactics across campaigns points to a sustained operation; expect ongoing adaptations to evade detection.

Original article from CSO Online.

Related Pings

HIGH · Malware & Ransomware

SmartApeSG Campaign Deploys Remcos RAT via ClickFix Page

A new campaign is using a fake ClickFix page to spread Remcos RAT. Individuals and organizations are at risk of remote access and data theft. Stay vigilant and protect your systems from this growing threat.

SANS ISC Full Text

HIGH · Malware & Ransomware

Ransomware Negotiator Allegedly Extorted Victims for Millions

A ransomware negotiator is accused of extorting victims for millions. DigitalMint claims ignorance of his actions. This scandal raises serious concerns about trust in cybersecurity professionals.

SC Media

HIGH · Malware & Ransomware

New VENON Malware Targets Brazilian Banking Users

A new malware called VENON is targeting Brazilian banking users. This Rust-based threat employs advanced techniques to steal sensitive information. Stay alert and protect your accounts from this evolving danger.

SC Media

HIGH · Malware & Ransomware

FBI Investigates Malware Spread Through Steam Games

The FBI is investigating malware hidden in Steam games. Gamers who installed these titles may have had their accounts compromised. If you played these games, report your experience to help the investigation.

BleepingComputer

HIGH · Malware & Ransomware

Credential Theft: Storm-2561 Spoofs VPN Clients to Steal Logins

A new cybercrime group is spoofing VPN clients to steal user credentials. Cisco and Fortinet users are particularly at risk. Stay alert and ensure you’re downloading software from official sources to protect your data.

The Register Security

HIGH · Malware & Ransomware

Ransomware Responder Allegedly Aided BlackCat Cybercriminals

A cybersecurity responder allegedly aided BlackCat hackers in negotiating higher ransoms. This shocking breach of trust has raised alarms in the industry. DigitalMint has since terminated the involved parties and is enhancing oversight.

The Record