In the "PhantomRaven" campaign, threat actors published 126 malicious npm packages that have flown under the radar, while collecting 86,000 downloads.
October 29, 2025

As poisoned software continues to pop up across the industry, some threat actors have found a way to hide malicious code in npm packages and avoid detection by most security tools.

In a blog post published today, Koi Security detailed how it uncovered 126 malicious packages with more than 86,000 downloads that stole npm tokens, GitHub credentials, and developer secrets from organizations across the globe. The active campaign, which researchers named "PhantomRaven," uses a technique that hides malicious code in dependencies.

"It's not in the package you're reviewing. It's in an invisible dependency that gets fetched at install time," wrote Koi Security researcher Oren Yomtov in the blog post. "When you install a package with this kind of dependency, npm fetches it from that external URL. Not from npmjs.com. From wherever the attacker wants."

PhantomRaven actors achieve this using what's called Remote Dynamic Dependencies (RDD), and it poses significant challenges for enterprise security professionals, who are already struggling to keep up with the growing number of poisoned packages and code repositories plaguing the software development space.

With RDD, malicious npm packages appear benign because npm supports a little-used feature that allows URLs to serve as dependency specifiers: instead of a version range such as ^1.2.0, the value in package.json can be an http(s) URL to a tarball, which npm downloads from that host at install time.
Yomtov explained that packages with such URLs appear to automated security systems as having "0 Dependencies" because scanners don't check the links.

When an unsuspecting user installs what appears to be a clean npm package, it fetches the invisible RDD from PhantomRaven-controlled servers. The malicious dependency ships with a preinstall script that runs automatically, without any notification or required user action. That process takes just a few seconds.

With this technique, Yomtov said, threat actors can engage in "sophisticated targeting" by checking the IP address of each request, so that security researchers receive safe packages while corporate networks receive malicious code or specialized payloads for cloud environments. "PhantomRaven demonstrates how sophisticated attackers are getting at exploiting blind spots in traditional security tooling," Yomtov wrote. "Remote Dynamic Dependencies aren't visible to static analysis."

Idan Dardikman, chief technology officer (CTO) and co-founder at Koi Security, tells Dark Reading that many of the tools used to detect malicious code in software packages rely on static analysis alone. "The malicious payload lives on the attacker's server (packages.storeartifact.com in this case), not in the npm registry, so traditional dependency scanners that rely on registry metadata completely miss it," he says via email.

In addition to the dangers posed by RDD and the lack of dynamic analysis in dependency-scanning tools, Yomtov highlighted another contributing factor to the PhantomRaven campaign: generative AI. The threat actors, Yomtov wrote, used an attack vector referred to as "slopsquatting," which relies on hallucinations from large language models (LLMs) that produce authentic-sounding names for packages that don't exist.
"When developers ask AI assistants like GitHub Copilot or ChatGPT for package recommendations, the models sometimes suggest plausible-sounding package names that don't actually exist," he wrote. "PhantomRaven created those non-existent packages."

The slopsquatting technique creates two problems. First, the LLMs produce package names that closely resemble legitimate packages but differ enough that they don't register as typosquat attempts. Second, because AI assistants keep suggesting the same hallucinated names, developers who follow the recommendation end up installing the attacker's package. "We've already found packages in the wild that include PhantomRaven malware as dependencies — victims who installed these packages based on AI recommendations, completely unaware they were compromising their systems," Yomtov wrote.

Koi Security first detected PhantomRaven this month after the company's behavioral monitoring flagged a pattern of npm packages making external network requests during installation. All the requests went to the same suspicious domain, packages.storeartifact.com, which was traced to a campaign that began in August.

According to Koi Security, PhantomRaven's first wave of malicious packages was detected and removed that month. But the threat actors uploaded more than 100 additional packages over the past two months that evaded detection. Dardikman says npm's security team is currently reviewing and removing the malicious packages. "The removal process takes time as npm needs to verify each report and coordinate takedowns," he says. "As of publication, many packages remain active, which is why we're publishing the IOCs — so security teams can proactively check their environments while the full cleanup is underway."

Koi Security listed the package names in the blog post's indicators of compromise (IOCs), along with the URL and IP address used for data exfiltration.
Developers should carefully review the names of the npm packages they select for installation and make sure they are fully analyzed, including all URLs and network requests made during the install process.

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends. Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.