Unveiling PhantomRaven: A New Threat in NPM Dependencies

News

Keeping up with malicious campaigns against the open-source supply chain is now part of a developer's job. Security firm Koi recently published research on a malware operation it has named "PhantomRaven." The campaign abuses what Koi calls "Remote Dynamic Dependencies" (RDDs): npm dependency specifiers that point at an HTTP URL instead of a registry package, so the code that actually runs never sits in the NPM registry at all.

What is PhantomRaven?

PhantomRaven involves at least 126 malicious NPM packages, which have racked up more than 86,000 downloads since August 2025. On the surface these packages look harmless, often just a few lines of script, but their package.json lists a dependency whose version field is an HTTP URL on an attacker-controlled server rather than a registry version. npm follows that URL and downloads the tarball at install time, so the malicious code is fetched fresh on every install: scanners that only inspect the copy held in the NPM registry see a clean package, and the server is free to change what it serves at any moment. Once installed, the malware steals sensitive data such as NPM tokens, GitHub credentials, and CI/CD secrets, and fingerprints the victim's system for further targeting.

The tactic is stealthy because nothing has to be run by hand: npm executes the package's lifecycle scripts (preinstall, install, postinstall) automatically during npm install. Note that npm install --ignore-scripts stops those hooks from running but does not stop npm from fetching the URL dependency in the first place, so without monitoring at install time the remote download is hard to spot.

For a deep dive into Koi's findings, check out their full report here.

Connecting the Dots with Dynamic Software Composition Analysis (dSCA)

This kind of threat, malicious code fetched from a remote resource by an NPM package, is exactly what we explored in our recent blog post on "Dynamic Software Composition Analysis (dSCA)." Traditional Software Composition Analysis (SCA) falls short here because it inspects static artifacts only: the manifest, the lockfile, and the code held in the registry. It never observes what a package does at install time, such as an unexpected DNS lookup or a download from a host outside the registry.

dSCA, developed by NR Labs, takes a dynamic approach: it monitors package installations as they happen, capturing the network traffic they generate and flagging anomalies such as DNS queries to hosts other than the expected registry. In our analysis of over 3 million packages, we identified hundreds performing unexpected DNS queries, a clear signal of potential risk.

This method helps detect and mitigate hidden dangers that static tools overlook.

Read our dSCA post for more details on securing your NPM workflow here.

What's Next?

PhantomRaven underscores the need for install-time detection in open-source ecosystems, not just static scanning of what sits in the registry. We'll be sharing more insights and tools on this topic soon.