A persistent software supply-chain campaign, dubbed PhantomRaven, has launched a new wave of attacks targeting the npm (Node Package Manager) registry. Security researchers have identified 88 new malicious packages designed to exfiltrate sensitive data from JavaScript developers. This latest activity, discovered by application security firm Endor Labs, comprises three distinct attack waves that occurred between November 2025 and February 2026 and were distributed via approximately 50 disposable npm accounts. The campaign, which was first uncovered in October 2025 by researchers at Koi, has been active since August of that year, having previously published 126 malicious packages. Alarmingly, Endor Labs reports that 81 of these newly identified PhantomRaven packages remain publicly available in the npm registry, posing an ongoing threat.
The attackers employ sophisticated tactics to lure developers. A primary method is "slopsquatting," where threat actors create package names that closely mimic legitimate, popular projects such as Babel and GraphQL Codegen. The names often appear nonsensical or as if they were generated by a large language model (LLM), capitalizing on developer typos or automated suggestions. More critically, PhantomRaven utilizes an advanced detection evasion technique known as Remote Dynamic Dependencies (RDD). Instead of embedding malicious code directly within the published npm package, the attacker modifies the `package.json` metadata file to specify a dependency hosted at an external URL. When an unsuspecting developer executes `npm install`, the package manager automatically fetches and installs the malicious payload from this remote location, effectively bypassing static analysis tools that scan the package contents upon upload to the registry.
The broader cybersecurity landscape continues to face multifaceted threats, as highlighted by other recent reports. Microsoft has warned that nation-state and criminal actors are now abusing artificial intelligence at every stage of the cyberattack lifecycle, from reconnaissance to sophisticated social engineering. Simultaneously, phishing campaigns are evolving to bypass traditional defenses by abusing obscure DNS records like `.arpa` and `ipv6` addresses. In other software ecosystems, a critical SQL injection flaw in the Elementor Ally WordPress plugin impacts over 250,000 sites, and CISA has ordered federal agencies to patch a remotely exploitable flaw in the n8n workflow automation tool. Social engineering remains potent, with "InstallFix" attacks pushing infostealers through fake installation guides for the popular Claude Code AI assistant.
For developers and organizations, mitigating supply-chain risks like PhantomRaven requires a proactive and layered security posture. Organizations should implement software composition analysis (SCA) tools to vet open-source dependencies and enforce policies against installing packages from unknown or unvetted sources. Developers must practice heightened vigilance: double-checking package names for typosquatting, verifying publisher authenticity, and scrutinizing `package.json` files for unusual external dependencies. On the infrastructure side, network egress filtering can help block connections to unknown external domains fetching malicious payloads. As attackers refine their techniques—leveraging AI, abusing trust in major platforms, and exploiting automation—the collective defense must evolve just as rapidly, emphasizing security-by-design and continuous monitoring across the entire software development lifecycle.
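The Remote Dynamic Dependencies technique and the advice to scrutinize `package.json` for external dependencies can be turned into a pre-install check. The following is an added example, not code from Endor Labs, Koi or npm: it flags dependency specifiers that resolve outside the registry (URL tarballs, git URLs, hosted-git shorthand). The function names, the allow-list parameter and the sample manifest with its hosts are constructed for illustration.

```javascript
// Manifest fields whose values are npm dependency specifiers.
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Return a label when a specifier is fetched from outside the registry, else null.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^https?:\/\//i.test(s)) return 'remote-url';                 // tarball on an arbitrary host
  if (/^git(\+(ssh|https?|file))?:\/\//i.test(s)) return 'git-url'; // explicit git remote
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return 'hosted-git';
  if (/^[a-z\d][\w.-]*\/[\w.-]+(#.+)?$/i.test(s)) return 'hosted-git'; // user/repo shorthand
  return null; // semver ranges, tags, npm: aliases and local file: paths
}

// List every non-registry dependency; hosts in allowedHosts (hypothetical policy input) are skipped.
function findRemoteDependencies(manifest, allowedHosts = []) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      const kind = classifySpec(spec);
      if (!kind) continue;
      let host = null;
      if (kind === 'remote-url' || kind === 'git-url') {
        try { host = new URL(String(spec).trim().replace(/^git\+/i, '')).hostname || null; }
        catch { host = null; }
      }
      if (host && allowedHosts.includes(host)) continue;
      findings.push({ field, name, spec, kind, host });
    }
  }
  return findings;
}

// Constructed sample manifest; package names and hosts are placeholders.
const SAMPLE_MANIFEST = {
  name: 'constructed-sample',
  version: '1.0.0',
  dependencies: {
    'example-lib': '^1.3.0',
    'ui-styles-pkg': 'http://packages.example.invalid/npm/ui-styles-pkg',
    'internal-lib': 'git+https://git.corp.example/team/internal-lib.git#v2.1.0',
  },
  devDependencies: { 'some-fork': 'someuser/some-fork#main', 'local-tool': 'file:../tool' },
};

console.log(findRemoteDependencies(SAMPLE_MANIFEST, ['git.corp.example']));
```

This inspects only the manifest it is given; a URL dependency declared by a transitive package appears in that package's own `package.json`, so the check has to run on every manifest in the tree.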



