Researchers at the Israeli company Koi Security uncovered a large-scale malicious campaign called PhantomRaven in 2025, distributed through the popular npm package registry (a tool used by almost every client-side developer, including the author) and affecting tens of thousands of developers worldwide.
The campaign involved 126 npm packages that appeared entirely innocent but contained hidden components that, upon installation, sent sensitive information from developers' systems - including login credentials, tokens, personal data, and development infrastructure details.
Eight of the packages were still active at the time of disclosure, and according to the researchers, they had been distributed since August without detection by most code-security tools. The attack was identified thanks to a behavioral monitoring engine developed by the researchers, which detected unusual traffic from packages contacting external servers during installation.
"It is important not to take things for granted," the researchers explained, "and to apply critical thinking even when everything seems fine. A developer who feels something is wrong should check, even if it seems silly to them."
One of the main ways the attack hid itself was by using a lesser-known npm feature - remote dynamic dependencies. Instead of declaring known libraries as dependencies in the code, the malicious packages included references to external URLs, allowing them to fetch hostile code at install time without leaving records in the package metadata.
The malicious code was executed automatically via scripts registered in the package install files, so a developer who installed one of these packages - even indirectly - effectively executed the spyware without knowing it.
Among the data stolen were credentials for code repositories (GitHub, GitLab, Jenkins), tokens for publishing new packages, system details, IP addresses and more. The exfiltration was carried out in multiple layers - including GET, POST and WebSocket - to ensure data could be stolen even from protected environments.
Another vulnerability the attackers exploited was the use of package names that looked legitimate - a technique known as "slopsquatting." They registered names of non-existent packages that seemed plausible enough that AI tools like Copilot would recommend them to developers in good faith. As a result, some victims installed the packages following AI recommendations.
The researchers emphasized that beyond technical knowledge, developers also need responsibility and the confidence to ask, check, and halt suspicious installations. "It is better to ask a foolish question than to introduce malicious code into the entire company," they said.