Malicious NPM Packages Contain Invisible Dependencies TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsApplication SecurityMalicious NPM Packages Disguised With 'Invisible' DependenciesMalicious NPM Packages Disguised With 'Invisible' DependenciesbyRob WrightOct 29, 20254 Min ReadApplication SecurityAI-Generated Code Poses Security, Bloat ChallengesAI-Generated Code Poses Security, Bloat ChallengesbyRobert Lemos, Contributing WriterOct 29, 20256 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificRecent in World See AllThreat IntelligenceSilver Fox APT Blurs the Line Between Espionage & CybercrimeSilver Fox APT Blurs the Line Between Espionage & CybercrimebyNate Nelson, Contributing WriterAug 8, 20253 Min ReadThreat IntelligenceIran-Israel War Triggers a Maelstrom in CyberspaceIran-Israel War Triggers a Maelstrom in CyberspacebyNate Nelson, Contributing WriterJun 19, 20255 Min ReadThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsLibraryNewslettersPodcastsReportsVideosWebinarsWhite papers Partner PerspectivesSEE ALLApplication SecurityCyberattacks & Data BreachesCyber RiskCybersecurity AnalyticsNewsMalicious NPM Packages Disguised With 'Invisible' DependenciesMalicious NPM Packages Disguised With 'Invisible' DependenciesMalicious NPM Packages Disguised With 'Invisible' DependenciesIn the "PhantomRaven" campaign, threat actors published 126 malicious npm packages that have flown under the radar, while collecting 86,000 downloads.Rob Wright, Senior News Director, Dark ReadingOctober 29, 20254 Min ReadSource: Scott Macmillan via Alamy Stock PhotoAs poisoned software continues to pop up across the industry, some threat actors have found a way to hide malicious code in npm packages and avoid detection from most security tools.In an blog post published today, Koi Security detailed how it uncovered 126 malicious packages with more 86,000 downloads that stole npm tokens, GitHub credentials, and developer secrets from organizations across the globe. The active campaign, which researchers named "PhantomRaven," uses a technique to hide malicious code in dependencies. "It's not in the package you're reviewing. It's in an invisible dependency that gets fetched at install time," wrote Koi security researcher Oren Yomtov in the blog post. "When you install a package with this kind of dependency, npm fetches it from that external URL. Not from npmjs.com. From wherever the attacker wants."PhantomRaven actors achieve this using what's called Remote Dynamic Dependencies (RDD), and it poses significant challenges for enterprise security professionals, who are already struggling to keep up with the growing number of poisoned packages and code repositories plaguing the software development space.PhantomRaven's Invisible DependenciesWith RDD, malicious npm packages appear benign because npm supports a little-used feature that allows URLs to serve as dependency specifiers. Yomtov explained that packages with such URLs appear to automated security systems as having "0 Dependencies" because scanners don't check the links.Related:AI-Generated Code Poses Security, Bloat ChallengesWhen an unsuspecting user installs what appears to be a clean npm package, it fetches the invisible RDD from PhantomRaven-controlled servers. The malicious dependency is sent along with a preinstall script that runs automatically, without any notifications or required user actions. That process takes just a few seconds.With this technique, Yomtov said, threat actors can engage in "sophisticated targeting" by checking the IP address of each individual request so that security researchers receive safe packages and corporate networks receive malicious code or specialized payloads for cloud environments. "PhantomRaven demonstrates how sophisticated attackers are getting at exploiting blind spots in traditional security tooling," Yomtov wrote. "Remote Dynamic Dependencies aren't visible to static analysis."Idan Dardikman, chief technology officer (CTO) and co-founder at Koi Security, tells Dark Reading that many of the tools used to detect malicious code in software packages use only static analysis. "The malicious payload lives on the attacker's server (packages.storeartifact.com in this case), not in the npm registry, so traditional dependency scanners that rely on registry metadata completely miss it," he says via email.Related:It Takes Only 250 Documents to Poison Any AI ModelAI 'Slopsquatting'In addition to the dangers posed by RDD and the lack of dynamic code analysis in dependency scanning tools, Yomtov highlighted another contributing factor to the PhantomRaven campaign: generative AI. The threat actors, Yomtov wrote, used an attack vector referred to as "slopsquatting," which relies on hallucinations from large language models (LLMs) to generate authentic-sounding names for fake packages. "When developers ask AI assistants like GitHub Copilot or ChatGPT for package recommendations, the models sometimes suggest plausible-sounding package names that don't actually exist," he wrote. "PhantomRaven created those non-existent packages."The slopsquatting technique creates two problems. First, the LLMs create package names that closely resemble legitimate packages but are different enough that they don't appear as typosquat attempts. Second, the hallucinated names can be suggested by AI assistants. "We've already found packages in the wild that include PhantomRaven malware as dependencies — victims who installed these packages based on AI recommendations, completely unaware they were compromising their systems," Yomtov wrote.Related:Self-Propagating GlassWorm Attacks VS Code Supply ChainDetecting and Mitigating PhantomRaven Koi Security first detected PhantomRaven this month after the company's behavioral monitoring flagged a pattern of npm packages making external network requests during installation. All the requests went to the same suspicious domain, packages.storeartifact.com, which was traced to a campaign that first began in August.According to Koi Security, PhantomRaven's first wave of malicious packages was detected and removed that month. But the threat actors uploaded more than 100 additional packages over the past two months that evaded detection.  Dardikman says npm's security team is currently in the process of reviewing and removing the malicious packages. "The removal process takes time as npm needs to verify each report and coordinate takedowns," he says. "As of publication, many packages remain active, which is why we're publishing the IOCs — so security teams can proactively check their environments while the full cleanup is underway."Koi Security listed the package names in the blog post's indicators of compromise (IOC), along with the URL and IP address used for data exfiltration. Developers should carefully review the names of the npm packages they select for installation and make sure they are fully analyzed, including all URLs and network requests made during the install process.About the AuthorRob WrightSenior News Director, Dark ReadingRob Wright is a longtime reporter and senior news director for Informa TechTarget's security team. He is based in the Boston area.See more from Rob WrightMore InsightsIndustry ReportsIDC MarketScape: Worldwide Exposure Management 2025 Vendor AssessmentThe Forrester Wave™: Unified Vulnerability Management Solutions, Q3 2025Miercom Test Results: PA-5450 Firewall WinsSecurity Without Compromise Better security, higher performance and lower TCOThe Total Economic Impact™ Of Palo Alto Networks NextGeneration FirewallsAccess More ResearchWebinarsThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterSecuring the Hybrid Workforce: Challenges and SolutionsCybersecurity Outlook 2026Threat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesMeasuring Ransomware Resilience: What Hundreds of Security Leaders RevealedMore WebinarsYou May Also LikeEditor's ChoiceCybersecurity OperationsElectronic Warfare Puts Commercial GPS Users on NoticeElectronic Warfare Puts Commercial GPS Users on NoticebyRobert Lemos, Contributing WriterOct 21, 20254 Min ReadKeep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeNov 13, 2025During this event, we'll examine the most prolific threat actors in cybercrime and cyber espionage, and how they target and infiltrate their victims.Secure Your SeatWebinarsThe Cloud is No Longer Enough: Securing the Modern Digital PerimeterTues, Nov 18, 2025 at 1pm ESTSecuring the Hybrid Workforce: Challenges and SolutionsTues, Nov 4, 2025 at 1pm ESTCybersecurity Outlook 2026Virtual Event | December 3rd, 2025 | 11:00am - 5:20pm ET | Doors Open at 10:30am ETThreat Hunting Tools & Techniques for Staying Ahead of Cyber AdversariesTuesday, Oct 21, 2025 at 1pm ESTMeasuring Ransomware Resilience: What Hundreds of Security Leaders RevealedThu, Oct 23, 2025 at 11am ESTMore WebinarsWhite PapersHow to Chart a Path to Exposure Management MaturitySecurity Leaders' Guide to Exposure Management StrategyThe NHI Buyers GuideThe AI Security GuideTop 10 Identity-Centric Security Risks of Autonomous AI AgentsExplore More White PapersDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2025 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of Use

The article details a sophisticated cybersecurity threat involving malicious npm (Node Package Manager) packages that leverage "invisible dependencies" to evade detection by traditional security tools. This campaign, dubbed **PhantomRaven** by Koi Security researchers, highlights how threat actors exploit the flexibility of npm’s dependency management system to conceal malicious code. The attackers published 126 such packages, which collectively amassed over 86,000 downloads before being discovered. These packages appear harmless on the surface but employ a technique known as **Remote Dynamic Dependencies (RDD)** to secretly fetch and execute malicious code during installation. This method bypasses standard security checks by relying on external URLs for dependencies rather than the official npm registry, making it difficult for automated scanners to detect the threat.

At the heart of PhantomRaven’s approach is the use of RDD, a feature within npm that allows developers to specify dependencies via URLs instead of standard package names. While this functionality is rarely used, it creates a vulnerability that threat actors have exploited. When a user installs an affected package, the npm client fetches the malicious dependency from a remote server controlled by the attackers—typically a domain like *packages.storeartifact.com*—rather than from the official npmjs.com repository. This external dependency is not flagged by static analysis tools, which only examine the registry metadata and not the dynamic content of external URLs. The malicious code is then executed automatically through a **preinstall script**, which runs without user interaction or explicit warnings. This process occurs rapidly, often within seconds, allowing the attackers to steal sensitive information such as npm tokens, GitHub credentials, and developer secrets from unsuspecting users.

A critical factor in the success of PhantomRaven is the use of **AI-generated package names** through a technique referred to as "slopsquatting." Researchers from Koi Security, including Oren Yomtov and Idan Dardikman, noted that threat actors leveraged large language models (LLMs) like GitHub Copilot or ChatGPT to generate convincing yet non-existent package names that closely resembled legitimate ones. This tactic exploits the tendency of developers to rely on AI recommendations for package selection, leading them to install malicious packages without realizing the risk. Unlike traditional typosquatting—where attackers create packages with names that are minor variations of real ones—slopsquatting produces names that are plausible enough to bypass human scrutiny but distinct enough to avoid detection as deliberate phishing attempts. Yomtov emphasized that this method creates a dual problem: the AI-generated names are both indistinguishable from genuine packages and likely to be suggested by trusted tools, increasing the likelihood of successful compromise.

The PhantomRaven campaign also demonstrates a high level of sophistication in its targeting mechanism. By analyzing the IP addresses of users who install the malicious packages, attackers can tailor their payloads to specific environments. For example, security researchers might receive clean packages, while corporate networks could be infected with malware designed for cloud infrastructure or internal systems. This level of customization underscores the threat actors’ ability to adapt their tactics based on the victim’s context, making the attack more effective and harder to trace. Koi Security researchers observed that the campaign’s first wave of malicious packages was detected and removed in August 2025, but the attackers quickly responded by uploading over 100 additional packages that evaded detection. The persistence of the campaign highlights the challenges faced by npm and other package managers in keeping pace with evolving attack vectors.

The article also underscores the limitations of current security practices for detecting such threats. Many tools used to analyze npm packages rely solely on **static analysis**, which examines the code and metadata within the registry but cannot inspect external dependencies or dynamic behavior during installation. Dardikman, Koi Security’s CTO, explained that the malicious payload in PhantomRaven resides on an attacker-controlled server rather than the npm registry, rendering traditional scanners ineffective. This gap in security coverage forces developers to adopt more proactive measures, such as manually reviewing the URLs and network requests associated with installed packages. Koi Security has provided indicators of compromise (IOCs), including the names of affected packages, their URLs, and exfiltration IP addresses, to help organizations identify and mitigate the threat. However, the researchers caution that full cleanup of the npm ecosystem will take time, as the registry must verify each reported malicious package and coordinate takedowns with third-party servers.

Beyond technical vulnerabilities, the PhantomRaven campaign raises broader concerns about the security implications of AI in software development. The use of generative AI to create convincing package names illustrates how emerging technologies can be weaponized by malicious actors. Yomtov warned that as AI tools become more integrated into development workflows, the risk of such attacks will only increase. Developers must remain vigilant and critically evaluate package recommendations from AI assistants, even if they appear legitimate. The article also serves as a reminder of the importance of education and awareness in the software supply chain, particularly for developers who may not be familiar with advanced attack techniques like RDD or slopsquatting.

The article’s authors, including Rob Wright of Dark Reading and Oren Yomtov of Koi Security, emphasize that the PhantomRaven incident is part of a larger trend of increasingly sophisticated cyber threats targeting open-source ecosystems. Open-source platforms like npm are essential to modern software development, but their reliance on decentralized repositories and community contributions creates inherent risks. The challenge lies in balancing the convenience of these platforms with robust security measures that can detect and neutralize threats without hindering innovation. While npm has taken steps to address the issue—such as improving its monitoring capabilities and collaborating with security researchers—the incident highlights the need for continuous improvement in both tooling and practices.

For developers and security professionals, the PhantomRaven campaign serves as a critical case study in the evolving landscape of software supply chain attacks. It underscores the importance of adopting multi-layered security strategies that combine static and dynamic analysis, behavioral monitoring, and manual verification. Organizations must also prioritize transparency in their dependency management processes, ensuring that all external resources are scrutinized for potential risks. Additionally, the article calls for greater collaboration between package maintainers, security firms, and the developer community to establish best practices for mitigating emerging threats. As the use of AI and automation continues to grow, so too must the defenses against the vulnerabilities they introduce.

In conclusion, the PhantomRaven campaign exemplifies how modern cyber threats are becoming more stealthy and sophisticated, exploiting both technical loopholes and human reliance on automation. By leveraging RDD and AI-generated package names, threat actors have demonstrated a new level of ingenuity in evading detection. The incident serves as a wake-up call for the software development community to re-evaluate its security protocols and adopt more proactive measures to protect against similar attacks. As the article notes, while npm is working to address the issue, the broader challenge remains one of vigilance and adaptation in an ever-changing threat landscape. Developers must remain informed about emerging risks, continuously update their tools and practices, and foster a culture of security awareness to safeguard the integrity of the open-source ecosystem.