The Return of PhantomRaven: Detecting Three New Waves of npm Supply Chain Attacks
Summary:
Endor Labs researchers have identified 88 new malicious npm packages linked to three active waves of the PhantomRaven software supply chain campaign. Utilizing Remote Dynamic Dependencies (RDD) to evade standard security scanners, this threat actor leverages benign-looking packages to silently execute credential-stealing malware during the installation process. Although the creator alleges these packages are for security research, the extensive harvesting of developer emails, CI/CD pipeline variables, and system fingerprints strongly indicates malicious intent. The campaign remains highly active with continuous infrastructure rotation, posing a significant risk to development environments and highlighting critical blind spots in conventional dependency scanning.
Security Officer Comments:
The PhantomRaven campaign leverages a technique known as Remote Dynamic Dependencies (RDD) to conceal its malicious payload. Instead of hosting the malware directly within the published npm package, the attacker specifies an HTTP URL in the package.json dependencies field. When a developer or CI/CD pipeline executes an npm install, the package manager natively fetches the second-stage payload from the attacker-controlled server. This architecture successfully bypasses standard static analysis tools that typically only scan registry-hosted code.
Once executed, the malware conducts extensive system reconnaissance and data harvesting. It extracts developer emails from environment variables, local .gitconfig files, .npmrc files, and local package.json configurations. It also targets CI/CD pipeline environment variables and gathers comprehensive system fingerprints, including resolving the public IP address via external APIs. To maintain stealth during the installation phase, the malware suppresses console output by wrapping logging functions in an if (!isPreinstall) condition, ensuring no visual indicators alert the victim.
Data exfiltration is highly resilient, utilizing a dual-method approach by sending data via both URL parameters (GET) and a JSON body (POST) with a spoofed Windows Chrome User-Agent. A WebSocket fallback mechanism is also present in the code. The malicious infrastructure is remarkably consistent across all campaign waves, relying on AWS EC2 instances running Apache on Ubuntu with plaintext HTTP communication. The attacker heavily rotates operational details, generating over 50 disposable npm accounts and registering varying Command and Control (C2) domains that incorporate the word "artifact" to mimic legitimate package servers.
Suggested Corrections:
Actionable Suggested Corrections
- Block network traffic to the identified C2 domains and IP addresses listed in the IOC table.
- Scan all package.json files for dependencies that resolve to hardcoded HTTP or HTTPS URLs instead of standard version ranges.
- Audit development environments and CI/CD pipelines for the presence of the known malicious RDD dependency names (ui-styles-pkg, js-pkg, ts-pkg).
- Hunt for unexpected outbound HTTP requests during the npm install phase, specifically those targeting anomalous PHP endpoints like /jpd.php or /npm.php.
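One way to run the package.json scan suggested above, as an added example (not Endor Labs' tooling and not code from the blog post): it flags dependency entries whose specifier is an HTTP or HTTPS URL, and entries using the three RDD names listed above. The function name, the finding labels and the sample manifest are assumptions made for illustration; the sample hosts are reserved placeholders, not IOCs.

```javascript
// Added example: flag package.json dependencies that bypass the npm registry.
// KNOWN_RDD_NAMES comes from this page; everything else is illustrative.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const KNOWN_RDD_NAMES = new Set(["ui-styles-pkg", "js-pkg", "ts-pkg"]);
const URL_SPEC = /^(https?):\/\//i; // a URL where a semver range is expected

function findRemoteDependencies(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps || typeof deps !== "object") continue; // field absent or malformed
    for (const [name, spec] of Object.entries(deps)) {
      const reasons = [];
      const m = typeof spec === "string" ? URL_SPEC.exec(spec.trim()) : null;
      // Plaintext HTTP is called out separately: the campaign's servers use it.
      if (m) reasons.push(m[1].toLowerCase() === "http" ? "plaintext-http-url" : "https-url");
      if (KNOWN_RDD_NAMES.has(name)) reasons.push("known-rdd-name");
      if (reasons.length) findings.push({ field, name, spec, reasons });
    }
  }
  return findings;
}

// Constructed sample manifest (example.invalid is a reserved, non-resolving name).
const sampleManifest = {
  name: "demo-app",
  dependencies: {
    lodash: "^4.17.21",
    "ui-styles-pkg": "http://packages.example.invalid/npm/ui-styles-pkg",
    "left-pad": "npm:left-pad@1.3.0", // registry alias, not a remote URL
  },
  devDependencies: {
    "build-helper": "https://example.invalid/build-helper-1.0.0.tgz",
    "ts-pkg": "1.0.0", // registry version, but a name from the list above
  },
};

for (const f of findRemoteDependencies(sampleManifest)) {
  console.log(`${f.field}: ${f.name} -> ${f.spec} [${f.reasons.join(", ")}]`);
}
```

To scan a repository, pass each parsed package.json (for example the result of JSON.parse on the file contents) to findRemoteDependencies and fail the build when the returned list is non-empty.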
General Best Practices
- Implement strict egress filtering in CI/CD and build environments to prevent unauthorized network connections during package resolution.
- Adopt advanced Software Composition Analysis (SCA) tools capable of inspecting full dependency trees, including remote tarballs and dynamic dependencies.
- Enforce the principle of least privilege for build pipelines, ensuring environment variables containing sensitive secrets are only accessible to authorized and verified steps.
- Continuously monitor and alert on modifications to package manifests that introduce non-registry sources.
Network Indicators (IOCs) are available in the blog post.
Link(s):
https://www.endorlabs.com/learn/return-of-phantomraven