The PhantomRaven campaign has launched new waves of attacks against the npm registry, distributing 88 malicious packages through 50 disposable accounts. The packages use 'slopsquatting' (registering package names that LLM coding assistants hallucinate, so a developer who follows the suggestion installs the attacker's package instead of a non-existent one) and Remote Dynamic Dependencies (RDD), in which package.json declares a dependency by URL rather than by registry version, so the tarball published to npm contains nothing suspicious while the malicious code is fetched from an attacker-controlled server at install time. Once installed, the packages harvest credentials, CI/CD tokens and system information from JavaScript developers' machines and exfiltrate them to attacker-controlled C2 servers.
Reconnaissance
Targeting the npm Ecosystem
likely
The threat actor selects the npm registry as the distribution channel and chooses package names to register, including names that LLM coding assistants are likely to hallucinate, so that the malicious packages are installed by developers rather than having to be pushed to them.
Defender cut points
Monitoring of npm package submissions for suspicious activity, such as bursts of new packages from newly created accounts or manifests that declare dependencies by URL rather than by registry version.
Threat intelligence feeds identifying known malicious package names, publisher accounts and download hosts.
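As an added example (not code from the PhantomRaven report, from npm, or from any vendor tooling), the following Node.js script implements the first cut point above for the RDD technique described in the summary: it classifies each dependency spec in a package.json and flags any that npm would resolve from a URL, git host or local path rather than from the registry, and it applies the same idea to the resolved fields of a package-lock.json so that a remote dependency pulled in transitively is also caught. The manifest and lockfile contents are constructed samples, and the host packages.example.invalid is a placeholder, not an indicator from the campaign.

```javascript
// Added example: detect Remote Dynamic Dependencies (RDD) in npm metadata.
// npm accepts URLs, git locations and local paths as dependency specs; code
// fetched from those sources at install time was never part of the tarball the
// registry scanned, which is what the RDD technique relies on.

const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Classify one dependency spec string. Anything other than 'registry' (or the
// registry-backed 'alias' form) means install time fetches code from elsewhere.
function classifySpec(spec) {
  const s = String(spec).trim();
  if (/^https?:\/\//i.test(s)) return 'remote-url';                 // tarball fetched over HTTP(S) at install
  if (/^(git(\+\w+)?:\/\/|git@|ssh:\/\/)/i.test(s)) return 'git-url';
  if (/^(github|gitlab|bitbucket|gist):/i.test(s)) return 'git-hosted';
  if (/^(file:|\.\.?\/|\/)/.test(s)) return 'local-path';
  if (/^npm:/i.test(s)) return 'alias';                              // registry package under another name
  if (/^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) return 'git-hosted';        // bare owner/repo GitHub shorthand
  return 'registry';                                                 // semver range or dist-tag
}

// Walk a parsed package.json and collect every dependency that does not
// resolve through the registry.
function findRemoteDependencies(manifest) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = manifest[field];
    if (!deps || typeof deps !== 'object') continue;
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpec(spec);
      if (kind === 'registry' || kind === 'alias') continue;
      findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// Walk the packages table of a lockfile (v2/v3 format) and flag any entry whose
// resolved URL is not on an allowed registry host. Covers transitive RDDs that
// never appear in the top-level manifest.
function findNonRegistryResolved(lock, allowedHosts = ['registry.npmjs.org']) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.resolved) continue; // root entry and workspace links carry no resolved URL
    let host = null;
    try { host = new URL(entry.resolved).host; } catch (_) { host = null; }
    if (host === null || !allowedHosts.includes(host)) {
      findings.push({ path, resolved: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample manifest (not a real package): one ordinary dependency,
// one RDD pointing at a placeholder attacker host, one git-hosted dependency.
const SAMPLE_MANIFEST = {
  name: 'example-utils',
  version: '1.0.0',
  dependencies: {
    lodash: '^4.17.21',
    'unused-helper': 'http://packages.example.invalid/unused-helper-1.0.0.tgz',
  },
  devDependencies: {
    'some-tool': 'github:someuser/some-tool#main',
  },
};

// Constructed sample lockfile: one registry-resolved entry, one fetched from
// the placeholder host.
const SAMPLE_LOCKFILE = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/lodash': { version: '4.17.21', resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
    'node_modules/unused-helper': { version: '1.0.0', resolved: 'http://packages.example.invalid/unused-helper-1.0.0.tgz' },
  },
};

// Convenience wrapper for raw file contents as read from disk.
function scanManifestJson(json) {
  return findRemoteDependencies(JSON.parse(json));
}

for (const f of scanManifestJson(JSON.stringify(SAMPLE_MANIFEST))) {
  console.log(`[${f.kind}] ${f.field}.${f.name} -> ${f.spec}`);
}
for (const f of findNonRegistryResolved(SAMPLE_LOCKFILE)) {
  console.log(`[lockfile] ${f.path} resolved from ${f.resolved}`);
}
```

In a CI gate, run scanManifestJson over every package.json in the tree after install and fail the build on any 'remote-url' finding; git-hosted and local-path specs are legitimate in some projects, so treat those as review items rather than hard failures. The lockfile check is the one that catches a remote dependency declared by a transitive package, which is where the registry-hosted tarball looks clean.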