News and Notes from the Makers of Nexus | Sonatype Blog

PhantomRaven: npm Malware Evolves Again

Written by Sonatype Security Research Team | October 31, 2025

Published 3:00 p.m. ET on October 31, 2025; last updated 5:00 p.m. ET on October 31, 2025

This week, an open source malware campaign dubbed 'PhantomRaven' has run rampant, flooding the npm registry with over a hundred malicious packages that saw more than 86,000 potential victims before discovery.

Unlike previous waves of typosquatting or credential-theft attacks, PhantomRaven introduces a new evasion tactic: remote dynamic dependencies, a mechanism that fetches malicious payloads from outside the npm registry, effectively masking the true dependency tree.

Sonatype, alongside other security research firms, has tracked this malicious campaign and continued to analyze indicators of compromise (IoCs) and tactics, techniques and procedures (TTPs) of the threat actors. Sonatype Security Research has uncovered 83 additional packages associated with this campaign, bringing the total to more than 200. These packages brandjack organizations such as Adobe and Airbnb or pretend to be MCP servers.

Analysis of the 'petstore-integration-test' package demonstrated how the attackers evolved their tactics over time to improve stealth and evade detection. In version 1.0.0, the threat actors used an earlier version of the PhantomRaven campaign's malware that did not contain remote dynamic dependencies. Later, two additional versions of 'petstore-integration-test' were published (1.0.3 and 99.0.0) that used the more advanced evasion techniques described above.

The full list of malicious packages associated with the PhantomRaven campaign is included at the bottom of this blog post.

A Campaign Hidden Beneath Zero Dependencies

The campaign, first detailed by researchers at Koi, appeared to begin in August 2025 and relied on dozens of seemingly benign npm packages. Each package advertised "zero dependencies," giving developers and scanners a false sense of safety. Underneath, however, they contained URL-based imports pointing to attacker-controlled servers.

This means there is no malicious code in the packages themselves. Instead, when one of these packages is installed, npm sees that it requires a dependency from a remote server, and the package manager itself downloads the actual malicious package.

It's this secondary package that does what we've seen time and again:

  • Use a lifecycle hook to execute code

  • Grab environment variables with sensitive tokens in them and collect system information

  • Send stolen data off to a remote URL or collection

By placing the actual attack in a remote dependency hosted on an attacker-controlled server, these packages avoid traditional static analysis techniques that look for the typical, known signs of attack. This also allows the attackers to deliver clean code to some users and malware to others, which can make analysis tricky.

For defenders, PhantomRaven illustrates a new attack surface: the build process itself. By leveraging install-time network calls, attackers can reach into developer machines, CI/CD runners, and container build pipelines long before runtime. Early analysis suggests the malware targeted sensitive environment variables, npm tokens, and source-control credentials.

Supply Chain Defense Must Go Deeper

PhantomRaven underscores a growing reality: open source security can no longer stop at version and vulnerability checks. Modern supply chain defense must account for install-time behavior and dynamic code execution, not just what's declared in package.json.

Sonatype researchers are continuing to analyze the campaign's indicators of compromise and affected infrastructure. A full list of confirmed malicious package names and hashes is being maintained in our internal threat repository and is listed below for reference.

Developers are urged to review npm dependencies that specify external URLs or contain lifecycle scripts and to monitor for outbound network requests during build. Sonatype customers can expect proactive alerts and updated blocklists as the analysis evolves – for more information, visit our Help site documentation on this campaign.
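The review described above can be automated. The following is an added example written for this post, not code from Sonatype or from the campaign analysis: it flags dependencies in a package.json that resolve from a URL or GitHub shorthand instead of the registry, install-time lifecycle scripts, and package-lock entries fetched from a host other than the expected registry. The manifest, lockfile and hostnames below are constructed for illustration.

```javascript
// Added example (not from the Sonatype post). Audits a package.json object and a
// package-lock v2/v3 object for the PhantomRaven pattern: URL-based dependency
// specs, install-time hooks, and packages resolved from an unexpected host.
const REMOTE_SPEC = /^(https?:\/\/|git(\+\w+)?:\/\/|git@|github:|gitlab:|bitbucket:|gist:)/i;
const GITHUB_SHORTHAND = /^[\w.-]+\/[\w.-]+(#.*)?$/; // "owner/repo" also bypasses the registry
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function auditManifest(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (typeof spec === "string" && (REMOTE_SPEC.test(spec) || GITHUB_SHORTHAND.test(spec))) {
        findings.push({ kind: "remote-dependency", field, name, spec });
      }
    }
  }
  for (const hook of INSTALL_HOOKS) {
    if (pkg.scripts && typeof pkg.scripts[hook] === "string") {
      findings.push({ kind: "lifecycle-script", hook, command: pkg.scripts[hook] });
    }
  }
  return findings;
}

// package-lock v2/v3 records the URL each installed package was fetched from,
// so the lockfile exposes the "true dependency tree" the manifest hides.
function auditLockfile(lock, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path || !entry.resolved) continue; // "" is the root project, no resolved URL
    let host = null;
    try { host = new URL(entry.resolved).hostname; } catch (e) { /* unparseable: flagged */ }
    if (!host || !allowedHosts.includes(host)) {
      findings.push({ kind: "unexpected-host", path, resolved: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample inputs (example.invalid is a placeholder, not a real host).
const sampleManifest = {
  name: "example-config", version: "1.0.0",
  dependencies: { "left-pad": "^1.3.0", "helper-lib": "https://example.invalid/npm/helper-lib" },
  scripts: { postinstall: "node setup.js" },
};
const sampleLock = { packages: {
  "": { name: "example-config" },
  "node_modules/left-pad": { resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz" },
  "node_modules/helper-lib": { resolved: "https://example.invalid/npm/helper-lib" },
} };
console.log(auditManifest(sampleManifest), auditLockfile(sampleLock));
```

Run the same functions over every package.json and package-lock.json under node_modules to cover transitive dependencies, and treat `npm install --ignore-scripts` in CI as a complement, not a replacement, for this review.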

The Bottom Line

The PhantomRaven campaign expands the playbook for open source attackers – from tricking developers to manipulating the mechanics of dependency resolution itself. For defenders, the lesson is clear: even packages that look empty can carry invisible threats. Malicious open source is designed to evade typical software composition analysis (SCA) scanners – Sonatype Repository Firewall is the best defense against nascent attacks, compromises, and vulnerabilities.
