Critical Vulnerability: The Dark Side of Code Dependencies
The modern development ecosystem, built on repositories like NPM (Node Package Manager), relies on trust and efficiency. However, a recent report from the security firm Koi has sounded the alarm, revealing a massive cyberattack campaign, tracked as PhantomRaven, that comprises over 126 malicious packages. These packages have been downloaded more than 86,000 times since August, largely flying under the radar.
The key to the attack’s success lies in the exploitation of a “blind spot” in traditional security tools.
What are Remote Dynamic Dependencies (RDD)?
Attackers have leveraged an NPM practice known as Remote Dynamic Dependencies (RDD).
Normally, dependencies (code libraries required for a package to function) are visible to the developer and installed from NPM’s trusted infrastructure. RDD, conversely, allows a package to download and execute code from untrusted third-party websites, even over unencrypted HTTP connections.
The PhantomRaven attackers exploited this leniency by including code that:
- Downloads Invisible Malicious Code: The code in the NPM packages downloads harmful dependencies from external URLs (e.g., http://packages.storeartifact.com/...).
- Hides Itself: To the developer and many security scanners, the package appears to contain “0 Dependencies,” as the malicious code is not included in NPM’s visible dependency list. An internal NPM feature automatically installs this invisible download.
Attack Sophistication and Information Theft
This attack methodology is not only effective but extremely sophisticated, as the malicious code is downloaded “fresh” from the attacker’s server every time the package is installed.
This dynamic opens the door to targeted, long-term attacks. Attackers could, in theory:
- Serve Specific Payload: Differentiate the code sent based on IP (benign code for security researchers and malicious code for corporate networks or cloud environments).
- The Long Game: Serve clean code for weeks to build trust and pass security scans, and subsequently flip a switch to start serving the malicious version.
Once installed, the dependencies thoroughly scour the infected machine in search of sensitive information, including:
- Credentials: For GitHub, Jenkins, and NPM (potentially usable in follow-on supply-chain attacks).
- CI/CD Environment: All information regarding the automated Continuous Integration and Continuous Delivery environment.
- Environment Variables: Configurations and other data about the developer’s internal system.
Finally, the process for exfiltrating the gathered data is “redundant to the point of paranoia,” utilizing multiple methods such as HTTP requests, JSON, and WebSockets.
The Artificial Intelligence Factor
An interesting detail is that many of the names of the dependencies used by PhantomRaven were previously discovered as “hallucinations” from AI chatbots. Developers often query LLMs (Large Language Models) for dependency names, and attackers are leveraging these erroneous, AI-suggested names to create their malicious packages.
If you or your team regularly download packages from NPM, it is crucial to review the indicators of compromise listed in Koi’s original publication to determine if your system has been targeted by PhantomRaven.
The original article detailing the PhantomRaven campaign can be consulted at Ars Technica: NPM flooded with malicious packages downloaded more than 86,000 times.