PhantomRaven attack floods NPM with credential-stealing packages

The PhantomRaven threat group has launched a significant attack on the NPM ecosystem by flooding it with malicious packages designed to steal user credentials. This campaign highlights the growing risk of supply chain attacks targeting open-source software repositories, which are critical to modern software development. The attackers uploaded numerous packages that mimic legitimate ones but contain hidden malicious code to harvest sensitive information from developers and users. This incident underscores the importance of rigorous package vetting and enhanced security measures within package management systems like NPM. Developers are urged to verify package authenticity and monitor for unusual activity to mitigate the risk of credential theft and potential downstream compromises. The PhantomRaven attack serves as a stark reminder of the evolving tactics employed by cybercriminals to exploit trusted software supply chains and the need for continuous vigilance in the cybersecurity community.

This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 29 Oct 2025 16:30:13 +0000


Cyber News related to PhantomRaven attack floods NPM with credential-stealing packages

PhantomRaven Attack Involves 126 Malicious NPM Packages - The PhantomRaven cyberattack has been uncovered involving a staggering 126 malicious NPM packages, posing a significant threat to the software development community. These packages were designed to infiltrate systems by exploiting the widely used ...
2 months ago Cybersecuritynews.com PhantomRaven
'everything' blocks devs from removing their own npm packages - Since these 3,000+ packages manage to include every single npm package on the npmjs.com registry as their dependency, npm package authors who have ever published to the npm registry would now be unable to remove their packages at will, because of ...
2 years ago Bleepingcomputer.com
What is Credential Harvesting? Examples & Prevention Methods - Credential harvesting is a serious threat to your organization's online security and privacy. Understanding how credential harvesting attacks work is crucial in safeguarding your personal and business data. Common Techniques Used in Credential ...
1 year ago Securityboulevard.com
Malicious PyPI packages targeting highly specific MacOS machines - As part of our software package supply chain security efforts, we continuously scan for malware in newly released PyPI and NPM packages. In this post, we describe a particularly interesting cluster of malicious packages that we've identified. In late ...
1 year ago Securitylabs.datadoghq.com
5000+ Malicious Packages Found In The Wild To Compromise Windows Systems - These packages, detected from November 2024 onward, employ sophisticated techniques to evade traditional security measures while executing harmful actions that can lead to data theft, unauthorized access, and complete system compromise. Similarly, ...
10 months ago Cybersecuritynews.com
Lazarus Hackers Weaponized 6 npm Packages To Steal Logins - The hackers successfully compromised six popular npm packages, injecting malicious code designed to harvest login credentials from thousands of developers and organizations worldwide. A sophisticated supply chain attack orchestrated by the notorious ...
10 months ago Cybersecuritynews.com Lazarus Group
npm 'accidentally' removes Stylus package, breaks builds and pipelines - Panya (the former maintainer of Stylus) used their own account to release a package containing malicious code (for security research purposes? I am unsure), but did not release a new version of Stylus containing malicious code. BleepingComputer ...
5 months ago Bleepingcomputer.com
Malicious NPM packages fetch info-stealer for Windows, Linux, macOS - A recent cybersecurity investigation has uncovered malicious NPM packages that distribute an info-stealer malware targeting Windows, Linux, and macOS platforms. These packages, hosted on the popular Node Package Manager (NPM) repository, have been ...
2 months ago Bleepingcomputer.com
3 PYPI Packages Caught Spreading Malware - Recent reports have highlighted the malicious spreading of malware via 3 specific Python Package Index (PyPI) packages. These 3 packages were identified and reported by Sonatype, a software supply chain security firm. ...
2 years ago Securityaffairs.com
Hackers breach Toptal GitHub account, publish malicious npm packages - In the days that followed, the attackers modified the source code of Picasso on GitHub to include malware and published 10 malicious packages on NPM as Toptal, making them appear as legitimate updates. According to code security ...
5 months ago Bleepingcomputer.com
Lazarus Adds New Malicious npm Packages with Hexadecimal Encoding - These packages, part of the broader Contagious Interview operation, are designed to evade automated detection systems and manual code audits, marking a significant evolution in the group’s approach to cyber espionage and financial theft. The ...
9 months ago Cybersecuritynews.com Lazarus Group
Malicious NPM, PyPI Packages Stealing User Information - Check Point and Phylum are warning of recently identified NPM and PyPI packages designed to steal user information and download additional payloads. Taking advantage of the broad use of open source code in application development, malicious actors ...
2 years ago Securityweek.com
Malicious npm and PyPI Pose as Developer Tools to Steal Login Credentials - The researchers noted that the packages employ various exfiltration methods to transmit stolen credentials to threat actors, with react-native-scrollpageviewtest using Google Analytics as its exfiltration channel, while the PyPI packages leverage ...
8 months ago Cybersecuritynews.com
New npm attack poisons local packages with backdoors - Two malicious packages were discovered on npm (Node package manager) that covertly patch legitimate, locally installed packages to inject a persistent reverse shell backdoor. In general, when downloading packages from package indexes like PyPI and ...
9 months ago Bleepingcomputer.com
Malicious npm Packages Attacking Linux Developers to Install SSH Backdoors - Discovered in early 2025, several malicious npm packages have been masquerading as legitimate Telegram bot libraries to deliver SSH backdoors and exfiltrate sensitive data from unsuspecting developers. The malicious variants—node-telegram-utils, ...
8 months ago Cybersecuritynews.com
Misconfiguration and vulnerabilities biggest risks in cloud security: Report - The two biggest cloud security risks continue to be misconfigurations and vulnerabilities, which are being introduced in greater numbers through software supply chains, according to a report by Sysdig. While zero trust is a top priority, data showed ...
2 years ago Csoonline.com Hunters
175 Malicious NPM Packages With 26,000 Downloads Found in the Wild - A recent cybersecurity investigation uncovered 175 malicious NPM packages that have been downloaded over 26,000 times, posing significant risks to developers and organizations relying on these packages. These malicious packages were designed to steal ...
3 months ago Cybersecuritynews.com
Ta444 Turn Credential Harvesting Activity: A Comprehensive Guide - The Ta444 cyber threat group is one of the most active cybercriminals in the world, and one of their notable methods is credential harvesting. Credential harvesting is the process of stealing users' information, such as usernames, passwords, credit ...
2 years ago Securityaffairs.com
CVE-2025-68619 - Signal K Server is a server application that runs on a central hub in a boat. Versions prior to 2.19.0 of the appstore interface allow administrators to install npm packages through a REST API endpoint. While the endpoint validates that the package ...
1 week ago
Malicious NPM Packages Targeting PayPal Users to Steal Sensitive Data - FortiGuard Labs, Fortinet’s AI-driven threat intelligence arm, has uncovered a series of malicious NPM packages designed to steal sensitive information from developers and target PayPal users. Detected between March 5 and March 14, 2025, these ...
9 months ago Cybersecuritynews.com
How To Correlate Web Logs And Network Indicators To Track Credential Theft - To effectively detect credential theft, organizations must collect and analyze logs from a variety of sources, including web servers, authentication systems, proxies, DNS servers, endpoint protection platforms, and network monitoring tools. Common ...
8 months ago Cybersecuritynews.com
GitHub tightens npm security with mandatory 2FA for access tokens - GitHub has announced a significant security enhancement for npm package maintainers by mandating two-factor authentication (2FA) for all access tokens. This move aims to bolster the security of the npm ecosystem, which is critical given the ...
3 months ago Bleepingcomputer.com
New NPM Attack Infecting Local Packages With Cleverly Hidden Malicious Payload - These packages act as downloaders, injecting malicious code into locally installed versions of the legitimate ethers package, ultimately creating a reverse shell on the victim’s machine. The threat actor may have been attempting to ...
9 months ago Cybersecuritynews.com
Threat Actors Hijack Popular npm Packages to Steal The Project Maintainers' npm Tokens - Attackers first harvested maintainer credentials through sophisticated phishing emails, then used these stolen tokens to publish malicious package versions directly to npm repositories without making any corresponding changes to GitHub repositories, ...
5 months ago Cybersecuritynews.com