Is Your Project Compromised? Check for the 126 Malicious npm Packages in the PhantomRaven Attack.

Author: CyberDudeBivash
Published by CyberDudeBivash • Date: Oct 30, 2025 (IST)

A new npm supply-chain campaign called PhantomRaven pushes 126 malicious packages with 86,000+ downloads, exfiltrating GitHub tokens, npm credentials, and CI/CD secrets via “invisible dependencies.” Audit and clean your projects now. 

TL;DR — Audit Now, Rotate Tokens, Lock Your Pipeline

  • Campaign: PhantomRaven uses 126 malicious npm packages (since Aug 2025) with >86k downloads to steal tokens/secrets. 
  • Technique: “Invisible dependencies” and obfuscated install scripts to evade basic scanners. 
  • Action: Identify tainted deps → remove & reinstall clean → rotate GitHub/npm/CI tokens → enable provenance/2FA → enforce extension/package allowlists.

What We Know About PhantomRaven

  • Scale: 126 packages; >86,000 downloads. 
  • Target: Developer machines and CI runners; the payload steals GitHub tokens, npm tokens, CI secrets and cloud keys.
  • Tactics: Obfuscated installers, hidden/“invisible” deps, immediate exfiltration via HTTP to attacker infra. 
  • Timeline: Active since Aug 2025; multiple writeups surfaced Oct 29–30, 2025. 

Immediate Self-Check (15 Minutes)

  1. List installed deps, including transitive ones:
    npm ls --all --json > deps-tree.json
    Compare every package name in the tree against the package lists published in the writeups (see Sources), and flag anything added in the last few months or from a publisher you don't recognize.
  2. Read the lockfile, not just package.json. Grepping for the campaign name is pointless (the package names have nothing to do with "PhantomRaven"); instead use the two fields a v2/v3 lockfile (npm 7+) already records: "hasInstallScript" marks packages with preinstall/install/postinstall hooks, and "resolved" records where each tarball came from. Anything resolved outside the registry (a raw http URL, a git URL) is exactly where an "invisible" dependency hides:
    grep -n '"hasInstallScript": true' package-lock.json
    grep -n '"resolved":' package-lock.json | grep -v 'https://registry.npmjs.org/'
  3. Block install scripts while triaging (this is a per-user setting and applies to every install on this machine until you undo it in the cleanup):
    npm config set ignore-scripts true
  4. Check npm auth:
    npm token list
    Revoke anything you don't recognize; remember that CI runners usually hold tokens in their own .npmrc or secret store, so check those separately.
  5. GitHub audit: Settings → Developer settings → Personal access tokens, and Settings → SSH and GPG keys; remove unknown tokens, keys and authorized OAuth/GitHub Apps; review the account or organization security log for logins and token use you can't explain.

Cleanup & Token Rotation (Do This Even If Unsure)

  1. Remove suspects from package.json, then wipe the installed tree, the lockfile and the local tarball cache, and rebuild without running any install hooks:
    rm -rf node_modules package-lock.json
    npm cache clean --force
    npm install --package-lock-only --ignore-scripts
    npm ci --ignore-scripts
    npm ci refuses to run without a lockfile, so the lockfile has to be regenerated first; review its diff before committing it. The cache purge matters because a malicious tarball already in ~/.npm is reused otherwise.
  2. Rotate credentials immediately:
    • Revoke/regenerate GitHub PATs, npm tokens, registry creds, and CI secrets.
    • Replace any long-lived cloud keys with short-lived, scoped tokens.
  3. Artifact hygiene: Rebuild artifacts from clean state; invalidate suspicious builds, caches, and Docker layers.
  4. Restore installs safely: ignore-scripts is a per-user setting, not a per-package one, so once cleanup is done re-enable hooks on the machine and instead keep ignore-scripts=true in the .npmrc of every project that does not need them:
    npm config delete ignore-scripts

Hardening npm + GitHub + CI/CD

  • Require 2FA on GitHub (org-wide) and on npm, enforce SSO, and publish with provenance (npm publish --provenance from a trusted CI builder) so consumers can verify where a package was built.
  • Private registries/allowlists: mirror and pin vetted packages; block unknown publishers by default.
  • Review the lockfile diff on every dependency bump; set ignore-scripts=true in the project .npmrc and allow install hooks only for packages reviewed by name.
  • EDR/SWG egress watch: alert when a developer host archives a repository and POSTs to a never-seen domain within minutes of an npm install.
  • SBOM + SCA: generate an SBOM (CycloneDX) and scan it for tainted transitive deps; fail builds on hits.

Enterprise Guardrails & Policies

  • Registry policy: Force all installs through an internal proxy/Artifactory with curated allowlists.
  • Least-privilege CI: ephemeral runners, no long-lived PATs, OIDC-based temp creds, outbound egress allow-list.
  • Extension governance: combine with VS Code extension allowlists (recent waves abused dev tools). 
  • Incident comms: org-wide bulletin—rotate tokens, verify repos, and re-build from clean state.

FAQ

Where can I see the full list of 126 packages?

Koi Security's writeup (listed under Sources) carries the package list and indicators; the news recaps link back to it. Match the names against your lockfile and SBOM, not only against package.json.

None of the listed packages is in our package.json. Are we still at risk?

Yes. PhantomRaven pulls its malicious code in through transitive and "invisible" dependencies that sit in the install path without appearing as direct dependencies, so a clean package.json proves nothing. Audit the full lockfile and the SBOM.

Is this tied to other npm waves?

It follows other large npm compromises this fall; the pattern (token theft → package takeover → worm-like spread to further packages) mirrors recent campaigns. Use strict allowlists and provenance.


Sources

  • Koi Security — “PhantomRaven: NPM Malware Hidden in Invisible Dependencies” (Oct 29, 2025): 126 packages; 86k+ downloads; token/secret theft. 
  • BleepingComputer — “PhantomRaven attack floods npm with credential-stealing packages” (Oct 29, 2025): campaign details, downloads, timeline. 
  • The Hacker News — “PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens” (Oct 30, 2025). 
  • CyberSecurityNews — “PhantomRaven Attack Involves 126 Malicious npm Packages…” (Oct 30, 2025). 
  • Dark Reading / Infosecurity — on “invisible dependencies” evasion used in npm malware. 