1. Executive Summary

A large-scale npm supply-chain malware operation, codenamed PhantomRaven npm supply chain malware campaign, flooded the registry with over 120 malicious packages to steal developer and CI/CD credentials using install-time “Remote Dynamic Dependencies.” The threat targets npm users in both local development and build pipelines, aiming to exfiltrate tokens and secrets for downstream compromise. Validated IOCs include the IP 54.173.15.59, domain packages.storeartifact[.]com, and exfil path jpd.php. Business risk is high: theft of Credential Stealing (GitHub Tokens, CI/CD secrets) can enable supply-chain compromise of customers. Confidence: high for scope/IOCs; medium for full package inventory and all infrastructure.

2. Campaign Technical Profile

• Codename and scope
  • The operation is tracked as PhantomRaven, impacting broad sets of npm packages via credential-stealing payloads embedded in Malicious npm Packages.
  • Timeline: First observed around Aug 2025; active into late 2025 (multiple reporting waves). Some takedown activity reported but incomplete; campaign remains operational. Confidence: medium for exact dates; high for ongoing activity.
• Likely motivation and targeting
  • Primary objective: Credential Stealing (GitHub Tokens, CI/CD secrets).
  • Targets: Developers and CI/CD environments (GitHub Actions, GitLab, Jenkins, CircleCI) consistent with Token theft from developer machines and CI/CD environments.
• Package taxonomy and lures
  • Distribution via slopsquatting/impersonation themes (e.g., AI-generated or “helper” packages) to increase install likelihood. READMEs and names suggest legitimacy. Confidence: medium (consistent with multiple OSINT summaries).
• RDD mechanism and install-time callbacks
  • Packages use Remote Dynamic Dependencies (RDD): they declare zero dependencies yet fetch and execute remote code at install (e.g., via npm lifecycle scripts).
  • Why it evades static checks: No declared dependency tree, minimal on-registry payload, and network retrieval occurs at install, bypassing static SCA/detectors that only analyze package tarballs or metadata.
  • Observed infrastructure: remote stagers/C2 at packages.storeartifact[.]com and IP 54.173.15.59; exfil endpoint path jpd.php.
  • Execution phase aligns to MITRE ATT&CK Execution (TA0002) triggered during npm install.
  • Persistence: No durable persistence confirmed; activity appears primarily install-time with token/secret theft and immediate exfil. Confidence: medium.
• Exfiltration channels
  • HTTP GET/POST (including PHP endpoints like jpd.php), WebSocket, and use of Telegram. Confidence: high for HTTP; medium for WebSocket/Telegram usage noted in OSINT.

3. ATT&CK Mapping & Kill Chain

Attack lifecycle overview:

• Initial Access: npm package install of trojanized packages.
• Execution: install-time scripts fetch and run remote code.
• Credential Access: scraping tokens/secrets from env and config.
• Exfiltration: outbound HTTP/WS or Telegram to attacker infra.
• Impact: unauthorized code publishes, pipeline edits, and downstream compromise.

TTPs table

4. Indicators & Assets

Validated IOCs

• Domain: packages.storeartifact[.]com
  • Role: Stager/C2/exfil endpoint
  • First_seen: Unknown (public OSINT); Last_seen: 2025-10-31 (OSINT snapshot)
  • Confidence: High
  • Source: Multi-source OSINT (Firecrawl summaries)
• IP: 54.173.15.59
  • Role: Hosting attacker web service (stager/exfil)
  • First_seen: 2025-10-31T08:13:54Z (VT/Shodan observation)
  • Last_seen: 2025-10-31 (OSINT snapshot)
  • Confidence: High
  • Source: VirusTotal, Shodan
• URL path: jpd.php
  • Role: Exfil receiver script
  • First_seen: Unknown; Last_seen: 2025-10-31 (OSINT snapshot)
  • Confidence: Medium-High
  • Source: Firecrawl OSINT

Malicious package set

• Family: Malicious npm Packages
  • Count: ~126 (OSINT consensus)
  • Naming themes: slopsquatting/impersonation; AI-generated helper libs
  • Confidence: High on presence/scale; Low on complete inventory in this report

Other entities

• Campaign: PhantomRaven
• Ecosystem: npm

Note: No file hashes or publisher accounts were conclusively validated in this dataset.

5. Developer & CI/CD Risk Assessment

• Local developer boxes
  • Threats: Theft of npm tokens, PATs, SSH keys, and cloud credentials; reading .npmrc/.gitconfig; environment variable scraping.
  • Impact: Account takeover; ability to publish malicious versions; access to private repos; credential re-use across services.
• Build agents (GitHub Actions, GitLab CI, Jenkins, CircleCI)
  • Threats: Theft of ephemeral or stored CI secrets; substitution of workflows/pipelines; tampering with release artifacts.
  • Impact: Supply-chain poisoning of downstream customers; silent credential exfil; persistence via modified pipelines.
• Token abuse scenarios
  • npm token misuse: unauthorized publish, unpublish, or org-level package takeover.
  • GitHub/GitLab PATs: repo pushes, workflow edits, adding malicious Actions, or disabling protections.
  • Jenkins/CircleCI: pipeline config edits, adding exfil steps, artifact repository poisoning.
• Blast radius
  • From a compromised runner, lateral movement through SCM permissions, artifact registries, and secrets managers is feasible if tokens are broadly scoped or long-lived.

6. Detection & Hunting Playbook

High-signal focus areas

• Network
  • Outbound HTTP/WS during npm install from dev or CI nodes to unknown domains, especially packages.storeartifact[.]com or IP 54.173.15.59; POSTs to PHP endpoints like jpd.php; unusually long query strings; WS upgrades from build hosts.
• Host
  • Node/JS processes spawned by npm/pnpm/yarn performing network egress, reading token files (.npmrc), or enumerating environment variables; spawning shells (sh, bash, powershell).
• Repo/CI telemetry
  • Sudden dependency changes introducing install-time network fetches; publish events from new IPs; workflow/pipeline modifications without PR review.

Example Sigma rules (generic, Windows/Linux/macOS)

• Suspicious Node child-process tree on developer/CI hosts
  • Title: Node spawning shell during npm install
  • Log source: process creation (Sysmon, auditd, OpenBSM)
  • Selection:
    • ParentImage: (npm|yarn|pnpm|node)
    • Image: (sh|bash|zsh|powershell.exe|cmd.exe|curl|wget)
  • Condition: selection and ParentCommandLine contains "install"
  • False positives: legitimate postinstall scripts; tune per org.
• Node reading sensitive config
  • ParentImage: (npm|yarn|pnpm)
  • Image: (node)
  • CommandLine contains (".npmrc"|".gitconfig")

Elastic (ES|KQL) examples

• Anomalous npm network egress during builds
  • process.name:(npm or yarn or pnpm) and process.command_line:(install) and destination.domain:(packages.storeartifact.com) or destination.ip:(54.173.15.59)
• POST to PHP exfil endpoints
  • network.protocol:http and http.request.method:POST and url.path:(.php or jpd.php) and host.hostname:(ci- or runner-*)

Splunk examples

• npm install with outbound
  • index=network (process=npm OR process=yarn OR process=pnpm) "install" (dest_domain=packages.storeartifact[.]com OR dest_ip=54.173.15.59)
• Exfil via PHP path
  • index=proxy http_method=POST (uri_path="/jpd.php" OR uri_path=".php") (src_host=build* OR src_host=dev*)

YARA (if applicable to staged artifacts)

• Scope: JS files that include install-time network fetch and PHP path tokens
  • rule phantomraven_install_fetch
    • strings: "npm install" "http" "/jpd.php" "process.env"
    • condition: 2 of them
  • Note: Use cautiously; high FPs; tune with org-specific context.

7. Prevention & Hardening

• Dependency controls
  • Enforce lockfile pinning; prevent auto-upgrades in CI.
  • In CI where feasible: npm config set ignore-scripts true.
  • Restrict build egress by ACLs; allowlist only required registries/domains.
  • Use artifact proxies/private registries; quarantine new packages.
  • SCA/Policy: flag packages that execute install scripts or fetch HTTP URLs at install; alert on zero-dependency packages with network activity.
• Identity and secrets
  • Enforce 2FA for publishers; rotate org tokens; use least-privilege, short-lived PATs.
  • Secret scanning for .npmrc, PATs, cloud keys in repos and build logs.
  • Store CI secrets in dedicated vaults with scoped access; minimize runner secret exposure.
• Operational
  • Monitor publishes for new IP geos; require code-signing and provenance attestations for releases.
  • Require PR reviews for pipeline changes; protect main branches.

8. Incident Response Guide (If Exposure Found)

• Containment (immediate)
  • Isolate affected developer machines/runners; block 54.173.15.59 and packages.storeartifact[.]com; disable compromised accounts; revoke npm/SCM/CI tokens.
• Eradication
  • Wipe/rebuild infected hosts; reimage CI runners.
  • Validate package integrity and lockfiles; remove suspect dependencies.
  • Review commit history, workflow/pipeline changes, and publish events for unauthorized edits.
• Recovery
  • Rotate org-wide secrets (npm, GitHub, GitLab, Jenkins, CircleCI).
  • Re‑sign releases; rebuild from clean environments; restore pipelines from trusted code.
  • Retrospective monitoring window: at least 90 days of network/identity logs.
• Communications
  • Internal advisory to engineering, security, and leadership with IOCs, affected repos/packages, actions taken, and required developer steps (token rotation, workstation rebuilds as needed).

9. Business Impact & Risk Quantification

• Developer machines
  • Likelihood: High (wide package distribution); Impact: High (account takeover, repo access).
  • Result: Elevated risk to IP and internal repos; potential for credential reuse across services.
• CI/CD
  • Likelihood: Medium-High (pipeline installs execute scripts); Impact: Very High (release tampering, supply-chain impact).
  • Result: Potential to push malicious releases; compliance and trust erosion.
• Downstream customers
  • Likelihood: Medium (depends on compromise chain); Impact: Very High (malicious updates).

‍

‍