By asahifile NPM Flooded with Malicious Packages Downloaded More Than 86,000 Times
In a recent security alert, it has come to light that attackers are exploiting a significant vulnerability within the Node Package Manager (NPM), allowing them to gain access to the code repository with over 100 credential-stealing packages since August, largely unnoticed.
This troubling discovery was made by the security firm Koi, which detailed a sophisticated campaign dubbed “PhantomRaven.” This campaign has inundated NPM with 126 malicious packages that have collectively been downloaded over 86,000 times, with around 80 of these packages still available, according to Koi.
A Blind Spot in Security
Oren Yomtov, a representative from Koi, emphasized that PhantomRaven demonstrates how adept attackers are at exploiting weaknesses in traditional security practices. A particular concern is the use of “Remote Dynamic Dependencies” (RDD) by NPM, which allows installed packages to autonomously download and run unvetted dependencies from untrustworthy sites.
Traditionally, dependencies are visible to developers when they install a package, typically pulled from a trusted NPM infrastructure. However, RDD changes this: it permits packages to fetch dependencies from untrusted sites—including over unencrypted HTTP connections. The perpetrators behind the PhantomRaven campaign have leveraged this permissiveness by embedding code in the malicious packages that downloads these dependencies from suspicious URLs. Due to their “invisible” nature, developers—and many security scanners—may be unaware that these dependencies exist, as the package will appear to have “0 Dependencies.”
A concerning aspect of this vulnerability is that each installation retrieves dependencies fresh from the attacker’s server, rather than utilizing a static or cached version, presenting a new layer of risk. Koi explained that attackers could tailor their payloads based on the originating IP address, delivering benign code to security researchers and harmful code to corporate networks, thereby complicating detection efforts.
Scope of Data Exfiltration
Once successful, these malicious dependencies scour infected machines for sensitive information, targeting:
- Environment variables that reveal internal configurations.
- Credentials from GitHub, Jenkins, and NPM, which could lead to further supply chain attacks.
- The entire continuous integration and continuous deployment (CI/CD) environment used to manage code integration from multiple developers.
Koi described the methodology for exfiltrating this data as “redundant to the point of paranoia,” involving HTTP requests, JSON requests, and the establishment of WebSockets.
Notably, many of the malicious dependencies use names that have been “hallucinated” by AI chatbots, a phenomenon where these models generate plausible but incorrect information. Since developers often seek dependency names from AI models, PhantomRaven’s use of these mismatched names serves as an additional tactic to deceive users.
What Users Should Do
Individuals and organizations downloading packages from NPM should consult Koi’s post for a list of indicators that their systems may have been compromised by PhantomRaven. These indicators can assist in system audits to verify if they have been targeted.
As this situation unfolds, it’s crucial for developers and firms to ensure they are employing robust security measures when utilizing NPM and to stay informed on the evolving threat landscape associated with package managers.