216.73.216.86

PhantomRaven Wave 5: New Undocumented NPM Supply Chain Campaign Targets DeFi, Cloud, and AI Developers

· Published 04/05/2026 16:27 · Modified 04/05/2026 15:00

Export JSON

Essential information

Published
04/05/2026 16:27
Modified
04/05/2026 15:00
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
azure phantomraven remote-dynamic-dependency supply-chain
Tags
2026-05-04 azure phantomraven remote-dynamic-dependency supply-chain
Related entities
1 vulnerabilities (cve), 17 indicators, 17 observables, 1 intrusion sets (apt), 20 techniques (mitre), 8 others

Description

A fifth wave of the NPM supply chain attack campaign has been discovered, utilizing 33 new malicious packages and fresh command-and-control infrastructure registered on March 10, 2026. The operation employs a sophisticated three-stage payload delivery mechanism using Remote Dynamic Dependency techniques to bypass static analysis. Malicious packages self-reference dependencies pointing to attacker-controlled servers at pack[.]nppacks[.]com, which deliver droppers that harvest developer credentials, system information, CI/CD tokens, GitHub repository names, and email addresses from Git configurations, NPM settings, and environment variables. The campaign specifically targets DeFi cryptocurrency developers, cloud infrastructure engineers working with CDK, and AI application developers. All collected data is exfiltrated via POST requests to mozbra.php on the C2 server. Infrastructure analysis reveals connections to a legitimate Pakistani IT services company domain, suggesting potential accou...

External references