Summary
Key Points:
- A new wave of the PhantomRaven NPM supply chain attack has emerged, utilizing 33 malicious packages to steal developer credentials and secrets.
- The attack impacts developers in DeFi, cloud, and AI sectors, with a sophisticated three-stage payload that bypasses static analysis tools and exfiltrates sensitive information.
- Immediate actions include rotating all credentials from affected environments, blocking C2 infrastructure, and using --ignore-scripts during npm installs to prevent execution of malicious code.
Technical Details: The campaign employs Remote Dynamic Dependencies (RDD) to fetch malicious code from an attacker-controlled server upon package installation. The primary C2 domain is pack[.]nppacks[.]com, which resolves to an AWS EC2 instance.
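As an added, illustrative check (not code from the report or from any of the named packages), the script below audits a package.json for the two install-time signals the campaign relies on: dependency specifiers that point at a remote URL rather than the registry, and lifecycle hooks that run during npm install unless --ignore-scripts is used. The manifest and the host pack.attacker-controlled.invalid are constructed placeholders; the blocklist accepts defanged indicators in the form the summary uses.

```python
"""Audit an npm package.json for Remote Dynamic Dependency specifiers and
install-time lifecycle hooks. Added example with a constructed manifest."""
import json
from urllib.parse import urlparse

# Hooks npm runs automatically during install; --ignore-scripts suppresses them.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")
DEP_FIELDS = ("dependencies", "devDependencies", "optionalDependencies")
# Specifier prefixes that make npm fetch code from a host other than the registry.
REMOTE_PREFIXES = ("http://", "https://", "git://", "git+", "github:", "gitlab:", "bitbucket:")


def refang(indicator):
    """Turn a defanged indicator such as 'pack[.]example[.]com' into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def audit_manifest(manifest, blocklist=()):
    """Return remote dependencies (with fetch host and blocklist hit) and install hooks."""
    blocked = {refang(d) for d in blocklist}
    remote = []
    for field in DEP_FIELDS:
        for name, spec in manifest.get(field, {}).items():
            if not spec.startswith(REMOTE_PREFIXES):
                continue  # semver range or tag: resolved through the registry
            host = urlparse(spec.removeprefix("git+")).hostname  # None for shorthand specs
            remote.append({"field": field, "name": name, "spec": spec, "host": host,
                           "blocked": host in blocked if host else False})
    hooks = {h: cmd for h, cmd in manifest.get("scripts", {}).items() if h in INSTALL_HOOKS}
    return {"remote_deps": remote, "install_hooks": hooks}


# Constructed sample manifest (not a real package): one registry dependency,
# one remote dynamic dependency on a placeholder host, and a postinstall hook.
SAMPLE_MANIFEST = json.loads("""{
  "name": "example-app",
  "dependencies": {
    "lodash": "^4.17.21",
    "example-helper": "http://pack.attacker-controlled.invalid/example-helper.tgz"
  },
  "scripts": {"postinstall": "node setup.js"}
}""")

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST, blocklist=["pack[.]attacker-controlled[.]invalid"])
    for dep in report["remote_deps"]:
        print(f"REMOTE {dep['field']}:{dep['name']} -> {dep['host']} blocked={dep['blocked']}")
    for hook, cmd in report["install_hooks"].items():
        print(f"HOOK {hook}: {cmd}")
```

Run it against each package.json in a repository (and the lockfile's resolved URLs) before installing; any remote dependency or install hook warrants review, and a blocklist hit warrants the credential rotation described above.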
MITRE ATT&CK Techniques:
- T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
- T1078 - Valid Accounts (Credential Access)
- T1003.001 - OS Credential Dumping: Credentials from Files (Credential Access)
IOCs Mentioned:
- Domains: pack[.]nppacks[.]com, hblnew.ecompk.com
- IP Address: 54.160.138.70
- Malicious Packages: eigenlayer-sdk, @inverse-finance/vesting-contracts, among others.
This summary provides actionable intelligence for security analysts to mitigate risks associated with the ongoing PhantomRaven campaign targeting developer communities.