Npm

• PhantomRaven: How a Four-Wave npm Campaign Used Remote Dynamic Dependencies to Beat Package Scanning March 12, 2026

  PhantomRaven ran four waves of malicious npm packages from August 2025 to February 2026, stealing developer credentials via a technique called Remote Dynamic Dependencies that places the payload outside the package -- making it invisible to every scanner that inspects package contents.