NPM flooded with malicious packages downloaded more than 86,000 times
TL;DR
AI Generated

Attackers have abused a legitimate npm feature, not a code vulnerability, to publish more than 100 credential-stealing packages since August. Security firm Koi identified the campaign, which it calls PhantomRaven, and counted 126 malicious packages downloaded more than 86,000 times. The packages rely on npm's Remote Dynamic Dependencies: a dependency in package.json can point at an arbitrary HTTP URL instead of a registry name and version, so npm fetches the attacker's tarball from that URL at install time. Because the fetched code is not part of the package published to the registry, tools that only scan the registry copy never see it, and each package pulls in these invisible dependencies automatically, which makes the payload hard to detect. The incident shows how attackers increasingly target blind spots in supply-chain security tooling.
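One check a practitioner would want after reading this is a scan for dependency specifiers that npm will resolve from somewhere other than the registry. The script below is an added example written for this page; it is not code from Koi, from the PhantomRaven report, or from npm. It classifies each dependency range in a package.json (HTTP/HTTPS tarball URLs, git sources, local paths, or ordinary registry ranges) and also lists the lifecycle scripts npm runs automatically during install. The sample manifest is constructed, and the host example.invalid is a placeholder.

```javascript
"use strict";

// Added example, not code from Koi or npm: audit a package.json for
// dependencies that npm fetches outside the registry, plus install-time scripts.

const DEP_FIELDS = [
  "dependencies",
  "devDependencies",
  "optionalDependencies",
  "peerDependencies",
];

// Lifecycle scripts that npm runs on its own during `npm install`.
const INSTALL_SCRIPTS = ["preinstall", "install", "postinstall", "prepare"];

// Classify a dependency range string by where npm will fetch it from.
function classifySpecifier(spec) {
  if (typeof spec !== "string") return "invalid";
  // Tarball downloaded over HTTP(S) at install time; its contents are never on the registry.
  if (/^https?:\/\//i.test(spec)) return "remote-url";
  // Git sources, including the explicit hosted-service prefixes.
  if (/^(git\+|git:\/\/|github:|gitlab:|bitbucket:|gist:)/i.test(spec)) return "git";
  // Local directories and file: tarballs.
  if (/^file:/.test(spec) || /^(\.{1,2}\/|\/|~\/)/.test(spec)) return "local-path";
  // Bare "user/repo" is GitHub shorthand, not a registry range.
  if (/^[A-Za-z0-9_.-]+\/[A-Za-z0-9_.-]+(#.*)?$/.test(spec)) return "git";
  if (/^npm:/.test(spec)) return "alias";
  return "registry"; // semver range, dist-tag, or exact version resolved via the registry
}

// Return every dependency that is not resolved through the configured registry.
function findNonRegistryDependencies(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    const deps = pkg[field];
    if (!deps || typeof deps !== "object") continue;
    for (const [name, spec] of Object.entries(deps)) {
      const kind = classifySpecifier(spec);
      if (kind !== "registry" && kind !== "alias") {
        findings.push({ field, name, spec, kind });
      }
    }
  }
  return findings;
}

// Return the install-time lifecycle scripts a package declares.
function findInstallScripts(pkg) {
  const scripts = pkg.scripts || {};
  return INSTALL_SCRIPTS.filter((s) => typeof scripts[s] === "string");
}

function auditManifest(pkg) {
  return {
    nonRegistry: findNonRegistryDependencies(pkg),
    installScripts: findInstallScripts(pkg),
  };
}

// Constructed sample manifest: one ordinary registry dependency, one dependency
// pointing at an arbitrary HTTP URL (placeholder host), and a preinstall hook.
const SAMPLE_MANIFEST = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    lodash: "^4.17.21",
    "config-helper": "http://example.invalid/pkgs/config-helper-1.0.0.tgz",
  },
  scripts: {
    preinstall: "node setup.js",
    test: "node test.js",
  },
};

// Run the audit on the sample and print the findings.
const SAMPLE_REPORT = auditManifest(SAMPLE_MANIFEST);
for (const f of SAMPLE_REPORT.nonRegistry) {
  console.log(`[${f.kind}] ${f.field}.${f.name} -> ${f.spec}`);
}
if (SAMPLE_REPORT.installScripts.length > 0) {
  console.log(`install-time scripts: ${SAMPLE_REPORT.installScripts.join(", ")}`);
}
```

Run it against the top-level package.json in CI, but also against every package.json under node_modules: in the campaign described above the remote dependency is declared by the malicious package itself, not by the project that depends on it, so a scan of only your own manifest misses it. Treat any `remote-url` finding, and any install-time script in a package you did not expect to need one, as something to review before the next install.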