Skip to content
Close Menu

    Subscribe to Updates

    Get the latest news from tastytech.

    What's Hot

    Nirvanna the Band the Show the Movie the Article

    July 2, 2026

    Driving a manual could reduce dementia risk – study

    July 2, 2026

    MIT in the media: Innovating and educating for the next 250 years of America | MIT News

    July 2, 2026
    Facebook X (Twitter) Instagram
    Facebook X (Twitter) Instagram
    tastytech.intastytech.in
    Subscribe
    • AI News & Trends
    • Tech News
    • AI Tools
    • Business & Startups
    • Guides & Tutorials
    • Tech Reviews
    • Automobiles
    • Gaming
    • movies
    tastytech.intastytech.in
    Home»Tech Reviews»NPM flooded with malicious packages downloaded more than 86,000 times
    NPM flooded with malicious packages downloaded more than 86,000 times
    Tech Reviews

    NPM flooded with malicious packages downloaded more than 86,000 times

    gvfx00@gmail.comBy gvfx00@gmail.comOctober 30, 2025No Comments2 Mins Read
    Share
    Facebook Twitter LinkedIn Pinterest Email



    Attackers are exploiting a major weakness that has allowed them access to the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection.

    The finding, laid out Wednesday by security firm Koi, brings attention to an NPM practice that allows installed packages to automatically pull down and run unvetted packages from untrusted domains. Koi said a campaign it tracks as PhantomRaven has exploited NPM’s use of “Remote Dynamic Dependences” to flood NPM with 126 malicious packages that have been downloaded more than 86,000 times. Some 80 of those packages remained available as of Wednesday morning, Koi said.

    Table of Contents

    Toggle
    • A blind spot
      • Related posts:
    • ByteDance has reportedly suspended the global rollout of its new AI video generator
    • Apple finally lets Mac Mini users unleash full AI power using external GPUs without complicated hack...
    • Ansel Adams' Trust Says AI-Colorized Version Of His Work Was Exhibited Without Permission

    A blind spot

    “PhantomRaven demonstrates how sophisticated attackers are getting [better] at exploiting blind spots in traditional security tooling,” Koi’s Oren Yomtov wrote. “Remote Dynamic Dependencies aren’t visible to static analysis.”

    Remote Dynamic Dependencies provide greater flexibility in accessing dependencies—the code libraries that are mandatory for many other packages to work. Normally, dependencies are visible to the developer installing the package. They’re usually downloaded from NPM’s trusted infrastructure.

    RDD works differently. It allows a package to download dependencies from untrusted websites, even those that connect over HTTP, which is unencrypted. The PhantomRaven attackers exploited this leniency by including code in the 126 packages uploaded to NPM. The code downloads malicious dependencies from URLs, including http://packages.storeartifact.com/npm/unused-imports. Koi said these dependencies are “invisible” to developers and many security scanners. Instead, they show the package contains “0 Dependencies.” An NPM feature causes these invisible downloads to be automatically installed.

    Compounding the weakness, the dependencies are downloaded “fresh” from the attacker server each time a package is installed, rather than being cached, versioned, or otherwise static, as Koi explained:

    Related posts:

    Malicious packages for dYdX cryptocurrency exchange empties user wallets

    Not prepared for cloud outages? You should be

    Today's NYT Mini Crossword Answers for April 27

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleIBMs släpper öppen källkod Granite 4.0 Nano – kompakt LLM för laptop och mobil
    Next Article Generative AI Hype Check: Can It Really Transform SDLC?
    gvfx00@gmail.com
    • Website

    Related Posts

    Tech Reviews

    This tiny AI PC stuffs 128GB RAM, 126 TOPS, and a leather handle into one absurd box

    July 1, 2026
    Tech Reviews

    Best 10Gbps Multi-Gig Routers: 2026’s Top Five

    July 1, 2026
    Tech Reviews

    New attack provides one more reason why AI browsers are a bad idea

    July 1, 2026
    Add A Comment
    Leave A Reply Cancel Reply

    Top Posts

    Black Swans in Artificial Intelligence — Dan Rose AI

    October 2, 2025205 Views

    Every Clue That Tony Stark Was Always Doctor Doom

    October 20, 2025129 Views

    We let ChatGPT judge impossible superhero debates — here’s how it ruled

    December 31, 202599 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram

    Subscribe to Updates

    Get the latest tech news from tastytech.

    About Us
    About Us

    TastyTech.in brings you the latest AI, tech news, cybersecurity tips, and gadget insights all in one place. Stay informed, stay secure, and stay ahead with us!

    Most Popular

    Black Swans in Artificial Intelligence — Dan Rose AI

    October 2, 2025205 Views

    Every Clue That Tony Stark Was Always Doctor Doom

    October 20, 2025129 Views

    We let ChatGPT judge impossible superhero debates — here’s how it ruled

    December 31, 202599 Views

    Subscribe to Updates

    Get the latest news from tastytech.

    Facebook X (Twitter) Instagram Pinterest
    • Homepage
    • About Us
    • Contact Us
    • Privacy Policy
    © 2026 TastyTech. Designed by TastyTech.

    Type above and press Enter to search. Press Esc to cancel.

    Ad Blocker Enabled!
    Ad Blocker Enabled!
    Our website is made possible by displaying online advertisements to our visitors. Please support us by disabling your Ad Blocker.