PhantomRaven returns to npm with 88 bad packages

Operational patterns challenge “research experiment” claim

Despite the new waves, PhantomRaven’s core functionality has remained largely unchanged, the researchers said. They found that 257 out of 259 lines of the malware payload are identical across all waves, with the only significant modification being the command-and-control domain used to receive stolen data.

Instead, the attacker focused on operational changes designed to stay ahead of takedowns. These include rotating npm accounts, modifying package descriptions and metadata, and registering new domains with similar naming patterns such as “storeartifact,” “jpartifacts,” and “artifactsnpm.”

Additionally, the campaign employed slopsquatting to publish packages mimicking Babel plugins, GraphQL tooling, ESLint presets, and other widely used development utilities.

Endor Labs’ blog post was later updated to reflect claims that the packages were part of a legitimate research experiment intended to study malicious package detection. “Allegedly, the packages have been produced by a security researcher known in the community,” the update read. “However, several characteristics strongly support classifying these packages as malware rather than legitimate research artifacts.”

Endor Labs’ objections to the claim included the presence of active command-and-control servers, credential harvesting routines targeting developer environments, and active data exfiltration mechanisms. “In addition, the packages provide no indication whatsoever that they are part of a research experiment, neither in a README nor through console messages or package metadata, leaving affected users without any transparency,” the researchers said.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4144231/phantomraven-returns-to-npm-with-88-bad-packages.html
