{"id":5607,"date":"2025-10-31T00:42:20","date_gmt":"2025-10-31T00:42:20","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5607"},"modified":"2025-10-31T00:42:20","modified_gmt":"2025-10-31T00:42:20","slug":"malicious-packages-in-npm-evade-dependency-detection-through-invisible-url-links-report","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5607","title":{"rendered":"Malicious packages in npm evade dependency detection through invisible URL links: Report"},"content":{"rendered":"
\n
\n
\n
\n
<\/div>\n

Threat actors are finding new ways to insert invisible code or links into open source code to evade detection of software supply chain attacks.<\/p>\n

The latest example was found by researchers at Israel-based Koi Security, who this week said they have discovered a threat actor\u2019s campaign<\/a> that has been running since August, contaminating 126 packages in Microsoft\u2019s npm open source code repository. There have been more than a combined 86,000 installs of these infected packages, and the campaign is continuing.<\/p>\n

What\u2019s the trick? The bad packages don\u2019t contain malicious code that could be detected by a scanner. Instead, there\u2019s an invisible link to a URL that, when the package is installed by a developer, fetches malicious code from the attacker\u2019s server.<\/p>\n

The invisible dependency could be hidden behind a line that simply says \u2018Hello.\u2019<\/p>\n

\u201cWhen you install a package with this kind of dependency, npm fetches it from that external URL,\u201d the researchers note. \u201cNot from npmjs.com, from wherever the attacker wants. And npmjs.com doesn\u2019t follow those URLs. Security scanners don\u2019t fetch them. Dependency analysis tools ignore them. To every automated security system, these packages show \u201c0 Dependencies.\u201d So, to the developer who downloaded an infected package from npm, the package looks safe.<\/p>\n

Why does it work?<\/h2>\n

This works, say the researchers, because npm supports HTTP URLs as dependency specifiers, so when the malicious package is installed, npm automatically fetches it from the external URL.<\/p>\n

The goal: To steal developer GitHub, GitLab, Jenkins and other credentials, and to obtain an outline of the developer\u2019s environment \u2013 including public IP addresses, server hostnames, usernames, current directories and node.js version \u2013 for further exploitation. The data is then carefully exfiltrated.<\/p>\n

Campaign also exploits AI<\/h2>\n

The names of packages uploaded to npm aren\u2019t typosquats of common packages, a popular tactic of threat actors. Instead the hackers exploit AI hallucinations. When developers ask AI assistants for package recommendations, the chatbots sometimes suggest plausible-sounding names that are close to those of legitimate packages, but that don\u2019t actually exist. These are the names the threat actor uses. So if a developer asks an AI assistant about a package called \u2018eslint-plugin-unused-imports\u2019 the chatbot might suggest the (unknowingly malicious) \u2018unusued-imports\u2019 package, and the developer might trust the recommendation and install that package.<\/p>\n

Koi Security calls the tactic slopsquatting. They call the overall campaign PhantomRaven.<\/p>\n

At some point, npm leadership either discovered this campaign on its own or was alerted by other researchers, because in August, 21 packages were removed from the repository. However, after September, 80 additional packages were uploaded. All, Koi Security believes, were clearly controlled by the same person.<\/p>\n

\u2018Disastrous\u2019 flaw in npm<\/h2>\n

This is a \u201cdisastrous\u201d systemic design flaw in npm\u2019s dependency management functionality, Tanya Janca<\/a>, head of Canadian secure coding training firm She Hacks Purple Consulting, told CSO. <\/em>The lack of validation for dependency URLs bypasses the trust boundary for the Node.js software supply chain, she said.<\/p>\n

Few programming languages allow dependencies to be specified via URLs, and even most of those that do have package managers that block this feature due to security concerns, she said. For instance, she pointed out, it\u2019s allowed in Python, but the open source Python Package Index repository of packages (PyPI) blocks this functionality.<\/p>\n

The danger of the PhantomRaven attacks is that an threat actor can compromise developer and build systems, rather than end users directly, Janca said. \u201cBecause Node.js and npm are used by millions of projects, even a single compromised package can have cascading effects across that entire software ecosystem,\u201d she said.<\/p>\n

The attack is called an \u2018unvalidated redirect\u2019 [accepting an untrusted URL as data] and was on the Open Web Application Security Project\u2019s (OWASP) Top Ten <\/a>attacks as far back as in 2013, Janca said.<\/p>\n

\u201cInput validation is the number one most important step in all secure coding practices, and this feature of npm circumventing the developer\u2019s ability to even be aware that this is happening is terrifying. This attack vector is likely to be use by many attackers in the near future until this is removed by npm.\u201d<\/p>\n

Microsoft was asked to comment on the Koi report and asked how it will better secure npm. A spokesperson said they were working on a reply but none had been received by publication deadline.<\/p>\n

\u2018Invisible\u2019 attacks<\/h2>\n

Threat actors have been using invisible code to fool defenders in many ways. For example, in August, a security blogger reported<\/a> that Amazon\u2019s Q Developer service could be fooled by invisible Unicode Tag characters. In another case, Unicode was used to hide malware<\/a> in Visual Studio code extensions.<\/p>\n

Oren Yomtov<\/a>, author of the Koi Security report, said that Microsoft should enhance npm\u2019s scanning tools to follow and analyze remote dependency URLs rather than ignoring them. Currently, security scanners don\u2019t fetch HTTP URL dependencies, and dependency analysis tools ignore them, he said, making packages with remote dynamic dependencies appear to have \u201c0 Dependencies.\u201d Microsoft should also require security validation for any externally fetched dependencies.<\/p>\n

Developers shouldn\u2019t blindly trust AI tools for package recommendations, he added. As the report points out, when developers ask AI assistants like GitHub Copilot or IDEs like Cursor for package recommendations, the models sometimes suggest plausible-sounding package names that don\u2019t actually exist. PhantomRaven took advantage of this, and created malicious versions of those non-existent packages. \u201cAlways verify packages exist on the official npm registry before installation,\u201d he advised, \u201cand audit package.json files for suspicious HTTP URL dependencies.\u201d<\/p>\n

In addition, CSOs should have endpoint visibility into all software types, not just traditional binaries. \u201cPhantomRaven demonstrates how sophisticated attackers exploit blind spots in traditional security tooling, as remote dynamic dependencies aren\u2019t visible to static analysis,\u201d he said. \u201cImplement governance controls across the entire software intake surface, including code packages, extensions, and AI models that traditional MDMs and EDRs miss.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"

Threat actors are finding new ways to insert invisible code or links into open source code to evade detection of software supply chain attacks. The latest example was found by researchers at Israel-based Koi Security, who this week said they have discovered a threat actor\u2019s campaign that has been running since August, contaminating 126 packages […]<\/p>\n","protected":false},"author":0,"featured_media":5608,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5607","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5607"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5607"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5607\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5608"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5607"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5607"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5607"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}