Researchers uncover PhantomRaven, a 126-package npm attack stealing GitHub tokens via remote dependencies.

The Tidyverse Blog offers insights, tutorials, and updates on the Tidyverse, a collection of R packages for data science and statistical computing. Covering topics such as data manipulation, visualization, and analysis, the blog provides resources for R developers looking to leverage the power of the Tidyverse for their data projects. Developers can learn how to use Tidyverse packages effectively to clean, transform, and analyze data in R.

The Hacker News

A sophisticated supply chain attack campaign called PhantomRaven has compromised 126 npm packages with over 86,000 installs. The malware steals GitHub tokens, CI/CD secrets, and authentication credentials by hiding malicious code in remote dependencies fetched from attacker-controlled servers. The attack exploits npm's lifecycle scripts and evades security scanners by pointing to external URLs instead of npmjs.com. Attackers use slopsquatting techniques, registering package names that LLMs hallucinate, making them appear legitimate to developers.

PhantomRaven Malware Found in 126 npm Packages Stealing GitHub Tokens From Devs