
Attackers are exploiting a major weakness that has allowed them to flood the NPM code repository with more than 100 credential-stealing packages since August, mostly without detection. Anyone who regularly downloads packages from NPM should check the Koi post for a list of indicators that their system has been compromised through PhantomRaven. These indicators can be used in system scans to determine whether a machine has been targeted.
https://arstechnica.com/security/2025/10/npm-flooded-with-malicious-packages-downloaded-more-than-86000-times/