Multiple malicious NPM packages published as part of the PhantomRaven Wave 5 supply chain campaign execute a three-stage credential harvesting attack upon installation. Each package contains a self-referencing dependency pointing to an attacker-controlled server (pack.nppacks.com) that automatically downloads and runs a payload via the npm preinstall lifecycle hook. The final payload collects developer email addresses, git and npm configuration, CI/CD environment variables (GitHub Actions, GitLab CI, Jenkins, CircleCI), hostname, and IP addresses, and exfiltrates the data via HTTP POST to pack[.]nppacks[.]com/mozbra.php. The payload is deleted from disk after execution to reduce forensic artifacts. Please remove the package as soon as possible and use an alternative.