The PhantomRaven threat actor published 88 malicious packages to the npm registry across four campaign waves (August 2025 – February 2026); 81 of those packages were still available as of February 2026. The packages are typosquats that use postinstall lifecycle hooks to exfiltrate environment variables and secrets, targeting CI/CD credential stores for GitHub Actions, GitLab CI, Jenkins, and CircleCI.

The campaign demonstrates an accelerating, organized operation with infrastructure reuse across waves. No vendor patch applies: remediation depends entirely on package removal, dependency auditing, and credential rotation for any build environment where affected packages were installed.

Audit all npm dependencies for typosquats against Babel, GraphQL Codegen, and related tooling immediately; rotate all CI/CD tokens and secrets in potentially affected build environments; and enforce a private registry or SCA-gated dependency policy to prevent reinfection.
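
An added example, not code from the original advisory: one way to start the dependency audit described above is to scan the `packages` map of a v2/v3 `package-lock.json` for names within a small edit distance of trusted packages, prioritising any that declare install scripts. The trusted list, the distance threshold and the sample lockfile (including its lookalike names) are assumptions constructed for illustration.

```javascript
// Assumption: a team-maintained list of the real packages the project depends on.
const TRUSTED = ["@babel/core", "@babel/preset-env", "@graphql-codegen/cli"];

// Fold scope and separators so "@babel/core" and "babel-core" compare as equal.
const normalize = (n) => n.toLowerCase().replace(/^@/, "").replace(/[\/._]/g, "-");

// Levenshtein edit distance using a single-row dynamic programming table.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let prev = row[0]; // dp[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, prev + cost);
      prev = tmp;
    }
  }
  return row[b.length];
}

// Report lockfile names that are close to, but not exactly, a trusted name.
// hasInstallScript is the lockfile flag for install-time hooks such as postinstall.
function auditLockfile(lock, trusted = TRUSTED, maxDistance = 2) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = path.slice(idx + "node_modules/".length);
    if (trusted.includes(name)) continue;
    const resembles = trusted.find(
      (t) => editDistance(normalize(name), normalize(t)) <= maxDistance);
    if (!resembles) continue;
    const installScript = meta.hasInstallScript === true;
    findings.push({ name, resembles, installScript, priority: installScript ? "high" : "review" });
  }
  return findings;
}

// Constructed lockfile: lookalike names are invented, not indicators from the campaign.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app" },
  "node_modules/@babel/core": { version: "0.0.0" },
  "node_modules/bable-core": { version: "0.0.0", hasInstallScript: true },
  "node_modules/graphql-codegen-cil": { version: "0.0.0" },
  "node_modules/left-pad": { version: "0.0.0" },
} };
console.log(auditLockfile(SAMPLE_LOCK));
```

A flagged name is a lead for manual review rather than a verdict; short package names produce false positives at distance 2, so tune `maxDistance` and the trusted list to the project.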