Ghost Campaign Deploys 7 Malicious npm Packages to Steal Cryptocurrency Wallets and User Credentials
Cybersecurity researchers have uncovered a series of malicious npm packages aimed at compromising cryptocurrency wallets and sensitive user information. This alarming discovery, tracked by ReversingLabs as the Ghost campaign, underscores the evolving tactics employed by cybercriminals to exploit trusted software ecosystems.
Overview of the Ghost Campaign
The Ghost campaign is linked to a user identified as “mikilanjillo,” who has published multiple malicious packages on the npm registry. The identified packages include:
- react-performance-suite
- react-state-optimizer-core
- react-fast-utilsa
- ai-fast-auto-trader
- pkgnewfefame1
- carbon-mac-copy-cloner
- coinbase-desktop-sdk
Lucija Valentić, a software threat researcher at ReversingLabs, stated that these packages employ sophisticated techniques to disguise their true functionality. They simulate npm installation logs to mislead users while phishing for sudo passwords essential for executing the final stage of the attack.
Technical Mechanisms of the Attack
The malicious Node.js libraries not only falsely claim to download additional packages but also introduce random delays to create the illusion of a legitimate installation process. During this phase, users encounter notifications about installation errors due to missing write permissions in the default directory for globally installed Node.js packages on Linux and macOS systems.
Victims are prompted to enter their root or administrator passwords to proceed. If they comply, the malware discreetly retrieves a downloader that connects to a Telegram channel to obtain the final payload URL and the decryption key. This process culminates in the deployment of a remote access trojan capable of harvesting sensitive data, specifically targeting cryptocurrency wallets, while awaiting further instructions from an external command-and-control server.
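The two behaviours described above, a package name from the Ghost list appearing in a dependency tree and an install-time hook that asks for sudo or pulls a second stage, are both things a defender can check for before `npm install` runs lifecycle scripts. The following audit script is an added example written for this article; it is not ReversingLabs' tooling nor any code from the packages themselves. The package names come from the list above, while the lifecycle-hook patterns, the function names and the sample lockfile and manifests are constructed assumptions for the example.

```python
"""
Audit an npm dependency tree for the packages named in the Ghost campaign
and for install-time lifecycle scripts that behave like the ones described
(prompting for a sudo password, fetching a second stage).

All sample data below is constructed for the example.
"""
import json
import re
from typing import List

# Package names published by "mikilanjillo" as listed in the article.
GHOST_PACKAGES = frozenset({
    "react-performance-suite",
    "react-state-optimizer-core",
    "react-fast-utilsa",
    "ai-fast-auto-trader",
    "pkgnewfefame1",
    "carbon-mac-copy-cloner",
    "coinbase-desktop-sdk",
})

# Lifecycle hooks that npm runs automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic patterns (assumed for this example, not from the article): a
# sudo/password prompt or a network fetch inside an install hook deserves
# a human look before the package is trusted.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\bsudo\b"), "invokes sudo"),
    (re.compile(r"password", re.IGNORECASE), "mentions a password"),
    (re.compile(r"\b(curl|wget)\b"), "downloads from the network"),
    (re.compile(r"\bnode\s+-e\b"), "runs inline JavaScript"),
]


def audit_lockfile(lock: dict) -> List[dict]:
    """Return one finding per dependency whose name is on the Ghost list.

    Expects a lockfileVersion 2/3 document, where lock["packages"] maps
    "node_modules/<name>" paths (possibly nested or scoped) to records.
    """
    findings = []
    for path, record in lock.get("packages", {}).items():
        if not path:  # the empty key is the root project itself
            continue
        name = path.rsplit("node_modules/", 1)[-1]
        if name in GHOST_PACKAGES:
            findings.append({
                "package": name,
                "version": record.get("version"),
                "reason": "name published under the Ghost campaign",
            })
    return findings


def audit_manifest(manifest: dict) -> List[dict]:
    """Flag install-time scripts in one package.json that match a heuristic."""
    findings = []
    scripts = manifest.get("scripts", {})
    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        for pattern, why in SUSPICIOUS_PATTERNS:
            if pattern.search(cmd):
                findings.append({
                    "package": manifest.get("name"),
                    "hook": hook,
                    "reason": why,
                    "command": cmd,
                })
    return findings


def run_audit(lock: dict, manifests: List[dict]) -> List[dict]:
    """Combine the lockfile check and the per-manifest checks into one report."""
    report = audit_lockfile(lock)
    for manifest in manifests:
        report.extend(audit_manifest(manifest))
    return report


# --- Constructed sample input (not real lockfile or manifest content) ---
SAMPLE_LOCK = {
    "name": "demo-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/react": {"version": "18.3.1"},
        "node_modules/react-fast-utilsa": {"version": "1.0.2"},
    },
}

SAMPLE_MANIFESTS = [
    {"name": "react", "scripts": {"test": "jest"}},
    {
        "name": "react-fast-utilsa",
        "scripts": {
            "postinstall": "node -e \"require('./setup.js')\" && sudo true",
        },
    },
]

if __name__ == "__main__":
    for finding in run_audit(SAMPLE_LOCK, SAMPLE_MANIFESTS):
        print(json.dumps(finding))
```

In practice the lockfile check is the cheap, exact part (run it against `package-lock.json` in CI), while the hook heuristics will produce some false positives on legitimate native-module builds; the point is to surface install-time scripts for review rather than to block automatically. Running `npm install --ignore-scripts` and reviewing the flagged hooks before enabling them closes the window in which the fake installation log and password prompt described above would appear.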
Connections to GhostClaw
ReversingLabs has observed that the Ghost campaign shares similarities with another activity cluster documented by JFrog, referred to as GhostClaw. Although it remains uncertain whether both campaigns originate from the same threat actor, the overlap in tactics raises significant concerns regarding broader implications for cybersecurity.
GhostClaw’s Approach
According to Jamf Threat Labs, the GhostClaw campaign utilizes GitHub repositories and AI-assisted development workflows to deliver credential-stealing payloads targeting macOS systems. These repositories often impersonate legitimate tools, such as trading bots and developer utilities, to enhance their credibility.
Thijs Xhaflaire, a security researcher, noted that many of these repositories have garnered considerable engagement, sometimes exceeding hundreds of stars, which further bolsters their perceived legitimacy. Initially, the repositories contain benign or partially functional code, enabling them to build trust among users before introducing malicious components.
The installation process typically involves executing a shell script that initiates a multi-stage infection, ultimately leading to the deployment of a stealer. The sequence of actions includes:
- Identifying the host architecture and macOS version, and installing a compatible Node.js version if necessary.
- Invoking scripts that transition execution to JavaScript payloads, facilitating the theft of system credentials and the delivery of the GhostLoader malware.
Credential Theft and Data Exfiltration
The malicious packages feature a command-line interface (CLI) setup wizard that deceives developers into entering their sudo passwords under the pretense of performing system optimizations. Alessandra Rizzo, a security researcher, explained that the captured passwords are subsequently utilized by a comprehensive credential-stealing payload, which harvests various sensitive data, including browser credentials, cryptocurrency wallets, SSH keys, and cloud provider configurations.
Stolen data is routed to partner-specific Telegram bots, with credentials stored in a Binance Smart Chain (BSC) smart contract. This dual revenue model allows attackers to profit from credential theft while also implementing affiliate URL redirects.
Evolving Threat Landscape
The emergence of the Ghost campaign highlights a significant shift in attacker methodologies. Cybercriminals are increasingly extending their distribution methods beyond traditional package registries, utilizing platforms like GitHub and AI-assisted workflows to introduce malicious code into trusted environments. This trend emphasizes the need for heightened vigilance among developers and organizations that rely on open-source software.
As the cybersecurity landscape continues to evolve, the implications of such campaigns are profound. Organizations must remain proactive in their security measures, ensuring they are equipped to identify and mitigate threats posed by sophisticated cybercriminals.
As reported by cyberwarriorsmiddleeast.com.
Published on 2026-03-24 16:00:00 • By FAME Delivered News Desk
