New npm Supply Chain Attack Hides RAT Malware in Fake Install Messages


Sarah simpson
March 26, 2026, 4 min read

Key Takeaways

  • A new software supply chain attack, dubbed “Ghost campaign,” is actively targeting developers via the npm package registry.
  • The campaign uses sophisticated fake installation logs and sudo password phishing to deploy remote access Trojan (RAT) malware.
  • Seven malicious npm packages, published by user “mikilanjillo,” were initially identified by ReversingLabs, with a wider cluster, “GhostClaw,” later documented by JFrog.
  • The RAT is designed to steal cryptocurrency wallets, harvest sensitive data, and maintain persistent, hidden access to compromised systems.
  • npm never prompts for a password during an install. Developers should treat any password request that appears in install output as a sign of compromise, abort the install, and verify the package (publisher history, repository, and lifecycle scripts) before retrying.

A sophisticated new software supply chain attack, active since early February 2026, is deceiving developers by camouflaging remote access Trojan (RAT) malware within meticulously crafted fake npm installation messages. Researchers at ReversingLabs have exposed this campaign, which they’ve named the “Ghost campaign,” highlighting its innovative methods for evading detection.


This operation leverages specially constructed npm packages designed to trick developers into divulging their system credentials while simultaneously deploying a RAT onto their machines. The initial findings by ReversingLabs analysts in early February 2026 pinpointed seven suspicious packages published by an npm user identified as “mikilanjillo.”

The Deceptive Installation Process

The attack sequence begins the moment a developer installs one of these rogue packages. Rather than raising immediate red flags, the package's install-time script simulates a legitimate npm installation: it prints realistic log messages and a progress bar, and inserts random delays so the run looks like a normal, lengthy dependency install. Crucially, none of the packages it claims to be downloading exist; their names are picked at random from a hard-coded list. This layer of deception makes it hard for even seasoned developers to notice that anything is wrong, because the output looks exactly like the installer noise they normally scroll past.

The identified malicious packages are react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, carbon-mac-copy-cloner, and coinbase-desktop-sdk; most borrow the naming style of popular React, trading and Coinbase tooling so that they read as plausible dependencies. ReversingLabs researchers emphasized the novelty of using fake installation logs to conceal malicious behavior, describing it as a significant evolution in how threat actors maintain stealth within open-source ecosystems.

RAT Deployment and Data Exfiltration

The final stage of the attack deploys a RAT engineered to steal cryptocurrency wallets, exfiltrate sensitive data, and establish a persistent backdoor that executes commands from attacker-controlled servers. Rather than shipping the payload location inside the package, the downloader retrieves the payload URLs and decryption keys from a Telegram channel. In the case of the coinbase-desktop-sdk package, these details were embedded in a web3-themed post on teletype.in designed to look like legitimate blockchain documentation. Once running, the malware operates silently in the background, giving attackers persistent access that is hard to spot without process or network monitoring.

The scope of this campaign extends beyond the initial seven packages. In March 2026, JFrog documented a related cluster, which they termed “GhostClaw,” exhibiting shared techniques and infrastructure with the findings from ReversingLabs. Further analysis by Jamf Threat Labs revealed that the campaign propagates through GitHub repositories masquerading as legitimate developer tools, such as trading bots and SDKs. These repositories are initially populated with benign code and left dormant for extended periods to cultivate user trust before the malicious components are surreptitiously introduced.

Infection Mechanism: Fake Logs and Sudo Phishing

A particularly insidious aspect of this campaign is how it tricks developers into surrendering their sudo password. During the simulated installation, the malicious script prints an error claiming it lacks write permission to /usr/local/lib/node_modules, the default global package directory on Linux and macOS. The developer is then prompted to enter their password (the account password that sudo accepts, not a separate root password) to "fix" the permissions and finish the install. The tactic works because EACCES errors on that directory are a genuine, common annoyance with global installs (npm install -g), so a permission complaint followed by a password prompt looks plausible in context. What should give it away is the prompt itself: npm never asks for a password, and a local, per-project install never needs write access to the global directory at all.

Once the developer types and confirms their password, the malware's downloader runs silently in the background while the fake log output keeps scrolling to mask the activity. The downloader contacts a Telegram channel to obtain the final payload URL and its decryption key; in one observed instance these details were hidden in a blockchain-themed post on teletype.in. The decrypted RAT payload is then written to disk and launched through sudo with the captured password, giving the attackers full root-level access to the machine.

What You Should Do

  • Never Enter Sudo Passwords: npm itself never prompts for a password, and a local npm install needs no system-level (sudo or root) access. If a password prompt appears in install output, a package script is producing it; abort the install (Ctrl-C), change the password if it was already typed, and treat the machine as potentially compromised. A genuine EACCES on the global directory is fixed by pointing npm's prefix at a user-writable directory, not by typing a password into package output.
  • Verify Package Authenticity: Before installing any npm package, check the publisher's account history and other packages, the package's age and version history, and whether the linked repository actually contains the published code. Names that closely resemble popular React, trading or Coinbase tooling deserve extra suspicion. Inspect the lifecycle hooks with npm view <package> scripts: a preinstall, install or postinstall hook that runs arbitrary JavaScript from the package is the entry point this campaign relies on.
  • Utilize Security Scanning Tools: Add automated scanning of new dependencies to the development workflow, including checks that flag install-time scripts, password prompts, and contact with Telegram or paste-style services. Installing with npm install --ignore-scripts (or setting ignore-scripts=true in .npmrc) blocks lifecycle hooks outright; the caveat is that packages with native build steps then need those scripts run deliberately after review.
  • Enforce Strict Dependency Review: Organizations should establish rigorous review of all third-party code introduced into projects, pin dependencies through a committed lockfile, and install from the lockfile in CI so that an unreviewed package cannot slip in through a loose version range.
  • Monitor for Anomalous Network Activity: After installing new packages, watch for unexpected background processes and outbound connections, particularly to Telegram API endpoints or unfamiliar hosts, as these are the channels this RAT uses.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags: Attack, Malware, phishing, Security, Threat

Sarah simpson

Sarah is a cybersecurity journalist specializing in threat intelligence and malware analysis. With over 8 years of experience covering APT groups, zero-day exploits, and advanced persistent threats, Sarah brings deep technical expertise to breaking cybersecurity news. Previously, she worked as a security researcher at leading threat intelligence firms, where she analyzed malware samples and tracked cybercriminal operations. Sarah holds a Master's degree in Computer Science with a focus on cybersecurity and is a regular contributor to major security conferences.
