New npm Supply Chain Attack Hides RAT Malware in Fake Install Messages
Key Takeaways
- A new software supply chain attack, dubbed “Ghost campaign,” is actively targeting developers via the npm package registry.
- The campaign uses sophisticated fake installation logs and sudo password phishing to deploy remote access Trojan (RAT) malware.
- Seven malicious npm packages, published by user “mikilanjillo,” were initially identified by ReversingLabs, with a wider cluster, “GhostClaw,” later documented by JFrog.
- The RAT is designed to steal cryptocurrency wallets, harvest sensitive data, and maintain persistent, hidden access to compromised systems.
- Developers should never enter sudo passwords during npm installs and must verify package authenticity to mitigate risk.
A new software supply chain attack, active since early February 2026, hides remote access Trojan (RAT) malware behind fake npm installation output. Researchers at ReversingLabs, who named it the "Ghost campaign," singled out the technique as a new way of keeping malicious install-time behaviour out of a developer's sight.
The operation relies on purpose-built npm packages that trick developers into typing their sudo password while a RAT is deployed on their machine. ReversingLabs analysts first flagged seven suspicious packages in early February 2026, all published by an npm user identified as "mikilanjillo."
The Deceptive Installation Process
The attack sequence begins the moment a developer installs one of these packages. Rather than raising an immediate red flag, the package's install-time script plays out a convincing imitation of a normal npm installation: realistic log lines, a progress bar, and random delays that make the run last as long as a genuine install would. None of the packages it claims to be fetching exist; their names are picked at random from a hard-coded list. Because the output looks exactly like what npm prints every day, even experienced developers have little reason to look more closely.
The identified malicious packages include react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, carbon-mac-copy-cloner, and coinbase-desktop-sdk. ReversingLabs researchers emphasized the novelty of using fake installation logs to conceal malicious behavior, noting it as a significant evolution in how threat actors operate within open-source ecosystems to maintain stealth.
RAT Deployment and Data Exfiltration
The final stage of the attack involves the deployment of a RAT specifically engineered to steal cryptocurrency wallets, exfiltrate sensitive data, and establish a persistent backdoor for remote command execution from attacker-controlled servers. The necessary payload URLs and decryption keys are retrieved from a Telegram channel. In the case of the coinbase-desktop-sdk package, these details were cleverly embedded within a web3 post on teletype.in, designed to mimic legitimate blockchain documentation. Once activated, the malware operates silently in the background, granting attackers persistent and largely undetectable access to the compromised system.
The scope of this campaign extends beyond the initial seven packages. In March 2026, JFrog documented a related cluster, which they termed “GhostClaw,” exhibiting shared techniques and infrastructure with the findings from ReversingLabs. Further analysis by Jamf Threat Labs revealed that the campaign propagates through GitHub repositories masquerading as legitimate developer tools, such as trading bots and SDKs. These repositories are initially populated with benign code and left dormant for extended periods to cultivate user trust before the malicious components are surreptitiously introduced.
Infection Mechanism: Fake Logs and Sudo Phishing
The most insidious part of the campaign is how it obtains the developer's sudo password. Part way through the simulated installation, the package prints an error claiming that npm cannot write to /usr/local/lib/node_modules, the default global package directory on Linux and macOS, and then prompts for the sudo password to "fix" the permissions and finish the install. The lure works because genuine permission errors on that directory are common, so a password request in that context looks plausible.
As soon as the developer types the password, the downloader runs in the background while the fake log output keeps scrolling to cover it. The downloader connects to a Telegram channel to retrieve the final payload URL and its decryption key (in the coinbase-desktop-sdk case, from the blockchain-themed teletype.in post described above), writes the decrypted RAT to disk, and executes it with the captured sudo password, giving the attackers root on the machine.
What You Should Do
- Never Enter Sudo Passwords: npm itself never asks for a password. A password prompt that appears while `npm install` is running can only come from a package's own lifecycle script (preinstall, install, postinstall), and a genuine EACCES error on /usr/local/lib/node_modules simply fails the install rather than offering to fix it interactively. The right fix for that error is a user-writable global prefix (for example via a Node version manager), not sudo. Treat any password prompt during an install as a sign that the package is hostile: press Ctrl-C and type nothing.
- Verify Package Authenticity: Before installing any npm package, check the publisher's history and the linked repository's activity, and confirm that the code in the published tarball actually matches that repository. Look for established reputations and consistent contributions; a repository that sat dormant with benign code and then gained an install hook is exactly the pattern Jamf describes.
- Utilize Security Scanning Tools: Run automated scanning of packages and dependencies in the development workflow, and disable automatic lifecycle scripts by default (`npm install --ignore-scripts`, or `ignore-scripts=true` in .npmrc) so that install hooks only run for packages that have been reviewed.
- Enforce Strict Dependency Review: Organizations should establish and enforce rigorous dependency review processes to vet all third-party code introduced into projects.
- Monitor for Anomalous Network Activity: Be vigilant for unusual network connections or processes running in the background after installing new packages, as these could indicate RAT activity.
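The infection mechanism described above and the review steps in this list both come down to one question a practitioner can answer before `npm install` runs anything: does the package declare a lifecycle hook, and does the code it ships contain the behaviours this article describes? The script below is an added example written for this page, not code from ReversingLabs, JFrog or Jamf. The patterns it checks for (`sudo`, a password prompt, the /usr/local/lib/node_modules permission message, Telegram and teletype.in lookups, child processes, runtime downloads and decode-and-eval) are illustrative heuristics assumed for the example, not published detection signatures. Both sample packages are constructed; the malicious one imitates the behaviour described above and is not one of the seven real packages.

```javascript
// Added example: pre-install audit of an npm package's lifecycle hooks and
// bundled scripts for the indicators this article describes. Not vendor code;
// the RULES are illustrative heuristics assumed for this page.
'use strict';

// npm runs these hooks automatically during `npm install`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Assumed indicator patterns, each tied to a behaviour the article describes.
const RULES = [
  { id: 'sudo-invocation',          severity: 'high',   re: /\bsudo\b/ },
  { id: 'password-prompt',          severity: 'high',   re: /password|passwd|setRawMode/i },
  { id: 'telegram-lookup',          severity: 'high',   re: /api\.telegram\.org|\bt\.me\// },
  { id: 'teletype-post',            severity: 'high',   re: /teletype\.in/ },
  { id: 'node_modules-eacces-lure', severity: 'medium', re: /\/usr\/local\/lib\/node_modules/ },
  { id: 'child-process',            severity: 'medium', re: /child_process|execSync\(|spawnSync?\(/ },
  { id: 'runtime-download',         severity: 'medium', re: /\bfetch\(|https?\.(get|request)\(/ },
  { id: 'decode-and-eval',          severity: 'medium', re: /\beval\(|new Function\(|'base64'\)/ },
];

// Scan one source text line by line; one finding per (line, rule) pair.
function scanSource(name, source) {
  const findings = [];
  source.split('\n').forEach((text, idx) => {
    for (const rule of RULES) {
      if (rule.re.test(text)) {
        findings.push({ file: name, line: idx + 1, rule: rule.id, severity: rule.severity, text: text.trim() });
      }
    }
  });
  return findings;
}

// pkg: parsed package.json; files: { relativePath: sourceText } for every
// file in the tarball that an install hook could require at install time.
function auditPackage(pkg, files) {
  const scripts = (pkg && pkg.scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string')
    .map((h) => ({ hook: h, command: scripts[h] }));

  let findings = [];
  for (const { hook, command } of hooks) {
    findings = findings.concat(scanSource(`package.json#${hook}`, command));
  }
  for (const [name, source] of Object.entries(files || {})) {
    findings = findings.concat(scanSource(name, source));
  }

  // Any high-severity hit blocks; any install hook at all deserves a human read.
  const severities = new Set(findings.map((f) => f.severity));
  let verdict = 'ok';
  if (severities.has('high')) verdict = 'block';
  else if (hooks.length > 0 || severities.has('medium')) verdict = 'review';

  return { name: pkg.name, hooks, findings, verdict };
}

function formatReport(result) {
  const lines = [`${result.name}: ${result.verdict.toUpperCase()}`];
  for (const h of result.hooks) lines.push(`  hook ${h.hook}: ${h.command}`);
  for (const f of result.findings) lines.push(`  [${f.severity}] ${f.rule} at ${f.file}:${f.line}  ${f.text}`);
  return lines.join('\n');
}

// Load the package/ directory extracted from an `npm pack` tarball.
function loadUnpacked(dir) {
  const fs = require('node:fs');
  const path = require('node:path');
  const files = {};
  const walk = (d) => {
    for (const ent of fs.readdirSync(d, { withFileTypes: true })) {
      const p = path.join(d, ent.name);
      if (ent.isDirectory()) walk(p);
      else if (/\.(c?m?js|json|sh)$/.test(ent.name)) files[path.relative(dir, p)] = fs.readFileSync(p, 'utf8');
    }
  };
  walk(dir);
  return { pkg: JSON.parse(files['package.json'] || '{}'), files };
}

// Constructed samples (not real packages). The first imitates the behaviour
// the article describes: a postinstall hook printing fake npm output, an
// EACCES lure, a sudo password prompt and a Telegram lookup for the payload.
const SUSPICIOUS_PKG = { name: 'example-fake-installer', version: '1.0.0', scripts: { postinstall: 'node scripts/setup.js' } };
const SUSPICIOUS_FILES = {
  'scripts/setup.js': [
    "const { execSync } = require('child_process');",
    "console.log('added 312 packages in 14s');            // fake progress output",
    "console.error('npm ERR! EACCES: permission denied, mkdir /usr/local/lib/node_modules');",
    "process.stdout.write('[sudo] password for ' + process.env.USER + ': ');",
    "const pointer = 'https://t.me/s/' + channel;        // payload URL + key lookup",
  ].join('\n'),
};
const BENIGN_PKG = { name: 'example-clean-lib', version: '2.3.1', scripts: { test: 'node --test' } };
const BENIGN_FILES = { 'index.js': 'module.exports = (a, b) => a + b;' };

if (typeof require !== 'undefined' && require.main === module) {
  if (process.argv[2]) {
    const { pkg, files } = loadUnpacked(process.argv[2]);
    console.log(formatReport(auditPackage(pkg, files)));
  } else {
    console.log(formatReport(auditPackage(SUSPICIOUS_PKG, SUSPICIOUS_FILES)));
    console.log(formatReport(auditPackage(BENIGN_PKG, BENIGN_FILES)));
  }
}
```

To audit a real package, fetch its tarball with `npm pack <name>@<version>` (pack downloads the archive without running the package's install hooks), extract it, and run the script against the resulting `package/` directory. Treat `block` as a hard stop and `review` as "read the hook before you let it run." The heuristics are deliberately noisy: `child_process` and `https` are legitimate in many packages, so the point is to surface every install-time hook for a human, not to replace a scanner.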
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.