Cybersecurity researchers have uncovered a new threat campaign targeting developers through malicious npm packages designed to steal cryptocurrency wallets and sensitive system data.
The operation, tracked as the Ghost campaign by ReversingLabs, highlights the growing risks within open-source ecosystems where attackers exploit developer trust.
Malicious Packages Masquerading as Legitimate Tools
The campaign involves several npm packages published under a single user account, including:
- react-performance-suite
- react-state-optimizer-core
- react-fast-utilsa
- ai-fast-auto-trader
- pkgnewfefame1
- carbon-mac-copy-cloner
- coinbase-desktop-sdk
These packages appear legitimate at first glance but are engineered to deceive developers during installation.
Fake Installation Process Used to Steal Credentials
Instead of performing their claimed functionality, these packages simulate a normal installation process by displaying fake logs and delays. During installation, users are shown an error message indicating insufficient permissions for system directories.
Victims are then prompted to enter their administrator or sudo password to continue. Once entered, the malware silently proceeds to the next stage of execution.
Multi-Stage Attack Leading to Remote Access Trojan
After capturing credentials, the malware downloads additional components from external sources. It communicates with a Telegram channel to retrieve the final payload and decryption key.
The attack ultimately installs a remote access trojan (RAT) capable of:
- Stealing browser-stored credentials
- Accessing cryptocurrency wallets
- Collecting SSH keys and cloud configurations
- Executing commands from a remote server
Links to Broader Threat Campaigns
Security researchers believe the activity shares similarities with another campaign known as GhostClaw, although it is unclear whether both operations are conducted by the same threat group.
Further analysis by Jamf Threat Labs revealed that attackers also use GitHub repositories to distribute malicious scripts, particularly targeting macOS users.
These repositories often appear trustworthy, featuring realistic documentation and even gaining community engagement to build credibility before introducing malicious code.
Advanced Techniques and AI-Assisted Delivery
Attackers are increasingly leveraging AI-assisted workflows and development tools to spread malware. Some repositories include instructions that guide users to execute scripts as part of setup processes.
These scripts perform system checks, install dependencies like Node.js if needed, and execute hidden malicious payloads. In some cases, they erase traces of execution to avoid detection.
Additionally, environment variables are used to control the attack flow, allowing the malware to operate either as a full interactive installer or a silent credential-harvesting tool.
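The two behaviours described above, a lifecycle script that fakes an installation and prompts for a sudo password, and an environment variable that switches the payload between interactive and silent modes, are both visible in a package before it is ever installed. The following is an added example, not code from the article or from ReversingLabs or Jamf, of a pre-install audit that a defender could run over an unpacked npm tarball. The indicator patterns, the package name `example-perf-suite`, the `INSTALL_MODE` variable and the `setup.js` sample are all constructed for this example; the hook names and the `--ignore-scripts` flag are real npm features.

```python
import json
import re

# Lifecycle hooks that npm runs automatically during `npm install` (real npm hook names).
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicator patterns, constructed for this example from the behaviours the article
# describes; treat them as a starting point, not a complete signature set.
INDICATORS = {
    # "sudo"/"administrator" within a short distance of "password": credential prompt
    "password_prompt": re.compile(r"(sudo|admin(istrator)?).{0,60}password", re.I | re.S),
    # Telegram Bot API or t.me links used as a staging / exfiltration channel
    "telegram_c2": re.compile(r"api\.telegram\.org|t\.me/", re.I),
    # download piped straight into a shell interpreter
    "pipe_to_shell": re.compile(r"(curl|wget)[^|\n]*\|\s*(ba|z)?sh\b", re.I),
    # environment-variable driven mode switch (noisy on its own; scored low below)
    "env_mode_switch": re.compile(r"process\.env\.[A-Z_]+"),
    # shell-history wiping to erase traces of execution
    "history_wipe": re.compile(r"history\s+-c|rm\s+(-rf?\s+)?[^\n]*history", re.I),
}

# Indicators that justify blocking when they appear together with an install hook.
HIGH_RISK = {"password_prompt", "telegram_c2", "pipe_to_shell", "history_wipe"}


def audit_package(package_json: str, script_files: dict) -> list:
    """Return a sorted list of finding IDs for one unpacked package.

    package_json : text of the package's package.json
    script_files : mapping of file name -> source text for files in the tarball
    """
    manifest = json.loads(package_json)
    scripts = manifest.get("scripts", {})
    findings = set()

    hook_bodies = []
    for hook in INSTALL_HOOKS:
        if hook in scripts:
            findings.add("install_hook:" + hook)
            hook_bodies.append(scripts[hook])

    # Scan the hook command lines and every shipped file: hooks are usually
    # just `node setup.js`, so the interesting content lives in the files.
    corpus = "\n".join(hook_bodies + list(script_files.values()))
    for name, pattern in INDICATORS.items():
        if pattern.search(corpus):
            findings.add(name)
    return sorted(findings)


def classify(findings: list) -> str:
    """Map findings to an action: block, review, or allow."""
    has_hook = any(f.startswith("install_hook:") for f in findings)
    if has_hook and HIGH_RISK & set(findings):
        return "block"
    if has_hook or HIGH_RISK & set(findings):
        return "review"
    return "allow"


# Constructed sample input: a package that runs a script on postinstall.
SUSPICIOUS_MANIFEST = json.dumps({
    "name": "example-perf-suite",  # constructed name, not one of the packages above
    "version": "1.0.0",
    "scripts": {"postinstall": "node setup.js"},
})

# Constructed stand-in for the installer behaviour the article describes:
# a fake permissions error, a sudo password prompt, a Telegram URL,
# an env-var mode switch and history wiping. Nothing here is functional.
SUSPICIOUS_SETUP_JS = r"""
const mode = process.env.INSTALL_MODE || "interactive";
console.log("Installing native bindings...");
console.error("EACCES: permission denied, mkdir '/usr/local/lib'");
const prompt = "Enter your sudo password to continue: ";
const report = "https://api.telegram.org/botTOKEN_PLACEHOLDER/sendMessage";
const cleanup = "history -c";
"""

# Constructed benign package for comparison.
BENIGN_MANIFEST = json.dumps({
    "name": "example-add",
    "version": "1.0.0",
    "scripts": {"test": "jest", "build": "tsc"},
})
BENIGN_FILES = {"index.js": "module.exports = (a, b) => a + b;\n"}


if __name__ == "__main__":
    for label, manifest, files in (
        ("suspicious", SUSPICIOUS_MANIFEST, {"setup.js": SUSPICIOUS_SETUP_JS}),
        ("benign", BENIGN_MANIFEST, BENIGN_FILES),
    ):
        found = audit_package(manifest, files)
        print(label, classify(found), found)
```

Running the audit on an unpacked tarball (`npm pack <name>` followed by extracting the archive) before the package is installed avoids executing any lifecycle hook at all; in CI, `npm install --ignore-scripts` gives the same protection at install time, at the cost of breaking packages that legitimately build native code in a hook. The env-variable indicator is deliberately scored low because many honest packages read `process.env`; it only tips the verdict when it appears alongside an install hook.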
Data Exfiltration and Monetization Strategy
Stolen data is transmitted to attacker-controlled infrastructure, including Telegram bots. In some cases, attackers use blockchain-based systems to manage stolen data and affiliate operations.
This campaign demonstrates a dual monetization approach:
- Primary revenue from stolen credentials and wallet data
- Secondary revenue through malicious affiliate redirects
Growing Threat to Developers
Security experts warn that this campaign reflects a broader shift in cybercriminal tactics. By exploiting trusted platforms like npm, GitHub, and AI development workflows, attackers can infiltrate systems with minimal resistance.