Ghost Campaign Targets Cryptocurrency Users with Malicious npm Packages
Cybersecurity researchers have uncovered a new set of malicious npm packages that are designed to steal cryptocurrency wallets and sensitive data. The activity is being tracked by ReversingLabs as the Ghost campaign.
Identified Malicious Packages
- react-performance-suite
- react-state-optimizer-core
- react-fast-utilsa
- ai-fast-auto-trader
- pkgnewfefame1
- carbon-mac-copy-cloner
- coinbase-desktop-sdk
The packages are published by a user named mikilanjillo and are designed to steal sensitive data through a social-engineering routine disguised as a normal npm installation. According to Lucija Valentić, software threat researcher at ReversingLabs, the packages attempt to hide their real functionality and avoid detection.
Attack Mechanism
The identified Node.js libraries pretend to download additional packages and insert random delays to give the impression that an installation is in progress. Partway through this fake installation, the user is shown an error claiming that the install failed because of missing write permissions to /usr/local/lib/node_modules, and is prompted to enter their root or administrator password to continue.
Once the password is entered, the malware retrieves a next-stage downloader that reaches out to a Telegram channel for further instructions. The attack culminates with the deployment of a remote access trojan (RAT) capable of harvesting data and targeting cryptocurrency wallets.
A genuine npm install never asks for a password interactively: when npm lacks write access to /usr/local/lib/node_modules it reports an EACCES error and exits, leaving the user to fix permissions or rerun the command with sudo themselves. Any package whose install step pauses to read a password is therefore itself the indicator, regardless of how plausible the error message looks.
Connection to GhostClaw Campaign
The Ghost campaign shares similarities with an activity cluster documented by JFrog under the name GhostClaw earlier this month. Both campaigns use GitHub repositories and AI-assisted development workflows to deliver credential-stealing payloads on macOS.
GitHub Repository Tactics
- Impersonate legitimate tools, including trading bots, SDKs, and developer utilities.
- Build trust among users by initially populating repositories with benign or partially functional code.
- Instruct developers to execute a shell script as part of the installation step.
The script fingerprints the host (architecture and macOS version), checks whether Node.js is present and installs a compatible version if it is not, then starts a multi-stage infection chain that ends with the deployment of a stealer. It also reads an environment variable named GHOST_PASSWORD_ONLY, whose value selects which execution path the script takes.
Conclusion
The Ghost campaign highlights a continued shift in attacker tradecraft, where distribution methods extend beyond traditional package registries into platforms such as GitHub and emerging AI-assisted development workflows. By leveraging trusted ecosystems and standard installation practices, attackers are able to introduce malicious code into environments with minimal friction.
Original article: https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html
