Ghost Campaign uses 7 npm packages to Steal Crypto Wallets and Credentials

Cybersecurity researchers have discovered a new set of malicious npm packages designed to steal cryptocurrency wallets and sensitive data.
ReversingLabs is tracking the activity as a Ghost campaign. The packages in question, all published by a user named mikilanjillo, are listed below –
- react-performance-suite
- react-state-optimizer-core
- react-fast-utilsa
- ai-fast-auto-trader
- pkgnewfefame1
- carbon-mac-copy-cloner
- coinbase-desktop-sdk
“The packages themselves phish for a sudo password, which is the last step, and they try to hide their real functionality and avoid detection in a sophisticated way: by displaying fake npm installation logs,” Lucija Valentić, a software threat researcher at ReversingLabs, said in a report shared with The Hacker News.
The Node.js libraries in question pretend to download additional packages, introducing a random delay to give the impression that the installation is in progress. At some point during this step, the user is told that the installation failed due to missing write permissions to “/usr/local/lib/node_modules,” which is the default location for globally installed Node.js packages on Linux and macOS systems.
The package then prompts the victim to enter the root or administrator password to continue the installation. If the password is entered, the malware silently launches a next-stage downloader, which contacts a Telegram channel to retrieve the URL of the final payload and the key needed to decrypt it.
The attack culminates in the installation of a remote access trojan capable of harvesting data, targeting cryptocurrency wallets, and waiting for further instructions from an external server.
ReversingLabs said the activity overlaps with a set of packages documented by JFrog under the name GhostClaw earlier this month, although it is not yet known whether it is the work of the same threat actor or an entirely new campaign.
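The packages above are identifiable by name, and both the ReversingLabs and Panther reports describe behaviour that runs at install time. The following Python script is an added example, not code from ReversingLabs, Panther or the campaign: it audits an npm lockfile for the package names listed in this article and for any dependency that declares an install lifecycle script. It assumes the npm lockfile v2/v3 layout, where the "packages" map is keyed by "node_modules/<name>" and entries with preinstall/install/postinstall hooks carry "hasInstallScript": true; the sample lockfile embedded below is constructed for the demonstration.

```python
"""Audit an npm package-lock.json for reported campaign package names and
for dependencies that run lifecycle (install) scripts.

Added example for this article, not code from ReversingLabs, Panther or the
campaign. Assumes lockfile v2/v3 layout: "packages" keyed by
"node_modules/<name>", with "hasInstallScript": true on packages that
declare preinstall/install/postinstall hooks.
"""
import json
import sys

# Package names listed in the ReversingLabs and Panther reports cited above.
KNOWN_BAD = {
    "react-performance-suite", "react-state-optimizer-core", "react-fast-utilsa",
    "ai-fast-auto-trader", "pkgnewfefame1", "carbon-mac-copy-cloner",
    "coinbase-desktop-sdk", "react-query-core-utils", "react-state-optimizer",
    "react-fast-utils", "carbon-mac-copies-cloner", "pkgnewfefame", "darkness",
}

# Constructed sample lockfile: one reported name at top level, one nested
# under another dependency, plus an unrelated package with an install hook.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/react": {"version": "18.2.0"},
    "node_modules/react-fast-utilsa": {"version": "1.0.3", "hasInstallScript": true},
    "node_modules/some-native-addon": {"version": "0.9.0", "hasInstallScript": true},
    "node_modules/left-pad/node_modules/react-state-optimizer": {"version": "2.1.0"}
  }
}
""")


def package_name(lock_path: str) -> str:
    """Return the package name from a lockfile key.

    'node_modules/a/node_modules/@scope/b' -> '@scope/b' (text after the
    last 'node_modules/' segment, so nested installs are handled).
    """
    _, _, tail = lock_path.rpartition("node_modules/")
    return tail


def audit_lockfile(lock: dict) -> list[dict]:
    """Return one finding per (package, reason) pair."""
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:  # "" is the root project entry, not a dependency
            continue
        name = package_name(path)
        version = meta.get("version", "?")
        if name in KNOWN_BAD:
            findings.append({"package": name, "version": version, "severity": "high",
                             "reason": "name matches a package reported in this campaign"})
        if meta.get("hasInstallScript"):
            findings.append({"package": name, "version": version, "severity": "review",
                             "reason": "declares an install lifecycle script"})
    return findings


def high_severity_packages(lock: dict) -> set:
    """Convenience wrapper: names of packages that matched the reported list."""
    return {f["package"] for f in audit_lockfile(lock) if f["severity"] == "high"}


if __name__ == "__main__":
    # Usage: python audit_lock.py [path/to/package-lock.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    for f in audit_lockfile(lock):
        print(f"[{f['severity']:6}] {f['package']}@{f['version']}: {f['reason']}")
```

A name match is a hard hit; the "review" findings are only a prompt to inspect that dependency's package.json, since many legitimate native addons also run postinstall hooks. Setting `npm config set ignore-scripts true` (or passing `--ignore-scripts` to `npm install`) stops lifecycle scripts from running at all, but note that it does nothing against the GitHub-hosted variant described below, where the README instructs the developer to run a shell script by hand.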
GhostClaw Uses GitHub Repositories and AI Workflows to Deliver macOS Stealer
Jamf Threat Labs, in an analysis published last week, said the GhostClaw campaign uses GitHub repositories and artificial intelligence (AI) development workflows to deliver information-stealing payloads on macOS.
“These repositories masquerade as legitimate tools, including trading bots, SDKs and developer tools, and are designed to appear trustworthy at first glance,” said security researcher Thijs Xhaflaire. “Several of the identified repositories have accumulated significant interactions, in some cases exceeding hundreds of stars, which further strengthens their perceived legitimacy.”
In this campaign, the repositories are initially seeded with broken or non-functional code and left unchanged for a long period to build trust with users before malicious components are introduced. Specifically, the repositories include a README file that instructs developers to run a shell script as part of the installation step.
Some of these repositories also include a SKILL.md file, which targets AI-oriented workflows under the guise of installing external skills for AI agents such as OpenClaw. Whichever entry point is used, the shell script starts a multi-stage infection process that ends with the installation of the stealer. The whole sequence of actions is as follows:
- It detects the host architecture and macOS version, checks whether Node.js is already available, and installs a compatible version if needed. The installation takes place in a user-controlled directory to avoid raising any red flags.
- It invokes “node scripts/setup.js” and “node scripts/postinstall.js,” which execute a JavaScript payload that steals system credentials, retrieves the GhostLoader malware from the command-and-control (C2) server, and removes traces of the activity by wiping the Terminal.
The script also reads an environment variable called “GHOST_PASSWORD_ONLY.” If it is set to 0, the script presents a full interactive installation flow, complete with progress indicators and user prompts. If it is set to 1, the script runs a simplified mode that focuses primarily on credential collection without any additional user interface features.
Interestingly, at least in some cases, the “postinstall.js” script displays a benign success message, saying that the installation was successful and that users can configure the library in their projects by using the “npx react-state-optimizer” command.
According to a report from cloud security company Panther last month, “react-state-optimizer” is one of many npm packages published by “mikilanjillo,” indicating that the two sets of activity are related –
- react-query-core-utils
- react-state-optimizer
- react-fast-utils
- react-performance-suite
- ai-fast-auto-trader
- carbon-mac-copy-cloner
- carbon-mac-copies-cloner
- pkgnewfefame
- darkness
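Because the GitHub-hosted variant is started by a shell script that the developer runs by hand, lockfile auditing does not apply; what a reviewer can do is statically check an installer script for the indicators this article describes before running it. The following Python scanner is an added example, not code from Jamf, ReversingLabs, Panther or the campaign. The indicators taken from the article are the "GHOST_PASSWORD_ONLY" variable, the "node scripts/setup.js" / "node scripts/postinstall.js" invocations, the fake "/usr/local/lib/node_modules" permission error, Telegram and Teletype.in lookups, and the Terminal wipe; the concrete regexes, the hostnames (api.telegram.org, teletype.in), the weights, the threshold and the two sample scripts are assumptions constructed for the demonstration.

```python
"""Static indicator scan for an installer shell script.

Added example for this article, not code from Jamf, ReversingLabs, Panther
or the campaign. Indicator names come from the article; the regexes,
hostnames, weights and threshold are assumptions for the demonstration.
"""
import re
import sys

# (name, regex, weight). Weights are assumed; higher means more specific.
INDICATORS = [
    # Environment variable named in the Jamf analysis.
    ("ghost_password_only_env", r"\bGHOST_PASSWORD_ONLY\b", 5),
    # The two Node scripts the installer invokes, per the article.
    ("ghost_setup_scripts", r"node\s+scripts/(setup|postinstall)\.js", 3),
    # The fake "missing write permissions" error on the global module dir.
    ("fake_global_eacces", r"/usr/local/lib/node_modules", 2),
    # Assumption: common ways a shell script reads a password silently.
    ("password_prompt", r"read\s+-s|sudo\s+-S|[Pp]assword\s*:", 2),
    # Article names Telegram and Teletype.in; hostnames are assumed.
    ("telegram_or_teletype", r"api\.telegram\.org|teletype\.in", 3),
    # Assumption: matches the "wiping the Terminal" step.
    ("history_wipe", r"history\s+-c|rm\s+-[rf]+\s+~/\.(zsh|bash)_history", 2),
]
SUSPICIOUS_THRESHOLD = 5  # assumed; one strong or two medium hits

# Constructed benign installer: installs deps without lifecycle scripts.
BENIGN_INSTALLER = """#!/bin/sh
set -e
ARCH=$(uname -m)
npm install --ignore-scripts
node ./bin/cli.js --help
"""

# Constructed sample carrying only the indicator strings (not a working
# installer): the lines mirror the behaviour the article describes.
SUSPICIOUS_INSTALLER = """#!/bin/bash
GHOST_PASSWORD_ONLY=1
ARCH=$(uname -m)
echo "npm ERR! EACCES: permission denied, access '/usr/local/lib/node_modules'"
read -s -p "Password: " PW
node scripts/setup.js
node scripts/postinstall.js
curl -s "https://api.telegram.org/bot.../getUpdates"
history -c
"""


def scan_script(text: str) -> dict:
    """Return matched indicator names, a weighted score and a verdict."""
    matched = []
    score = 0
    for name, pattern, weight in INDICATORS:
        if re.search(pattern, text):
            matched.append(name)
            score += weight
    return {"matched": matched, "score": score,
            "suspicious": score >= SUSPICIOUS_THRESHOLD}


def is_suspicious(text: str) -> bool:
    return scan_script(text)["suspicious"]


if __name__ == "__main__":
    # Usage: python scan_installer.py [install.sh]; without a path both
    # constructed samples are scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"benign": BENIGN_INSTALLER, "suspicious": SUSPICIOUS_INSTALLER}
    for label, body in samples.items():
        r = scan_script(body)
        print(f"{label}: score={r['score']} suspicious={r['suspicious']} "
              f"matched={', '.join(r['matched']) or '-'}")
```

The scan is deliberately simple and will miss obfuscated or downloaded-at-runtime logic, so a hit should be read as "inspect before running" rather than a verdict; the stronger control remains not running installer scripts from unvetted repositories, however many stars they show.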
“The packages contain a CLI ‘setup wizard’ that tricks developers into entering their sudo password to perform ‘system maintenance,’” said security researcher Alessandra Rizzo. “The captured password is then passed to a stealer payload that targets browser credentials, cryptocurrency wallets, SSH keys, cloud provider configurations, and developer tool tokens.”
“The stolen data is exfiltrated to affiliate-specific Telegram bots based on the campaign identifier embedded in each downloader, with the information stored in the BSC smart contract and updated without modifying the malware itself.”
The initial npm package captures the credentials and downloads its configuration from a Telegram channel or from a Teletype.in page disguised as blockchain documentation before delivering the stealer. According to Panther, the malware uses a dual monetization model, in which the primary revenue comes from information stolen and exfiltrated through affiliate-specific Telegram channels, and secondary revenue comes from URL redirection infrastructure whose addresses are stored in the Binance Smart Chain (BSC) smart contract.
“This campaign highlights the ongoing transformation in the cybercrime industry, where distribution methods are moving beyond traditional package registries into platforms like GitHub and AI-assisted development flows,” Jamf said. “By using trusted ecosystems and common installation processes, attackers are able to launch malicious code in environments with little friction.”