CYBERSECURITY researchers have uncovered the Ghost campaign, a new set of malicious npm packages designed to steal cryptocurrency wallets and sensitive data, which they track as a coordinated attack on developer environments. The packages, all published by a user named mikilanjillo, are: react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, carbon-mac-copy-cloner, and coinbase-desktop-sdk.
According to ReversingLabs, the packages phish for sudo passwords in order to run the final payload, and try to hide their true function by displaying fake npm install logs. The campaign uses a multi-stage infection chain: it prompts the user for root or administrator credentials, then retrieves a next-stage downloader from a Telegram channel, which in turn fetches the final payload, a remote access trojan capable of harvesting wallet data and other credentials.
ReversingLabs also notes overlaps with GhostClaw activity documented earlier by JFrog, raising questions about whether the campaigns share the same threat actor.