
Ghost Campaign: Malicious npm Packages Target Crypto Wallets and Credentials Through Deceptive Installation Methods

  • Mar 25

Key Findings


  • Seven malicious npm packages, tracked as the "Ghost campaign", designed to steal cryptocurrency wallets and credentials

  • Packages use sophisticated social engineering tactics including fake installation logs and sudo password phishing

  • Attack chain culminates in remote access trojan capable of harvesting sensitive data and awaiting attacker commands

  • Activity shares overlap with GhostClaw campaign, suggesting possible connection between threat actors

  • Packages published under username "mikilanjillo" accumulated significant user trust before introducing malicious code


Background


Cybersecurity researchers at ReversingLabs have identified a coordinated campaign distributing malicious npm packages designed to compromise cryptocurrency wallets and steal sensitive credentials. The seven identified packages include react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, and coinbase-desktop-sdk. All were published by a user named mikilanjillo. The campaign employs sophisticated deception techniques to disguise its true functionality while collecting sensitive data from developers who install the compromised libraries.


Deceptive Installation Techniques


The malware employs multiple tactics to trick users during the installation process. The packages display fake npm install logs and insert random delays to create the appearance of legitimate installation activity. At a critical point, users encounter a fabricated error message claiming missing write permissions to "/usr/local/lib/node_modules," the default Node.js installation directory on Linux and macOS systems. The packages then prompt users to enter their root or administrator password to continue. Should victims comply, the malware silently retrieves the next-stage downloader without their knowledge.


Multi-Stage Infection Process


Once a user provides their password, the attack unfolds in predetermined stages. The next-stage downloader contacts a Telegram channel to retrieve both the URL for the final payload and the decryption key needed to unlock it. This approach keeps the attack infrastructure distributed and difficult to track. The final stage deploys a remote access trojan capable of harvesting arbitrary data, targeting cryptocurrency wallets specifically, and remaining dormant while awaiting instructions from an external command-and-control server. The attacker maintains persistent access and can execute additional malicious commands as needed.


Connection to GhostClaw Campaign


ReversingLabs noted significant overlaps between this Ghost campaign and activity documented by JFrog under the name GhostClaw earlier this month. The GhostClaw campaign similarly targets macOS systems and uses GitHub repositories impersonating legitimate tools including trading bots, SDKs, and developer utilities. These repositories accumulated hundreds of stars and built user trust before introducing malicious code. Both campaigns share the methodology of initial benign code followed by a gradual introduction of malicious components. However, researchers have not yet confirmed whether these represent the same threat actor operating under different names or entirely separate campaigns with similar tactics.


macOS-Specific Attack Variants


The GhostClaw operations employ additional techniques tailored to macOS systems. Repositories include README files instructing developers to execute shell scripts during installation. Some variants feature SKILL.md files targeting AI-oriented workflows through fake AI agent installations such as OpenClaw. The shell scripts identify the host architecture and macOS version, check for the presence of Node.js, and install compatible versions in user-controlled directories to avoid detection. The infection then transitions to JavaScript payloads through "setup.js" and "postinstall.js" scripts. The attackers include an environment variable called "GHOST_PASSWORD_ONLY" that switches between a full interactive installation flow with progress indicators and a simplified credential-collection-only mode. Notably, the postinstall script displays a benign success message directing users to configure the library normally, masking the malicious activity that has already occurred.


Expanded Package List


Investigation revealed that "mikilanjillo" published numerous other malicious packages beyond the initial seven, including react-query-core-utils, react-state-optimizer, react-fast-utils, carbon-mac-copy-cloner, carbon-mac-copys-cloner, pkgnewfefame, and darkslash. These packages employ similar CLI setup wizards designed to socially engineer developers into providing sudo passwords. The extensive package list and consistent naming patterns suggest a deliberate campaign to cast a wide net across the npm ecosystem and compromise as many developers as possible.


Sources


  • https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html

  • https://x.com/Dinosn/status/2036418383382561278

  • https://www.reddit.com/r/pwnhub/comments/1s2dlpd/ghost_campaign_uses_7_npm_packages_to_steal/

  • https://www.infosecurity-magazine.com/news/npm-ghost-campaign-fake-install/

© 2025 by Explain IT Again. Powered and secured by Wix