

Ethical Hacking News

A Sophisticated Ghost Campaign: Unpacking the Malicious npm Packages Targeting Crypto Wallets and Sensitive Data

A campaign tracked as Ghost has been found using seven malicious npm packages to steal cryptocurrency wallets and sensitive data from the developers who install them. The packages impersonate legitimate tools and rely on trusted registries and routine installation steps to run malicious code with minimal friction, and they are tied to a wider GhostClaw effort that also abuses GitHub repositories and AI-assisted development workflows. The campaign marks a significant shift in attacker tradecraft that developers and organizations need to account for.

  • The Ghost campaign uses seven malicious npm packages to steal cryptocurrency wallets and sensitive data from developers.
  • All seven packages were published by the same npm user and pose as legitimate libraries and tools, including react-performance-suite and react-state-optimizer-core.
  • The packages ship a CLI "setup wizard" that tricks developers into entering their sudo password under the pretext of performing system optimizations.
  • The malware implements a dual revenue model: primary income from stolen credentials relayed through partner Telegram channels, and secondary income from affiliate URL redirects stored in a Binance Smart Chain smart contract.
  • The attack leverages trusted ecosystems and standard installation practices to introduce malicious code into environments with minimal friction.

    Researchers at ReversingLabs have uncovered a sophisticated campaign, tracked as Ghost, that uses seven malicious npm packages to steal cryptocurrency wallets and sensitive data from developers. The campaign impersonates legitimate tools and leverages trusted ecosystems, and in its GitHub-hosted variant also AI-assisted development workflows, to introduce malicious code into environments with minimal friction.

    The identified package list, all published by a user named mikilanjillo, includes react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, carbon-mac-copy-cloner, and coinbase-desktop-sdk. These packages contain a CLI "setup wizard" that tricks developers into entering their sudo password to perform "system optimizations." The captured password is then passed to a comprehensive credential stealer payload that harvests browser credentials, cryptocurrency wallets, SSH keys, cloud provider configurations, and developer tool tokens.

    The initial npm package captures credentials and fetches configuration from either a Telegram channel or a Teletype.in page disguised as blockchain documentation to deploy the stealer. Per Panther, the malware implements a dual revenue model, where the primary income is from credential theft relayed through partner Telegram channels, and the secondary income is through affiliate URL redirects stored in a separate Binance Smart Chain (BSC) smart contract.

    The campaign highlights a continued shift in attacker tradecraft, where distribution methods extend beyond traditional package registries into platforms such as GitHub and emerging AI-assisted development workflows. By leveraging trusted ecosystems and standard installation practices, attackers are able to introduce malicious code into environments with minimal friction.

    In an analysis published last week by Jamf Threat Labs, it was revealed that the GhostClaw campaign uses GitHub repositories and artificial intelligence (AI)-assisted development workflows to deliver credential-stealing payloads on macOS. These repositories impersonate legitimate tools, including trading bots, SDKs, and developer utilities, and are designed to appear credible at a glance.

    The repositories feature a README file that guides developers to execute a shell script as part of the installation step. A variant of these repositories features a SKILL.md file instead, targeting AI-oriented workflows under the guise of installing external skills through AI agents such as OpenClaw. Regardless of the entry point, the shell script initiates a multi-stage infection process that ends with the deployment of a stealer.

    The entire sequence of actions involves identifying the host architecture and macOS version, checking if Node.js is already present, and installing a compatible version if required. The installation takes place in a user-controlled directory to avoid raising any red flags. It invokes "node scripts/setup.js" and "node scripts/postinstall.js," causing the execution to transition to JavaScript payloads, enabling it to steal system credentials, deliver the GhostLoader malware by contacting a command-and-control (C2) server, and remove traces of malicious activity by clearing the Terminal.

    The script also honours an environment variable named "GHOST_PASSWORD_ONLY". When it is set to 0, the script presents a full interactive installation flow, complete with progress indicators and user prompts; when it is set to 1, it takes a simplified execution path focused on credential collection without any extra user-interface elements.

    Interestingly, in at least some cases, the "postinstall.js" script displays a benign success message, stating the installation was successful and that users can configure the library in their projects by running the "npx react-state-optimizer" command. This is further evidence of the campaign's sophistication, as it attempts to build trust among users before introducing malicious components.

    In conclusion, the Ghost campaign shows distribution moving beyond the package registry itself into GitHub repositories and AI-agent skill installs, while still relying on the most ordinary of steps: an npm install that runs a postinstall script, a README that asks for a shell script to be executed, and a setup wizard that asks for a sudo password. Each of those steps is a point where a developer or a build pipeline can refuse to proceed, and treating an install-time request for elevated credentials as a red flag rather than a convenience is the most direct lesson of this campaign.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/A-Sophisticated-Ghost-Campaign-Unpacking-the-Malicious-npm-Packages-Targeting-Crypto-Wallets-and-Sensitive-Data-ehn.shtml

  • https://thehackernews.com/2026/03/ghost-campaign-uses-7-npm-packages-to.html

  • Published: Tue Mar 24 09:03:43 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.
