A sophisticated software supply chain attack has emerged, targeting developers through the npm package registry. This campaign employs fake installation messages to mask malicious activities, posing significant risks to developer systems.
The Ghost Campaign Unveiled
Security researchers have identified this campaign, dubbed the ‘Ghost campaign,’ which commenced in early February 2026. It involves npm packages designed to trick developers into divulging system credentials while secretly deploying a remote access trojan (RAT).
Upon installing one of these packages, developers see what appears to be a typical npm installation. The process includes log messages, a progress bar, and deliberate delays, creating an illusion of legitimacy. However, the packages listed for download do not exist; their names are randomly generated from a hardcoded list, making it challenging even for seasoned developers to detect the deception.
Technical Insights and Package Details
ReversingLabs analysts discovered the malicious activities tied to seven npm packages, all published by a user named ‘mikilanjillo.’ The flagged packages include ‘react-performance-suite,’ ‘react-state-optimizer-core,’ ‘react-fast-utilsa,’ ‘ai-fast-auto-trader,’ ‘pkgnewfefame1,’ ‘carbon-mac-copy-cloner,’ and ‘coinbase-desktop-sdk.’
The campaign’s use of fake installation logs is a novel tactic, reflecting a shift in how threat actors try to avoid detection in open-source ecosystems. The final stage of the attack is a RAT designed to steal cryptocurrency wallets and sensitive data, executing commands issued remotely from an attacker-controlled server.
Persistent Threat and Protective Measures
The campaign’s scope extends beyond the initially identified packages. In March 2026, JFrog documented a similar campaign named GhostClaw, sharing techniques and infrastructure with the Ghost campaign. Analysis by Jamf Threat Labs revealed the spread of this threat through GitHub repositories masked as legitimate developer tools.
This campaign’s most deceptive tactic involves tricking developers into entering their sudo password. During installation, fake error messages prompt users to provide root access, making the request appear routine. Once the password is entered, the malware downloader operates unnoticed, retrieving payload URLs and decryption keys from a Telegram channel.
Developers are urged never to enter sudo passwords when prompted by npm packages. They should verify package authors and repository histories and utilize automated security scanning tools to detect suspicious scripts. Organizations should enforce stringent dependency review workflows and treat password prompts during software installs as red flags.
Staying vigilant and informed about these threats is crucial as cyber attackers continue to evolve their methods. By implementing robust security measures, developers and organizations can better protect their systems from such sophisticated attacks.
