A new malicious npm campaign using fake installation logs to hide malware activity has been identified by security researchers.
The attacks, discovered by ReversingLabs, involve malicious packages that mimic legitimate software installation processes while secretly downloading and executing malware designed to steal sensitive data and crypto wallets.
The campaign, dubbed the “Ghost campaign,” began in early February and includes several malicious packages with downloader functionality. These packages attempt to obtain a user’s sudo password during installation, which is later used to execute a remote access trojan (RAT) on the victim’s system.
Fake Installation Logs Used as Cover
Researchers found that the malicious packages displayed fake npm install logs to make the installation process appear legitimate.
The logs included messages about downloading dependencies, installation progress bars and random delays to simulate real installation activity. In reality, none of these actions took place.
At one point during the fake installation, users were prompted to enter their sudo password to fix a supposed installation issue or perform optimization tasks. Once entered, the password was used to execute the final malware stage without the user noticing.
Read more on supply chain attacks: Trivy Supply Chain Attack Expands With New Compromised Docker Images
The final malware payload was downloaded from external sources, including a Telegram channel and hidden web3 content. The payload was then decrypted using a key retrieved online and executed locally using the stolen sudo password.
Malware Designed to Steal Crypto and Sensitive Data
The final-stage malware was a remote access trojan capable of stealing crypto wallets, collecting sensitive information and receiving commands from a command-and-control (C2) server. Some versions included additional files that enhanced data theft capabilities.
Researchers noted that several packages shared similar code structures and techniques, suggesting either a new campaign or an early test run of a larger operation. Similar methods were also observed in other recently reported malicious npm packages.
Researchers recommend several steps to reduce exposure to malicious open-source packages:
-
Verify package authors and repository history
-
Monitor installation scripts and unusual prompts
-
Use automated security scanning tools
-
Avoid entering sudo passwords during package installation
ReversingLabs said they will continue monitoring npm repositories for similar threats and flag malicious packages as they are discovered.
