Ghost Campaign Deploys 7 Malicious npm Packages to Steal Crypto Wallets and Credentials


ReversingLabs researchers have identified seven malicious npm packages, tracked as the Ghost campaign, that are built to steal cryptocurrency wallets and credentials from the developers who install them. The campaign is another case of attackers abusing a trusted software ecosystem rather than attacking a target directly.

Overview of the Ghost Campaign

The Ghost campaign has been linked to a user named “mikilanjillo,” who has published several malicious packages on the npm registry. The identified packages include:

  • react-performance-suite
  • react-state-optimizer-core
  • react-fast-utilsa
  • ai-fast-auto-trader
  • pkgnewfefame1
  • carbon-mac-copy-cloner
  • coinbase-desktop-sdk

Lucija Valentić, a software threat researcher at ReversingLabs, noted that the packages disguise what they do: they print output that imitates npm's own installation log while phishing for the sudo password that the final stage of the attack needs.

Technical Mechanisms of the Attack

The install-time code in these packages prints fake progress lines claiming to download additional packages and inserts random delays so that the output looks like a real installation. It then prints a fabricated error, claiming the install failed for lack of write permission to the default directory for globally installed Node.js packages on Linux and macOS.

Victims are prompted to enter their root or administrator password to "fix" the error. npm itself never asks for a password, so the prompt is the tell, but a user who complies hands over sudo access. The malware then silently retrieves a downloader that contacts a Telegram channel to obtain the URL of the final payload and the key to decrypt it. The result is a remote access trojan that harvests sensitive data, with a focus on cryptocurrency wallets, and waits for further instructions from an external command-and-control server.
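As an added example (my own code, not ReversingLabs' tooling or anything from the packages themselves), the following Node.js script audits an unpacked package for the install-time hooks and behaviours described above: lifecycle scripts in package.json, imitation npm output, a fabricated permission error, a password prompt, sudo, Telegram, artificial delays and install-time downloads. The sample package, the rule names and the scoring thresholds are constructed for the demonstration.

```javascript
// Added example (my own code, not ReversingLabs' tooling or the packages'
// code): a static audit of an unpacked npm package for install-time hooks and
// for the behaviours the Ghost chain relies on. Rule names, the verdict
// thresholds and the sample package are constructed for this demonstration.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic rules. Each hit is only a signal; the verdict needs a hook plus
// several distinct hits, since a single match (e.g. an https URL) is common.
const RULES = [
  { id: 'sudo',       re: /\bsudo\b/,                                  why: 'invokes sudo; npm never needs your password' },
  { id: 'password',   re: /password/i,                                 why: 'mentions a password in install-time code' },
  { id: 'tty-prompt', re: /readline|prompt\(|\/dev\/tty/,              why: 'reads interactive input during install' },
  { id: 'fake-log',   re: /npm (WARN|ERR!|notice)/,                    why: 'prints strings that imitate npm\'s own output' },
  { id: 'eacces',     re: /EACCES|permission denied/i,                 why: 'prints its own permission error (the Ghost lure)' },
  { id: 'telegram',   re: /api\.telegram\.org/,                        why: 'talks to the Telegram Bot API (dead drop / exfil)' },
  { id: 'download',   re: /\b(curl|wget)\b|https?:\/\/|fetch\(/,       why: 'fetches remote content at install time' },
  { id: 'exec',       re: /child_process|exec(Sync)?\(|spawn(Sync)?\(|\beval\(/, why: 'spawns processes or evaluates code' },
  { id: 'host-probe', re: /uname -m|sw_vers|nodejs\.org\/dist/,        why: 'probes OS/arch or fetches a Node build (GhostClaw staging)' },
  { id: 'delay',      re: /setTimeout|\bsleep\b/,                      why: 'artificial delays that mimic a real install' },
];

// pkg: the parsed package.json; files: { relativePath: text } for the unpacked
// tarball. Returns the hooks present and every rule hit with its location.
function auditPackage(pkg, files) {
  const scripts = (pkg && pkg.scripts) || {};
  const hooks = LIFECYCLE_HOOKS.filter((h) => typeof scripts[h] === 'string');
  const findings = [];
  const scan = (file, text) => {
    text.split('\n').forEach((line, i) => {
      for (const r of RULES) {
        if (r.re.test(line)) findings.push({ file, line: i + 1, rule: r.id, why: r.why });
      }
    });
  };
  for (const h of hooks) scan(`package.json#scripts.${h}`, scripts[h]);
  for (const [path, text] of Object.entries(files)) {
    if (/\.(c?js|mjs|sh)$/.test(path)) scan(path, text);
  }
  return { hooks, findings };
}

// A package with no lifecycle hook cannot run code at install time (it can still
// run when required, which is out of scope here), so the verdict hinges on hooks
// first and on the variety of suspicious behaviour second.
function verdict({ hooks, findings }) {
  const distinct = new Set(findings.map((f) => f.rule));
  if (hooks.length === 0) return 'CLEAN';
  return distinct.size >= 2 ? 'REVIEW' : 'HOOKS-ONLY';
}

// Constructed sample mirroring the behaviour described above (not a real package).
const samplePkg = { name: 'example-perf-suite', version: '1.0.0', scripts: { postinstall: 'node lib/setup.js' } };
const sampleFiles = {
  'lib/setup.js': [
    "const { execSync } = require('child_process');",
    "console.log('npm WARN deprecated ...');     // imitates npm output",
    'setTimeout(() => {}, 1200 + Math.random() * 2000);',
    "console.error('npm ERR! code EACCES');",
    "process.stdout.write('Password: ');         // phishes for the sudo password",
    "// execSync('sudo -S ...') and fetch('https://api.telegram.org/bot...') would follow",
    'module.exports = {};',
  ].join('\n'),
  'index.js': 'module.exports = function perf() { return 1; };',
};

const sampleReport = auditPackage(samplePkg, sampleFiles);
console.log(verdict(sampleReport), sampleReport.hooks,
  sampleReport.findings.map((f) => `${f.file}:${f.line} ${f.rule}`));
```

Run it over the output of `npm pack` before a dependency is installed. The simplest hardening is to stop install hooks from running at all with `npm config set ignore-scripts true` (or `npm install --ignore-scripts`) and to enable them deliberately only for packages that genuinely need a build step. The rule the lure exploits bears repeating: npm never asks for a password, so a `Password:` prompt during an install is the signal to stop, not to comply.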

Connections to GhostClaw

ReversingLabs has noted that the Ghost campaign shares similarities with another activity cluster documented by JFrog, referred to as GhostClaw. Whether both campaigns come from the same threat actor remains unclear, but the overlap in tactics is notable.

GhostClaw’s Approach

According to Jamf Threat Labs, the GhostClaw campaign leverages GitHub repositories and AI-assisted development workflows to deliver credential-stealing payloads targeting macOS systems. These repositories often impersonate legitimate tools, such as trading bots and developer utilities, to appear credible.

Thijs Xhaflaire, a security researcher, indicated that many of these repositories have gathered significant engagement, sometimes hundreds of stars, which enhances their perceived legitimacy (star counts can be bought or botted, so they are not a trust signal). Initially the repositories contain benign or partially functional code, allowing them to build trust among users before the malicious components are introduced.

The installation process typically involves executing a shell script that initiates a multi-stage infection, ultimately leading to the deployment of a stealer. The sequence of actions includes:

  • Identifying the host architecture and macOS version, and installing a compatible Node.js version if necessary.
  • Invoking scripts that transition execution to JavaScript payloads, enabling the theft of system credentials and the delivery of the GhostLoader malware.

Credential Theft and Data Exfiltration

The malicious packages ship a command-line interface (CLI) "setup wizard" that tricks developers into entering their sudo password under the guise of performing system optimizations. Alessandra Rizzo, a security researcher, explained that the captured password is then used by a comprehensive credential-stealing payload that harvests browser credentials, cryptocurrency wallets, SSH keys and cloud provider configurations.

Stolen data is routed to partner-specific Telegram bots, with the bot credentials stored in a Binance Smart Chain (BSC) smart contract. This gives the operators a dual revenue model: profit from the stolen credentials, plus affiliate URL redirects planted on the victim's machine.
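The two moments in these chains that endpoint telemetry can see are the sudo process spawned beneath an install (the npm lifecycle script in Ghost; the cloned repository's shell script and its Node.js stages in GhostClaw, as listed above) and the connection to the Telegram Bot API for the payload URL or for exfiltration. The following is an added detection example of my own, not tooling from ReversingLabs, Jamf or JFrog. The event schema and the sample events are constructed, and the install-root heuristic (a package-manager or shell process with an install-like command line) is an assumption to tune for your environment.

```javascript
// Added example (my own, not from ReversingLabs, Jamf or JFrog): a behavioural
// rule over endpoint process and network events that flags a sudo process whose
// ancestry leads back to a package install or a repository's install script,
// and a connection to the Telegram Bot API from that same ancestry. The event
// schema ({pid, ppid, name, cmd, dst}) and the events are constructed for this
// demonstration; map them onto your EDR's fields.
const INSTALL_ROOT_NAME = /^(npm|npx|yarn|pnpm|bash|sh|zsh)$/;
const INSTALL_ROOT_CMD = /\b(install|ci|add)\b|install\.sh|setup\.sh/;
const DEAD_DROP_HOST = /(^|\.)telegram\.org$/;   // api.telegram.org serves the payload URL and the exfil bots

function isInstallRoot(ev) {
  return INSTALL_ROOT_NAME.test(ev.name) && INSTALL_ROOT_CMD.test(ev.cmd);
}

// Walks parent pointers from `pid` to the root, returning the processes passed,
// nearest first; the `seen` set guards against pid reuse producing a cycle.
function ancestry(byPid, pid) {
  const chain = [];
  const seen = new Set();
  for (let cur = byPid.get(pid); cur && !seen.has(cur.pid); cur = byPid.get(cur.ppid)) {
    seen.add(cur.pid);
    chain.push(cur);
  }
  return chain;
}

// events: process-start events (one per pid) and network events (same pid, with
// `dst`). The first event seen for a pid is treated as its process start.
function detect(events) {
  const byPid = new Map();
  for (const ev of events) if (!byPid.has(ev.pid)) byPid.set(ev.pid, ev);
  const alerts = [];
  for (const ev of events) {
    const root = ancestry(byPid, ev.pid).find(isInstallRoot);
    if (!root) continue;                       // not descended from an install
    if (ev.name === 'sudo') {
      alerts.push({ rule: 'sudo-under-install', pid: ev.pid, root: root.pid, detail: ev.cmd });
    }
    if (ev.dst && DEAD_DROP_HOST.test(ev.dst)) {
      alerts.push({ rule: 'telegram-from-install', pid: ev.pid, root: root.pid, detail: ev.dst });
    }
  }
  return alerts;
}

// Constructed events: a Ghost-style npm install, a GhostClaw-style install.sh,
// and two benign look-alikes that must not fire.
const sampleEvents = [
  { pid: 100, ppid: 1,   name: 'zsh',     cmd: 'zsh' },
  { pid: 200, ppid: 100, name: 'npm',     cmd: 'npm install example-perf-suite' },
  { pid: 210, ppid: 200, name: 'sh',      cmd: 'sh -c "node lib/setup.js"' },
  { pid: 220, ppid: 210, name: 'node',    cmd: 'node lib/setup.js' },
  { pid: 220, ppid: 210, name: 'node',    cmd: 'node lib/setup.js', dst: 'api.telegram.org' },
  { pid: 230, ppid: 220, name: 'sudo',    cmd: 'sudo -S sh' },          // password fed on stdin (constructed)
  { pid: 300, ppid: 100, name: 'sudo',    cmd: 'sudo brew services restart postgresql' }, // the developer's own sudo
  { pid: 400, ppid: 1,   name: 'firefox', cmd: 'firefox', dst: 'nodejs.org' },             // unrelated browser traffic
  { pid: 500, ppid: 100, name: 'bash',    cmd: 'bash ./install.sh' },   // cloned "trading bot" repo
  { pid: 510, ppid: 500, name: 'node',    cmd: 'node stage.js' },
  { pid: 520, ppid: 510, name: 'sudo',    cmd: 'sudo -S sh' },
];

const sampleAlerts = detect(sampleEvents);
console.log(sampleAlerts);
```

A legitimate `sudo npm install -g` does not fire, because there sudo is the ancestor of npm rather than a descendant, and a developer's own sudo from the terminal sits outside any install ancestry. Feed the rule EDR process-creation and network-connection events joined on pid, and expect to tune the install-root heuristic to the package managers and build scripts your teams actually use.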

Evolving Threat Landscape

The Ghost and GhostClaw campaigns show attackers extending their distribution beyond package registries to GitHub repositories and AI-assisted development workflows, placing malicious code directly in the environments developers trust. For organizations that depend on open-source software, the practical consequences are install-time hooks that must be treated as untrusted code, password prompts during installs that must be treated as phishing, and sudo passwords, SSH keys, cloud configurations and wallet material that must be rotated if such a package or repository was ever run.

This summary draws on publicly available thehackernews.com reporting on the Ghost campaign.
