New npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware
ReversingLabs has uncovered a malicious npm campaign dubbed 'Ghost' that uses fake installation logs to conceal a remote access trojan targeting crypto wallets and sensitive data.

Security researchers at ReversingLabs have identified a new malicious npm campaign, dubbed the 'Ghost campaign,' that uses fake installation logs to conceal malware activity. The campaign, which began in early February, involves malicious packages that mimic legitimate software installation processes while secretly downloading and executing a remote access trojan (RAT) designed to steal sensitive data and cryptocurrency wallets.
The malicious packages display fake npm install logs to make the installation process appear legitimate. These logs include messages about downloading dependencies, installation progress bars, and random delays to simulate real installation activity. In reality, none of these actions take place. At one point during the fake installation, users are prompted to enter their sudo password to fix a supposed installation issue or perform optimization tasks. Once entered, the password is used to execute the final malware stage without the user noticing.
The final malware payload is downloaded from external sources, including a Telegram channel and hidden web3 content. The payload is then decrypted using a key retrieved online and executed locally using the stolen sudo password. The final-stage malware is a remote access trojan capable of stealing crypto wallets, collecting sensitive information, and receiving commands from a command-and-control (C2) server. Some versions include additional files that enhance data theft capabilities.
Researchers noted that several packages share similar code structures and techniques, suggesting either a new campaign or an early test run of a larger operation. Similar methods have also been observed in other recently reported malicious npm packages. The campaign targets npm users, a community that has been increasingly targeted by supply-chain attacks.
To reduce exposure to malicious open-source packages, researchers recommend verifying package authors and repository history, monitoring installation scripts and unusual prompts, using automated security scanning tools, and avoiding entering sudo passwords during package installation. ReversingLabs said they will continue monitoring npm repositories for similar threats and flag malicious packages as they are discovered.
The Ghost campaign highlights the evolving sophistication of supply-chain attacks, where attackers are not only embedding malware in packages but also actively deceiving users during the installation process. The use of fake installation logs and sudo password harvesting represents a new level of social engineering in the npm ecosystem, which has seen a surge in malicious activity in recent months.