New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware

A new malicious npm campaign using fake installation logs to hide malware activity has been identified by security researchers.

The attacks, discovered by ReversingLabs, involve malicious packages that mimic legitimate software installation processes while secretly downloading and executing malware designed to steal sensitive data and crypto wallets.

The campaign, dubbed the “Ghost campaign,” began in early February and includes several malicious packages with downloader functionality. These packages attempt to obtain a user’s sudo password during installation, which is later used to execute a remote access trojan (RAT) on the victim’s system.

Fake Installation Logs Used as Cover

Researchers found that the malicious packages displayed fake npm install logs to make the installation process appear legitimate.

The logs included messages about downloading dependencies, installation progress bars and random delays to simulate real installation activity. In reality, none of these actions took place.

At one point during the fake installation, users were prompted to enter their sudo password to fix a supposed installation issue or perform optimization tasks. Once entered, the password was used to execute the final malware stage without the user noticing.

Read more on supply chain attacks: Trivy Supply Chain Attack Expands With New Compromised Docker Images

The final malware payload was downloaded from external sources, including a Telegram channel and hidden web3 content. The payload was then decrypted using a key retrieved online and executed locally using the stolen sudo password.

Malware Designed to Steal Crypto and Sensitive Data

The final-stage malware was a remote access trojan capable of stealing crypto wallets, collecting sensitive information and receiving commands from a command-and-control (C2) server. Some versions included additional files that enhanced data theft capabilities.

Researchers noted that several packages shared similar code structures and techniques, suggesting either a new campaign or an early test run of a larger operation. Similar methods were also observed in other recently reported malicious npm packages.

Researchers recommend several steps to reduce exposure to malicious open-source packages:

Verify package authors and repository history
Monitor installation scripts and unusual prompts
Use automated security scanning tools
Avoid entering sudo passwords during package installation

ReversingLabs said they will continue monitoring npm repositories for similar threats and flag malicious packages as they are discovered.

Source link

What's Hot

Cardano shorts dominate 75% of ADA exposure – Is confidence breaking?

Qingdao Prosecutors Rule Bitcoin Qualifies as Property Under Chinese Criminal Law in Landmark Theft Case

ENI, Noos Protocol Advance AI-Powered Coordination Layer for Decentralized Networks

New Npm ‘Ghost Campaign’ Uses Fake Install Logs to Hide Malware

New DeFi entrant widens field of crypto political campaign funds as elections loom

Infosecurity Europe: AI-Powered Cybercrime Tools Surge on Dark Web

U.S. says it seized about $1 billion in Iranian crypto as pressure campaign expands

SEC sues Texas man over $12.3 million alleged crypto scheme built on fake AI trading bots

Cardano: Will rising DEX volumes bear fruit for ADA?

Bitcoin ETF demand cracks after CLARITY Act vote

How to use a VPN for online security and privacy

Top Insights