Cybersecurity researchers have identified a malicious campaign, tracked as Ghost, that uses deceptive npm packages to steal cryptocurrency wallets and sensitive user data. The packages pose as legitimate developer tools or AI utilities and trick users into entering their administrator password, which the installer then uses to run a multi-stage infection chain on macOS and Linux systems.
A new series of malicious npm packages has been discovered targeting developers in order to harvest sensitive information and cryptocurrency assets. Tracked as the Ghost campaign by ReversingLabs, the libraries are published under plausible names such as react-performance-suite and coinbase-desktop-sdk. To avoid raising suspicion, the installer prints fake installation logs and inserts random delays so that the run looks like an ordinary package setup. The social engineering is designed to lower the victim's guard before the malicious phase begins.
The attack relies on phishing for elevated privileges: the installer claims to have hit an error because it lacks write permission to the node_modules directory, then prompts the user for their root or administrator password to continue. Once the password is entered, the malware silently fetches a second-stage downloader. That component contacts a Telegram channel to retrieve a decryption key and the URL of the final payload, so the infection proceeds with no further user interaction.
The campaign culminates in the deployment of a remote access trojan that targets cryptocurrency wallets and collects system data while waiting for commands from a command-and-control server. Recent findings from Jamf Threat Labs suggest that the actors also use GitHub repositories and AI-assisted workflows to distribute the stealer. By seeding repositories with benign code and accumulating stars, the attackers build up an appearance of legitimacy over time before introducing the malicious scripts.
Technical analysis shows that the infection scripts are tailored for macOS and check the host architecture and Node.js version before acting. Depending on environment variables, the malware runs in one of several modes: a full interactive installation flow that maintains the ruse, or a stripped-down path focused solely on credential collection. In many cases the process ends with a success message and instructions on how to configure the fake library, leaving the victim with no reason to suspect a compromise.
While ReversingLabs notes overlaps between this activity and a cluster previously identified as GhostClaw, it remains unclear whether the two campaigns are the work of a single actor. The use of deceptive README files and agent-facing files such as SKILL.md specifically targets users of AI coding agents and modern development frameworks. The shift in tactics reflects a growing trend of threat actors exploiting the trust placed in open-source ecosystems and automated development tooling to compromise high-value targets.
Source: https://panther.com/blog/phantom-menace-the-ghost-loader-infostealer-campaign