Cybersecurity researchers have uncovered a new set of malicious npm packages that are designed to steal cryptocurrency wallets and sensitive data.
The activity is being tracked by ReversingLabs as the Ghost campaign. The list of identified packages, all published by a user named mikilanjillo, is below –
- react-performance-suite
- react-state-optimizer-core
- react-fast-utilsa
- ai-fast-auto-trader
- pkgnewfefame1
- carbon-mac-copy-cloner
- coinbase-desktop-sdk
“The packages themselves are phishing for sudo password with which the last stage is executed, and are trying to hide their real functionality and avoid detection in a sophisticated way: displaying fake npm install logs,” Lucija Valentić, software threat researcher at ReversingLabs, said in a report shared with The Hacker News.
The identified Node.js libraries, besides falsely claiming to download additional packages, insert random delays to give the impression that the installation process is underway. At one point during this step, the user is alerted that the installation is running into an error due to missing write permissions to “/usr/local/lib/node_modules,” which is the default location for globally installed Node.js packages on Linux and macOS systems.
It also instructs the victim to enter their root or administrator password to continue with the installation. Should they enter the password, the malware then silently retrieves the next-stage downloader, which then reaches out to a Telegram channel to fetch the URL for the final payload and the key required to decrypt it.
The attack culminates with the deployment of a remote access trojan that’s capable of harvesting data, targeting cryptocurrency wallets, and awaiting further instructions from an external server.
ReversingLabs said the activity overlaps with an activity cluster documented by JFrog under the name GhostClaw earlier this month, although it's currently not known whether it's the work of the same threat actor or an entirely new campaign.
GhostClaw Uses GitHub Repositories and AI Workflows to Deliver macOS Stealer
Jamf Threat Labs, in an analysis published last week, said the GhostClaw campaign uses GitHub repositories and artificial intelligence (AI)-assisted development workflows to deliver credential-stealing payloads on macOS.
“These repositories impersonate legitimate tools, including trading bots, SDKs and developer utilities, and are designed to appear credible at a glance,” security researcher Thijs Xhaflaire said. “Several of the identified repositories have accumulated significant engagement, in some cases exceeding hundreds of stars, further reinforcing their perceived legitimacy.”
In this campaign, the repositories are initially populated with benign or partially functional code and left unchanged for an extended period of time to build trust among users before introducing malicious components. Specifically, the repositories feature a README file that guides developers to execute a shell script as part of the installation step.
A variant of these repositories features a SKILL.md file, primarily targeting AI-oriented workflows under the guise of installing external skills through AI agents like OpenClaw. Regardless of the method used, the shell script initiates a multi-stage infection process that ends with the deployment of a stealer. The entire sequence of actions is as follows –
- It identifies the host architecture and macOS version, checks if Node.js is already present, and installs a compatible version if required. The installation takes place in a user-controlled directory to avoid raising any red flags.
- It invokes “node scripts/setup.js” and “node scripts/postinstall.js,” causing the execution to transition to JavaScript payloads, enabling it to steal system credentials, deliver the GhostLoader malware by contacting a command-and-control (C2) server, and remove traces of malicious activity by clearing the Terminal.
The script also comes with an environment variable named “GHOST_PASSWORD_ONLY,” which, when set to zero, presents a full interactive installation flow, complete with progress indicators and user prompts. If it’s set to 1, the script launches a simplified execution path focused primarily on credential collection without any extra user interface elements.
Interestingly, in at least some cases, the “postinstall.js” script displays a benign success message, stating the installation was successful and that users can configure the library in their projects by running the “npx react-state-optimizer” command.
According to a report from cloud security company Panther last month, “react-state-optimizer” is among several npm packages published by “mikilanjillo,” indicating that the two clusters of activity are one and the same –
- react-query-core-utils
- react-state-optimizer
- react-fast-utils
- react-performance-suite
- ai-fast-auto-trader
- carbon-mac-copy-cloner
- carbon-mac-copys-cloner
- pkgnewfefame
- darkslash
“The packages contain a CLI ‘setup wizard’ that tricks developers into entering their sudo password to perform ‘system optimizations,’” security researcher Alessandra Rizzo said. “The captured password is then passed to a comprehensive credential stealer payload that harvests browser credentials, cryptocurrency wallets, SSH keys, cloud provider configurations, and developer tool tokens.”
“Stolen data is routed to partner-specific Telegram bots based on a campaign identifier embedded in each loader, with credentials stored in the BSC smart contract and updated without modifying the malware itself.”
The initial npm package captures credentials and fetches configuration from either a Telegram channel or a Teletype.in page that’s disguised as blockchain documentation to deploy the stealer. Per Panther, the malware implements a dual revenue model, where the primary income is from credential theft relayed through partner Telegram channels, and the secondary income is through affiliate URL redirects stored in a separate Binance Smart Chain (BSC) smart contract.
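The common thread across both clusters is a package that runs code at install time and then prompts for a sudo password. A defender-side check a security engineer could run against a project tree is shown below. It is an added example written for this article, not code from ReversingLabs, Jamf or Panther: it walks `node_modules`, flags any package whose name matches the names reported above, and reports every npm lifecycle hook (`preinstall`, `install`, `postinstall`, `prepare`) that would execute during `npm install`, with a further note when that hook references a bundled setup script or `sudo`. The blocklist is copied from the package names on this page and would need to be fed from a current threat-intelligence source in practice; the sample manifests at the bottom are constructed.

```python
"""Audit node_modules for reported package names and install-time scripts.

Added example for illustration; not code from ReversingLabs, Jamf or Panther.
The blocklist below is copied from the package names reported in the article
and is assumed to be replaced by a live threat-intel feed in real use.
"""
import json
import os
from typing import Dict, List

# Package names reported as malicious in the article (Ghost / GhostClaw clusters).
REPORTED_PACKAGES = frozenset({
    "react-performance-suite", "react-state-optimizer-core", "react-fast-utilsa",
    "ai-fast-auto-trader", "pkgnewfefame1", "carbon-mac-copy-cloner",
    "coinbase-desktop-sdk", "react-query-core-utils", "react-state-optimizer",
    "react-fast-utils", "carbon-mac-copys-cloner", "pkgnewfefame", "darkslash",
})

# npm runs these hooks automatically during `npm install` unless ignore-scripts is set.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristic tokens (assumed, based on the behaviour described in the article):
# a front-end library that spawns node on a bundled setup script, or that
# mentions sudo, deserves a manual look before the install is trusted.
SUSPICIOUS_TOKENS = ("scripts/setup.js", "scripts/postinstall.js", "sudo")


def audit_package(manifest: dict) -> List[str]:
    """Return a list of human-readable findings for one parsed package.json."""
    findings: List[str] = []
    name = manifest.get("name", "<unnamed>")
    if name in REPORTED_PACKAGES:
        findings.append(f"{name}: name matches a package reported as malicious")
    scripts = manifest.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        findings.append(f"{name}: runs a '{hook}' lifecycle script: {cmd}")
        for token in SUSPICIOUS_TOKENS:
            if token in cmd:
                findings.append(f"{name}: '{hook}' script references '{token}'")
    return findings


def audit_node_modules(root: str) -> Dict[str, List[str]]:
    """Walk root/node_modules/**/package.json and collect findings keyed by path."""
    results: Dict[str, List[str]] = {}
    modules_dir = os.path.join(root, "node_modules")
    for dirpath, dirnames, filenames in os.walk(modules_dir):
        # .bin holds symlinks to executables, not package manifests.
        dirnames[:] = [d for d in dirnames if d != ".bin"]
        if "package.json" not in filenames:
            continue
        path = os.path.join(dirpath, "package.json")
        try:
            with open(path, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip, do not crash the scan
        findings = audit_package(manifest)
        if findings:
            results[path] = findings
    return results


# Constructed sample manifests standing in for installed package.json files.
SAMPLE_MALICIOUS = {
    "name": "react-state-optimizer",
    "version": "1.0.0",
    "scripts": {"postinstall": "node scripts/postinstall.js"},
}
SAMPLE_BENIGN = {"name": "example-ui-lib", "version": "1.0.0", "scripts": {"test": "jest"}}

if __name__ == "__main__":
    for m in (SAMPLE_MALICIOUS, SAMPLE_BENIGN):
        print(m["name"], "->", audit_package(m) or "no findings")
    for path, notes in audit_node_modules(".").items():
        print(path)
        for note in notes:
            print("   ", note)
```

Run it from a project root after `npm install` to list every package that would have executed code during installation. The lifecycle-hook finding is the durable signal here: package names rotate (the article itself lists near-duplicates such as `react-fast-utils` and `react-fast-utilsa`), but a library that needs a `postinstall` hook, prints installer-style progress, and then asks for a root password is the pattern both ReversingLabs and Panther describe. Installing with npm's `ignore-scripts` setting enabled, then reviewing and running only the hooks that are actually needed, removes the install-time execution that this campaign depends on.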
“This campaign highlights a continued shift in attacker tradecraft, where distribution methods extend beyond traditional package registries into platforms such as GitHub and emerging AI-assisted development workflows,” Jamf said. “By leveraging trusted ecosystems and standard installation practices, attackers are able to introduce malicious code into environments with minimal friction.”
