Cybersecurity researchers have uncovered a new set of malicious npm packages designed to steal cryptocurrency wallets and sensitive data.
Specifically, ReversingLabs tracks this activity as the Ghost campaign by GhostClaw. The list of identified packages, all published by a user named mikilanjillo, appears below –
- react-performance-suite
- react-state-optimizer-core
- react-fast-utilsa
- ai-fast-auto-trader
- pkgnewfefame1
- carbon-mac-copy-cloner
- coinbase-desktop-sdk
“The packages themselves are phishing for sudo password with which the last stage is executed, and are trying to hide their real functionality and avoid detection in a sophisticated way: displaying fake npm install logs,” Lucija Valentić, software threat researcher at ReversingLabs, said in a report.
How the Attack Chain Works
Notably, these Node.js libraries falsely claim to download additional packages and insert random delays to simulate a legitimate installation process.
During execution, the script alerts the user about an error caused by missing write permissions to “/usr/local/lib/node_modules,” the default location for globally installed Node.js packages on Linux and macOS systems.
Subsequently, it instructs the victim to enter their root or administrator password to proceed. If the victim complies, the malware silently retrieves a next-stage downloader, which then connects to a Telegram channel to fetch the URL for the final payload along with the decryption key.
Ultimately, the attack deploys a remote access trojan (RAT) capable of harvesting data, targeting cryptocurrency wallets, and receiving further instructions from an external server.
Links to GhostClaw and Expanding Threat Activity
Furthermore, ReversingLabs notes overlaps between this campaign and an activity cluster that JFrog documented earlier this month under the name GhostClaw. However, researchers have not yet confirmed whether the same threat actor operates both campaigns.
Meanwhile, Jamf Threat Labs reported that the GhostClaw campaign leverages GitHub repositories and AI-assisted development workflows to deliver credential-stealing payloads on macOS.
“These repositories impersonate legitimate tools, including trading bots, SDKs and developer utilities, and are designed to appear credible at a glance,” security researcher Thijs Xhaflaire said. “Several of the identified repositories have accumulated significant engagement, in some cases exceeding hundreds of stars, further reinforcing their perceived legitimacy.”
In particular, attackers initially populate repositories with benign or partially functional code and leave them unchanged for extended periods to build trust among developers. Later, they introduce malicious components.
Typically, these repositories include a README file that instructs developers to execute a shell script during installation.
Additionally, some variants include a SKILL.md file, targeting AI-oriented workflows under the pretense of installing external skills through AI agents like OpenClaw.
Regardless of delivery method, the shell script launches a multi-stage infection process that ultimately deploys a credential stealer.
Multi-Stage Infection Breakdown
The attack sequence unfolds as follows –
- First, the script identifies the host architecture and macOS version, checks for Node.js, and installs a compatible version if necessary. It performs installation in a user-controlled directory to avoid suspicion.
- Next, it invokes “node scripts/setup.js” and “node scripts/postinstall.js,” transitioning execution to JavaScript payloads that steal system credentials, deploy GhostLoader malware via a command-and-control (C2) server, and erase traces by clearing the Terminal.
- Moreover, the script includes an environment variable named “GHOST_PASSWORD_ONLY”. When set to 0, it presents a full interactive installation flow with progress indicators. When set to 1, it executes a simplified path focused solely on credential harvesting.
Interestingly, in some cases, the “postinstall.js” script displays a benign success message, claiming the installation succeeded and instructing users to run “npx react-state-optimizer” to configure the library.
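The two infection chains described above (the fake-install sudo prompt, the lifecycle hooks invoking scripts/postinstall.js, the GHOST_PASSWORD_ONLY switch and the Telegram/Teletype configuration fetch) can be checked for locally. The following audit script is an added example written for this page, not code from ReversingLabs, Jamf or Panther; the sample package.json and script source at the bottom are constructed to mirror the article's description, and the pattern list is an assumption derived from the behaviours reported here, not a published signature.

```python
import json
import re
from pathlib import Path
# Package names this article reports as malicious (all published by "mikilanjillo").
GHOST_PACKAGES = {
    "react-performance-suite", "react-state-optimizer-core", "react-fast-utilsa",
    "ai-fast-auto-trader", "pkgnewfefame1", "carbon-mac-copy-cloner", "coinbase-desktop-sdk",
    "react-query-core-utils", "react-state-optimizer", "react-fast-utils",
    "carbon-mac-copys-cloner", "pkgnewfefame", "darkslash",
}
# Traits the article describes: sudo prompting around the global node_modules path,
# the GHOST_PASSWORD_ONLY switch, and Telegram/Teletype used to fetch C2 configuration.
SUSPICIOUS = {
    "sudo": re.compile(r"\bsudo\b"),
    "global-node_modules-path": re.compile(r"/usr/local/lib/node_modules"),
    "GHOST_PASSWORD_ONLY": re.compile(r"GHOST_PASSWORD_ONLY"),
    "telegram/teletype": re.compile(r"api\.telegram\.org|\bt\.me/|teletype\.in", re.I),
}
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

def audit_package(pkg_json_text, script_sources=None):
    """Return findings for one package.json and the sources of any scripts it ships."""
    meta = json.loads(pkg_json_text)
    name = meta.get("name", "<unnamed>")
    scripts = meta.get("scripts", {})
    findings = []
    if name in GHOST_PACKAGES:
        findings.append(f"{name}: name matches a package reported in the Ghost campaign")
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:  # lifecycle hooks run automatically during npm install
            findings.append(f"{name}: lifecycle hook '{hook}' runs: {scripts[hook]}")
    corpus = {f"scripts.{k}": v for k, v in scripts.items()}  # hook command lines
    corpus.update(script_sources or {})  # plus the JS files those hooks execute
    for where, text in corpus.items():
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                findings.append(f"{name}: {label} referenced in {where}")
    return findings

def audit_node_modules(project_root):
    """Audit every package installed under <project_root>/node_modules, scoped ones included."""
    findings = []
    for pattern in ("*/package.json", "@*/*/package.json"):
        for pkg_json in Path(project_root, "node_modules").glob(pattern):
            sources = {p.name: p.read_text(errors="ignore") for p in pkg_json.parent.glob("scripts/*.js")}
            findings += audit_package(pkg_json.read_text(errors="ignore"), sources)
    return findings
# Constructed sample mirroring the article's description (not real package contents).
SAMPLE_PKG_JSON = '{"name": "react-state-optimizer", "version": "1.0.0", "scripts": {"postinstall": "node scripts/postinstall.js"}}'
SAMPLE_SCRIPTS = {"postinstall.js": 'const only = process.env.GHOST_PASSWORD_ONLY; /* ... */ prompt("sudo password")'}
```

Running `audit_node_modules(".")` in a project directory lists the hits; setting `npm config set ignore-scripts true` stops lifecycle hooks from executing during install in the first place.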
According to a report from cloud security company Panther, “react-state-optimizer” belongs to a broader set of npm packages published by “mikilanjillo,” suggesting that the two activity clusters are connected –
- react-query-core-utils
- react-state-optimizer
- react-fast-utils
- react-performance-suite
- ai-fast-auto-trader
- carbon-mac-copy-cloner
- carbon-mac-copys-cloner
- pkgnewfefame
- darkslash
“The packages contain a CLI ‘setup wizard’ that tricks developers into entering their sudo password to perform ‘system optimizations,’” security researcher Alessandra Rizzo said. “The captured password is then passed to a comprehensive credential stealer payload that harvests browser credentials, cryptocurrency wallets, SSH keys, cloud provider configurations, and developer tool tokens.”
“Stolen data is routed to partner-specific Telegram bots based on a campaign identifier embedded in each loader, with credentials stored in the BSC smart contract and updated without modifying the malware itself.”
Dual Monetization Strategy and Infrastructure
Notably, the initial npm package captures credentials and retrieves configuration data from either a Telegram channel or a Teletype.in page disguised as blockchain documentation.
From there, attackers deploy the stealer and implement a dual revenue model:
- Primarily, they profit from credential theft distributed through partner Telegram channels
- Secondarily, they generate income via affiliate URL redirects stored in a Binance Smart Chain (BSC) smart contract
Finally, Jamf emphasizes a broader shift in attacker strategies:
“This campaign highlights a continued shift in attacker tradecraft, where distribution methods extend beyond traditional package registries into platforms such as GitHub and emerging AI-assisted development workflows,” Jamf said. “By leveraging trusted ecosystems and standard installation practices, attackers are able to introduce malicious code into environments with minimal friction.”
Source: TheHackerNews