A new software supply chain campaign is going after developers through the npm package registry. Security researchers have called the campaign the "Ghost campaign."
It uses a set of packages that trick developers into giving up their system credentials. The attack begins as soon as a developer installs one of the malicious packages: the installer claims to be downloading further packages, but none of them are real. The package names that appear on screen are picked at random from a hardcoded list.
This layer of deception means that even an experienced developer might not notice that something is wrong. The final stage of the attack drops a RAT (remote access trojan) that can steal cryptocurrency wallets, collect private information, and receive commands from an attacker-controlled server.
The campaign goes beyond the seven packages that were first identified. In March 2026, JFrog wrote about a related cluster called GhostClaw, which uses techniques and infrastructure similar to what ReversingLabs found.
Developers should never enter their sudo or root password when an npm package install asks for one. Before installing a package, check its authors and the history of its repository. Companies should have strict processes for reviewing dependencies, and any password prompt during a software installation should be treated as a major red flag.