Researchers at ReversingLabs have identified a new operation they call the "Ghost campaign": a wave of malicious npm packages that display fake installation alerts to trick developers into entering their sudo passwords. This article examines that campaign.
With the captured sudo credentials, the malware runs its final stage with elevated privileges: a Remote Access Trojan (RAT) capable of stealing cryptocurrency wallets and other sensitive data. The RAT maintains contact with a command-and-control (C2) server to receive further instructions. Organizations should monitor their development environments for anomalous behavior, in particular package install scripts that prompt for credentials.
In March, JFrog researchers found a similar malicious package, openclawai, which shares technical traits with the Ghost campaign.
The Ghost campaign was first observed in early February 2026 and began with seven malicious packages published by a single npm account, mikilanjillo. The packages disguise their true purpose and depend on tricking the user into granting them elevated system privileges. Some of the early packages still contained console debug messages, which supports the view that the threat actors were actively testing and refining their phishing lure before launching a larger wave.
The following Indicators of Compromise (IoCs) have been identified in connection with the Ghost campaign and can help security teams detect and block these packages. For most of the identified packages, the download URL of the final stage and its decryption key are hosted on a Telegram channel, from which the malware retrieves both at runtime.
Once the encrypted payload has been downloaded, the malware decrypts it using a hardcoded string combined with the key retrieved from the channel.