npm Ghost Campaign: 7 Malicious Packages Steal Crypto Wallets
- [01] Immediate impact: Developers risk losing cryptocurrency wallets and sensitive credentials if they install malicious npm packages from the Ghost campaign.
- [02] Affected systems: Seven npm packages published by the user mikilanjillo including react-performance-suite and ai-fast-auto-trader are confirmed malicious.
- [03] Remediation: Organizations must audit their dependency trees for these specific packages and rotate any credentials stored on developer workstations.
The Ghost campaign represents a focused Supply Chain Attack targeting the global JavaScript developer ecosystem. According to research by ReversingLabs, as reported by The Hacker News, security analysts have identified seven malicious packages published to the npm registry by a single user account named “mikilanjillo.” These packages are specifically designed to exfiltrate cryptocurrency wallet data and other sensitive credentials from developer workstations.
The TTPs used in this campaign involve the publication of packages that masquerade as legitimate utility or performance optimization libraries. By using names that sound technically credible, such as react-performance-suite and react-state-optimizer-core, the threat actor leverages the inherent trust developers place in the open-source ecosystem. This method of delivery ensures that the malware can bypass some traditional perimeter defenses by being “pulled” into the environment by a trusted user rather than being pushed through a Phishing attempt.
How to detect Ghost campaign npm malware and prevent data theft
The primary objective of these packages is the silent theft of digital assets. Once a developer executes an installation command for one of these libraries, a post-install script or an obfuscated logic gate within the library triggers. The malware then scans the local file system for directories and configuration files associated with popular cryptocurrency wallets and browser extensions.
The research attributes at least seven packages to the Ghost campaign, including:
- react-performance-suite
- react-state-optimizer-core
- react-fast-utils
- ai-fast-auto-trader
The inclusion of ai-fast-auto-trader suggests a targeted approach toward developers already interested in financial technology or automated trading platforms, who are more likely to have significant crypto assets on their local machines. The exfiltrated data is typically sent to an external C2 server controlled by the attacker. This specific campaign highlights a growing trend where attackers do not just seek RCE for Lateral Movement within a corporate network, but rather target the developer’s local environment for immediate financial gain through credential harvesting.
Effective npm package security auditing steps
Detecting these threats requires more than just standard IoC matching; it necessitates behavioral analysis of installation scripts and dependency telemetry. Since these packages are often new and have low download counts, they may not immediately trigger alerts in EDR solutions that rely heavily on reputation scores or known-bad signatures.
To defend against the Ghost campaign and similar threats, SOC teams should implement strict npm package security auditing steps. These should include:
- Dependency Manifest Review: Use automated tools to flag any new package that has a low download count or a publisher that does not have a verified history.
- Post-Install Script Disabling: In sensitive environments, consider running `npm install --ignore-scripts` to prevent the execution of potentially malicious code during the setup phase.
- Lockfile Integrity: Ensure that `package-lock.json` or `yarn.lock` files are checked into version control and audited to prevent silent dependency substitution.
- Network Egress Filtering: Block outbound connections to unknown or suspicious domains from developer machines to prevent data exfiltration to a C2 infrastructure.
The Ghost campaign is a stark reminder that the npm registry remains a high-value target for actors looking to compromise the software supply chain. While these seven packages have been identified, the “mikilanjillo” actor may attempt to reappear under different aliases. Organizations must adopt a Zero Trust approach to third-party code, treating every new dependency as a potential entry point for malicious activity.