
Ghost campaign malicious npm package operation

Campaign
H score 40
1 unique source, 1 article

Summary

The Ghost campaign is pushing malicious npm packages that steal sudo/root credentials and enable wallet-targeting payloads, raising risk for developers using the Node.js ecosystem. The packages published by mikilanjillo use fake install logs and bogus permission errors to trick users into entering privileged passwords. Those credentials are then used to fetch staged payloads through Telegram, ending in a remote access trojan that can harvest data. The operation matters because it turns a trusted package-install workflow into a credential-theft and malware-delivery channel.

Related Happenings

TrapDoor cross-ecosystem supply-chain campaign

Campaign
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** supply-chain campaign has expanded across **npm, PyPI, and Crates.io**, using **34+ malicious packages** to steal developer secrets and credentials. The operation...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Laravel-Lang PHP package supply-chain credential-stealing campaign

Campaign
First: 23.05.2026 12:51 Last: 23.05.2026 12:51 Sources 1

About this happening: A **software supply-chain campaign** hit **multiple Laravel-Lang PHP packages**, putting consumers at risk of **credential theft** through tampered release tags. Malicious version...

Actions-cool/issues-helper hit by network compromise

Incident
First: 19.05.2026 08:28 Last: 19.05.2026 08:28 Sources 1

About this happening: The **actions-cool/issues-helper** GitHub Actions supply-chain compromise let malicious tags run in **CI/CD pipelines**, causing **credential theft** and downstream account risk....

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Timeline

  1. 24.03.2026 14:00 2 articles · 2mo ago

    Ghost campaign malicious npm packages disclosed

    Initial Disclosure

    ReversingLabs tracks Ghost as a campaign in which 7 malicious npm packages published by mikilanjillo use fake install logs and a bogus write-permissions error to phish for sudo/root credentials, then retrieve a second-stage downloader through Telegram and deploy a remote access trojan that targets cryptocurrency wallets and other sensitive data.
