Find notable cyber news and cases, enriched with sources, timelines, and signals.

Ghost campaign malicious npm supply-chain operation

Campaign
First reported
Last updated
Happening score
H score 38
1 unique sources, 1 articles

Summary

Hide ▲

A malicious npm supply-chain campaign dubbed "Ghost campaign" is using fake installation logs to conceal malware delivery, increasing the chance that package installers execute hidden payloads. The operation began in early February and relies on malicious packages with downloader functionality. Those packages prompt for a user's sudo password during installation and then use it to run a remote access trojan (RAT). The payload can steal crypto wallets and sensitive data while taking commands from a C2 server.

Related Happenings

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Deps credential stealer in hijacked Arch AUR builds

Malware Activity
H score3 First: 12.06.2026 22:24 Last: 12.06.2026 22:24 Sources 1

About this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Vpmdhaj npm preinstall credential-harvest campaign

Campaign
H score40 First: 29.05.2026 12:11 Last: 29.05.2026 12:11 Sources 1

About this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Timeline

  1. 24.03.2026 16:30 2 articles · 3mo ago

    Ghost campaign identified in malicious npm packages

    Initial Disclosure

    ReversingLabs identified a malicious npm supply-chain campaign dubbed the Ghost campaign against npm users and package installers. The packages mimicked legitimate installation activity with fake npm install logs, downloader behavior, and prompts for a sudo password, then used the stolen password to execute a remote access trojan capable of stealing crypto wallets and sensitive data.

    Show sources