
Ghost campaign malicious npm supply-chain operation

Campaign
Happening score: 40
1 unique source, 1 article

Summary


A malicious npm supply-chain campaign dubbed "Ghost campaign" is using fake installation logs to conceal malware delivery, increasing the chance that package installers execute hidden payloads. The operation began in early February and relies on malicious packages with downloader functionality. Those packages prompt for a user's sudo password during installation and then use it to run a remote access trojan (RAT). The payload can steal crypto wallets and sensitive data while taking commands from a C2 server.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Shai-Hulud worm clone activity on NPM

Malware Activity
First: 18.05.2026 12:45 Last: 18.05.2026 12:45 Sources 1

About this happening: The **Shai-Hulud** malware activity has continued to evolve across the **npm supply chain** and related developer ecosystems. It first infected **npm packages** in **September 202...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Timeline

  1. 24.03.2026 16:30 2 articles · 2mo ago

    Ghost campaign identified in malicious npm packages

    Initial Disclosure

    ReversingLabs identified a malicious npm supply-chain campaign dubbed the Ghost campaign against npm users and package installers. The packages mimicked legitimate installation activity with fake npm install logs, downloader behavior, and prompts for a sudo password, then used the stolen password to execute a remote access trojan capable of stealing crypto wallets and sensitive data.
