Ghost campaign malicious npm supply-chain operation
Campaign
Summary
Hide ▲
Show ▼
A malicious npm supply-chain campaign dubbed "Ghost campaign" is using fake installation logs to conceal malware delivery, increasing the chance that package installers execute hidden payloads. The operation began in early February and relies on malicious packages with downloader functionality. Those packages prompt for a user's sudo password during installation and then use it to run a remote access trojan (RAT). The payload can steal crypto wallets and sensitive data while taking commands from a C2 server.
Related Happenings
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Deps credential stealer in hijacked Arch AUR builds
Malware Activity
H score3
First: 12.06.2026 22:24
Last: 12.06.2026 22:24
Sources 1
About this happening:
**Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
Deps credential stealer in hijacked Arch AUR builds
Malware ActivityAbout this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
AUR package-hijacking campaign delivering atomic-lockfile
CampaignAbout this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Vpmdhaj npm preinstall credential-harvest campaign
Campaign
H score40
First: 29.05.2026 12:11
Last: 29.05.2026 12:11
Sources 1
About this happening:
A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
Vpmdhaj npm preinstall credential-harvest campaign
CampaignAbout this happening: A new **vpmdhaj** supply-chain campaign has surfaced in **14 malicious npm packages** that use a **preinstall credential harvester** to steal **AWS credentials**, **HashiCorp Vaul...
Malware-Slop malicious npm file-theft campaign
Campaign
H score39
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
**Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Malware-Slop malicious npm file-theft campaign
CampaignAbout this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...
Timeline
-
24.03.2026 16:30 2 articles · 3mo ago
Ghost campaign identified in malicious npm packages
Initial DisclosureReversingLabs identified a malicious npm supply-chain campaign dubbed the Ghost campaign against npm users and package installers. The packages mimicked legitimate installation activity with fake npm install logs, downloader behavior, and prompts for a sudo password, then used the stolen password to execute a remote access trojan capable of stealing crypto wallets and sensitive data.
Show sources
- New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware — www.infosecurity-magazine.com — 24.03.2026 16:30
- New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware — www.infosecurity-magazine.com — 24.03.2026 16:30