Find notable cyber news and cases, enriched with sources, timelines, and signals.

Ghost campaign remote access trojan payload

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

A malicious npm payload tied to the Ghost campaign began in early February and used fake installation logs to hide a remote access trojan (RAT) that could steal crypto wallets and sensitive data. The malware matters because it also accepted commands from a command-and-control (C2) server, giving attackers ongoing control over infected systems. The delivery chain combined downloader functionality, sudo password capture, and local execution after decryption.

Related Happenings

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Deps credential stealer in hijacked Arch AUR builds

Malware Activity
H score3 First: 12.06.2026 22:24 Last: 12.06.2026 22:24 Sources 1

About this happening: **Atomic Arch** is a **malware activity** that hijacked **more than 400 Arch User Repository (AUR) packages** on or after **June 11** and rewrote their build scripts to run **npm...

Malware-Slop malicious npm file-theft campaign

Campaign
H score39 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: **Malware-Slop** is distributing **mouse5212-super-formatter**, a malicious **npm** package that steals local files from **Anthropic's Claude** workspace directory **/mnt/user-dat...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
H score22 First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

Latest development: 29.05.2026 11:10

mouse5212-super-formatter leaked a hardcoded GitHub token, exposing the operator's credential and allowing about seven theft sessions to be observed in the attacker's GitHub repository; the malicious npm package recursively copied files from a victim machine, uploaded them through the GitHub Contents API, and was later removed from npm.

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
H score34 First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Timeline

  1. 24.03.2026 16:30 2 articles · 3mo ago

    ReversingLabs identifies Ghost campaign in npm

    Initial Disclosure

    ReversingLabs identified a malicious npm supply-chain campaign dubbed the Ghost campaign, which began in early February and used fake installation logs and downloader packages to hide malware activity while attempting to capture sudo passwords for later execution of a remote access trojan that could steal crypto wallets and sensitive data.

    Show sources