
Ghost campaign remote access trojan payload

Malware Activity
H score 34
1 unique source, 1 article

Summary


A malicious npm payload tied to the Ghost campaign, which began in early February, used fake installation logs to hide a remote access trojan (RAT) that could steal crypto wallets and sensitive data. The malware matters because it also accepted commands from a command-and-control (C2) server, giving attackers ongoing control over infected systems. The delivery chain combined downloader functionality, sudo password capture, and local execution after decryption.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers

Malware Activity
First: 18.05.2026 11:57 Last: 18.05.2026 11:57 Sources 1

About this happening: Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...

Famous Chollima PromptMink supply-chain campaign targeting Web3 developers

Campaign
First: 29.04.2026 17:43 Last: 29.04.2026 17:43 Sources 1

About this happening: The **PromptMink** campaign is widening **Famous Chollima**'s supply-chain intrusion playbook by pushing **tainted npm packages** into developer environments and stealing secrets....

Timeline

  1. 24.03.2026 16:30 2 articles · 2mo ago

    ReversingLabs identifies Ghost campaign in npm

    Initial Disclosure

    ReversingLabs identified a malicious npm supply-chain campaign dubbed the Ghost campaign, which began in early February and used fake installation logs and downloader packages to hide malware activity while attempting to capture sudo passwords for later execution of a remote access trojan that could steal crypto wallets and sensitive data.
