Find notable cyber news and cases, enriched with sources, timelines, and signals.

GhostLoader staged npm install payload activity

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

GhostLoader is now being delivered through staged npm install scripts, turning routine package installation into a route for data theft and cryptocurrency wallet targeting. The chain uses fake install logs and a bogus permissions error to push developers into revealing a sudo/root password. After that step, the malware retrieves a downloader that connects to C2 infrastructure and fetches the final payload. The result is a remote access trojan that can harvest data, focus on wallets, and wait for further instructions.

Related Happenings

QuimaRAT cross-platform Java MaaS remote access trojan

Malware Activity
H score29 First: 06.07.2026 11:13 Last: 06.07.2026 11:13 Sources 1

About this happening: A new **QuimaRAT** **MaaS** offering expands cross-platform malware risk by packaging a modular **Java-based RAT** for **Windows, Linux, and macOS**. The activity matters because...

MacOS XPC cached signature trust privilege escalation privilege-escalation flaw

Vulnerability
H score23 First: 25.06.2026 14:00 Last: 25.06.2026 14:00 Sources 1

About this happening: **macOS XPC trusted software verification** lets a **non-root user** abuse cached signature trust to call privileged helper functions without authentication, opening a route to **...

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Easy-day-js malware delivery through poisoned Mastra packages

Malware Activity
H score29 First: 22.06.2026 14:30 Last: 22.06.2026 14:30 Sources 1

About this happening: A poisoned **Mastra** package chain delivered **malware** through **easy-day-js**, creating compromise risk across **Windows, MacOS and Linux** systems. The payload disabled **TLS...

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

Timeline

  1. 24.03.2026 14:00 2 articles · 3mo ago

    ReversingLabs identifies malicious npm packages published by mikilanjillo

    Initial Disclosure

    Security researchers identify seven malicious npm packages published by mikilanjillo, including react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, carbon-mac-copy-cloner, and coinbase-desktop-sdk, that disguise their behavior with fake npm install logs, trigger a bogus write-permissions error for "/usr/local/lib/node_modules," phish for sudo/root credentials, fetch a second-stage downloader from Telegram or Teletype.in, and deploy GhostLoader and a remote access trojan aimed at cryptocurrency wallets and sensitive data.

    Show sources