Malicious npm Packages theGhost: New Node.js Supply Chain Attacks Target Crypto Wallets and Developer Credentials

A new wave of malicious npm packages is targeting the Node.js ecosystem, focusing on the theft of cryptocurrency wallets and sensitive developer data. Security company ReversingLabs is tracking the activity under the name theGhost, linking it to the broader GhostClaw campaign previously documented by JFrog and Jamf Threat Labs. The attacks highlight once again how software registries and developer platforms are being weaponized for supply chain attacks.

Malicious npm Packages Masquerading as Developer Tools

All identified malicious Node.js libraries were published to the official npm registry by a user operating under the handle “mikilanjillo”. These packages posed as legitimate utilities for optimization or project integration, but their real objective was to phish sudo passwords and silently deploy malware on developer machines.

According to ReversingLabs, the infection flow is carefully crafted to imitate a normal npm installation:

• the package prints fake npm installation logs, simulating the download of additional dependencies;
• random time delays are introduced to mimic genuine installation progress;
• at a controlled point, the script reports a write error to /usr/local/lib/node_modules (a typical location for global packages on Linux and macOS) and prompts the user to input their root or administrator password to continue.

Once the password is entered, the script quietly retrieves a downloader component, which connects to a Telegram channel to obtain the final payload URL and a decryption key. The ultimate stage installs a Remote Access Trojan (RAT) capable of:

• harvesting files and detailed system information;
• stealing cryptocurrency wallets and browser data (cookies, stored passwords, autofill data);
• receiving additional commands from a remote command-and-control (C2) server.

This pattern closely mirrors previous npm incidents, such as malicious versions of popular packages used to inject credential stealers, underscoring that trust in public registries cannot substitute for security review.

GhostClaw Links: Weaponized GitHub Repositories and AI-Assisted Workflows

ReversingLabs notes strong overlaps between theGhost and the GhostClaw campaign analyzed by JFrog and Jamf. In GhostClaw, attackers abuse GitHub repositories and AI-assisted development workflows to deliver malware, including to macOS systems.

The adversaries maintain repositories that convincingly mimic legitimate projects such as trading bots, SDKs and developer utilities. Many repositories accumulate dozens or hundreds of stars, increasing their credibility. Initially, they host benign or partially functional code that remains stable for long periods. Only later are malicious components subtly inserted into the installation chain.

A critical element is the README file (or SKILL.md in AI tooling contexts), which instructs developers to execute a shell script to install “extra skills” or configuration. This script launches a multi‑stage infection chain that ends with the deployment of a stealer module for credential theft.

Researchers also highlight an environment variable, GHOST_PASSWORD_ONLY. With a value of 0, victims see a “full” installation wizard complete with progress bars and prompts. When set to 1, the script runs in a minimal, stealthy mode that focuses almost exclusively on capturing passwords and other secrets, reducing visible artifacts and user interaction.

Infection Chain, Telegram C2 and BSC Smart Contracts for Monetization

Cloud security analysts at Panther observed that one key npm package, react-state-optimizer, also published by “mikilanjillo”, presents itself as a CLI “setup wizard.” This wizard persuades developers to provide their sudo password for supposed “system optimizations”. The captured password is passed to a comprehensive credential stealer that exfiltrates:

• browser credentials and cookies;
• cryptocurrency wallets and seed phrases;
• SSH keys and cloud provider configuration files;
• DevOps tokens and API keys for development services.

The initial npm package downloads configuration data either from a Telegram channel or from a Teletype.in page disguised as blockchain documentation. It then deploys the main stealer module, with stolen data routed to attacker-controlled Telegram bots. This Telegram-based C2 pattern has been used in multiple commodity stealer families due to its ease of use and resilience.

The monetization model is multi-layered. Panther’s analysis indicates that:

• primary revenue comes from selling harvested credentials, funneled through Telegram channels operated by partners or resellers;
• additional income is generated via affiliate URL redirects, whose parameters are stored in a dedicated smart contract on Binance Smart Chain (BSC). This allows the operators to rotate affiliate programs and traffic destinations without touching the malware code itself, complicating detection and takedown.

Supply Chain Risks for Development Teams and Organizations

This campaign illustrates how attackers are increasingly shifting towards development ecosystems as high-leverage targets. npm, GitHub and AI coding assistants serve as efficient delivery channels for software supply chain attacks, where malicious code enters corporate environments through tools that teams habitually trust and use.

Organizations are particularly exposed when:

• developers routinely run npm install with sudo or perform global installations on shared machines;
• libraries are selected primarily by star ratings, download counts or AI recommendations, with little verification of publisher identity or package contents;
• there is no systematic integrity checking of dependencies or monitoring of package behavior after installation.

Real-world breaches such as the SolarWinds incident or compromised open-source packages in ecosystems like npm and PyPI have demonstrated that a single poisoned dependency can provide attackers with a path deep into build systems, CI/CD pipelines and production environments.

Defensive Measures Against Malicious npm Packages and GitHub Repositories

To reduce the risk of similar threats infiltrating development workflows, organizations and individual developers should:

• Minimize sudo usage when installing npm packages, especially those from unfamiliar publishers or recently created projects.
• Verify package maintainers and history, including account age, release cadence, linked repositories and any prior security reports.
• Inspect postinstall scripts and shell installers referenced in README or SKILL.md files, watching for password prompts, network calls and obfuscated code.
• Adopt internal registries or mirrors with pre-approval and security scanning of dependencies before they reach production build systems.
• Implement network monitoring to detect anomalous connections from build and CI/CD environments to Telegram, Pastebin, Teletype.in and similar services.
• Provide secure development training so engineers recognize supply chain attack patterns and treat installation scripts with the same suspicion as unsolicited email attachments.

The theGhost and GhostClaw campaigns underline a broader trend: attacks on developers and build pipelines are becoming systematic rather than exceptional. By hardening dependency management, tightening privilege usage and routinely auditing third-party packages and installation scripts, organizations can significantly reduce their exposure. Every new npm package or GitHub installer should be approached with the assumption that it might be hostile until proven otherwise—no password, especially a sudo credential or wallet seed phrase, should ever be handed to a script that has not first earned that level of trust.