Malware | Mar 27, 2026

New Ghost Campaign Uses Fake npm Progress Bars to Phish Sudo Passwords

Ghost campaign uses fake npm install logs to phish sudo passwords and steal crypto wallets from developers.

Summary

ReversingLabs researchers discovered the Ghost campaign, a sophisticated supply-chain attack using seven malicious npm packages to compromise developers. The attack employs fake npm install progress bars and logs to trick users into revealing sudo passwords, with the ultimate goal of deploying a Remote Access Trojan (RAT) to steal cryptocurrency wallets and sensitive data. Similar attacks have already been observed, suggesting this may be part of a larger wave of npm-based threats.

Full text

ReversingLabs researchers identify a new Ghost campaign using fake npm install logs and progress bars to phish for sudo passwords and steal crypto wallets from developers.

By Deeba Ahmed, March 27, 2026

Cybersecurity researchers have spotted a sneaky new trick used by hackers to compromise developers’ computers. This latest threat, which first appeared at the beginning of February 2026, involves malicious code hidden inside npm packages, which programmers use to create apps.

According to researchers at ReversingLabs, this specific attack, dubbed the Ghost campaign, tricks users into thinking they are installing a helpful tool. In reality, the software is busy stealing private data in the background.

In total, researchers detected seven malicious packages, including react-state-optimizer-core, [email protected], and multiple versions of coinbase-desktop-sdk. All were published by a single user going by the handle mikilanjillo.

The art of the fake log

What makes this attack stand out is how it hides its tracks. Usually, when you install software, you see text scrolling by or a loading bar. The hackers created fake versions of these screens to make everything look legitimate. The research, which was shared with Hackread.com, pointed to a package called react-state-optimizer-core as a prime example of this tactic.

“The sophistication comes from its novel technique of using fake npm install logs to hide malicious activity,” researchers noted.

The software even mimics a lagging connection by adding random pauses and a fake progress bar. While this happens, the program asks the user for their sudo password, the master key to a computer’s system, claiming it is needed for optimization purposes or to fix errors.

[Image: Fake npm install logs and sudo password prompt. Image credit: ReversingLabs]

Hunting for crypto wallets

Once the user enters that password, the trap is set. The goal is to deploy a Remote Access Trojan (RAT), which is malware that lets a hacker control a computer from a remote location. This specific RAT is designed to hunt for cryptocurrency wallets and sensitive personal data.

Some versions, such as [email protected] and coinbase-desktop-sdk, even include a separate decryptor file to help the malware unlock stolen files. The hackers used clever hiding spots for their instructions; most packages pulled data from a Telegram channel, though version 1.5.19 of the Coinbase SDK used the site teletype.in to stay under the radar.

A sign of things to come?

This might just be the start of a larger wave of attacks. On March 8, 2026, a firm called JFrog found a similar malicious package named @openclaw-ai/openclawai, suggesting the Ghost campaign could have been a test run. Some versions, like [email protected], even contained debug messages (notes left by the hackers while they were still building the tool).

As we know, cybercriminals are always evolving, and these fake loading screens are a clever new way to keep users from spotting the danger.

Indicators of Compromise

  • malware — Ghost campaign
  • malware — Remote Access Trojan (RAT)
  • domain — teletype.in
  • malware — react-state-optimizer-core
  • malware — [email protected]
  • malware — coinbase-desktop-sdk
  • malware — @openclaw-ai/openclawai
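
To check a project against the package names listed above, a lockfile scan along these lines can be used. This is an added example, not code from ReversingLabs, JFrog or Hackread; the names `FLAGGED` and `findFlagged` and the sample lockfile (including its version numbers) are constructed for illustration, and matching is by package name only.

```javascript
// Package names taken from this page; any version of these names is flagged.
const FLAGGED = new Set([
  'react-state-optimizer-core',
  'coinbase-desktop-sdk',
  '@openclaw-ai/openclawai',
]);

// lockfileVersion 2/3: keys of "packages" are install paths such as
// "node_modules/a/node_modules/@scope/b"; the name follows the last marker.
function nameFromPath(path) {
  const marker = 'node_modules/';
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// lockfileVersion 1: nested "dependencies" objects keyed by package name.
function walkV1(deps, trail, hits) {
  for (const [name, info] of Object.entries(deps || {})) {
    const where = [...trail, name].join(' > ');
    if (FLAGGED.has(name)) hits.push({ name, version: info.version, where });
    walkV1(info.dependencies, [...trail, name], hits);
  }
}

// Accepts a parsed package-lock.json and returns every flagged entry,
// including transitive ones nested under other packages.
function findFlagged(lock) {
  const hits = [];
  if (!lock.packages) {
    walkV1(lock.dependencies, [], hits);
    return hits;
  }
  for (const [path, info] of Object.entries(lock.packages)) {
    // An aliased install keeps its real package name in "name".
    const name = info.name || nameFromPath(path);
    if (name && FLAGGED.has(name)) hits.push({ name, version: info.version, where: path });
  }
  return hits;
}

// Constructed sample lockfile (version numbers are placeholders).
const SAMPLE = { lockfileVersion: 3, packages: {
  '': { name: 'demo-app', version: '1.0.0' },
  'node_modules/react': { version: '18.2.0' },
  'node_modules/ui-kit/node_modules/react-state-optimizer-core': { version: '0.0.0' },
  'node_modules/cb': { name: 'coinbase-desktop-sdk', version: '0.0.0' },
} };
console.log(findFlagged(SAMPLE));
```

In a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findFlagged`; a hit on a machine where the package was installed warrants treating the sudo password and any wallet keys on that host as exposed.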