Cybersecurity researchers have identified a new set of malicious software packages within the widely used npm registry, designed to steal cryptocurrency wallets and sensitive user credentials. The activity, which security firm ReversingLabs is tracking as the “Ghost” campaign, involves at least seven packages published by a single user account.
Details of the Malicious Packages
The malicious packages were all published under the npm username “mikilanjillo.” According to the analysis by ReversingLabs, these packages masqueraded as legitimate tools for developers working with the React JavaScript library and artificial intelligence. The identified packages include react-performance-suite, react-state-optimizer-core, react-fast-utilsa, and ai-fast-auto-trader, among others.
These packages were crafted to appear useful, often with names suggesting performance optimization or automated trading functionality. This tactic, known as typosquatting (and closely related to dependency confusion), relies on developers accidentally installing a malicious package whose name resembles that of a legitimate one.
How the Attack Operates
When installed, the malicious packages execute a script that searches the victim’s system for cryptocurrency wallet data and sensitive information. The primary targets include browser extensions like MetaMask and other wallet applications that store private keys and seed phrases locally. The stolen data is then exfiltrated to a remote server controlled by the attackers.
The attack is particularly insidious because it exploits the trust inherent in open-source software ecosystems. Developers routinely integrate third-party packages from public repositories like npm to accelerate their work, making such supply-chain attacks a significant threat.
Industry Response and Mitigation
Following the discovery, the malicious packages have been reported and removed from the npm registry. The npm security team typically works to take down such packages promptly upon notification from researchers. However, any projects that already installed the packages may remain compromised until they are removed manually.
Security experts recommend that developers and organizations implement stricter controls over software dependencies. Best practices include verifying the reputation of package maintainers, using lockfiles to pin dependency versions, and employing software composition analysis tools to scan for known vulnerabilities and malicious code.
Broader Implications for Software Security
The “Ghost” campaign is the latest in a long series of software supply-chain attacks targeting open-source repositories. These incidents highlight a persistent vulnerability in modern software development, where a single malicious component can compromise countless downstream applications and end-users.
For the cryptocurrency community, such attacks represent a direct financial threat. The theft of wallet credentials can lead to irreversible loss of digital assets, as blockchain transactions are typically final and cannot be reversed.
Security analysts expect continued vigilance from both repository maintainers and the development community. Further investigation into the “Ghost” campaign may reveal additional related packages or identify the actors behind it. Developers are advised to audit their project dependencies immediately and remain cautious of packages from unknown or unvetted sources.
Source: ReversingLabs