Software security is once again colliding with social engineering and an organized criminal economy: researchers have uncovered a wave of malicious packages published to the npm registry that, disguised as legitimate utilities and libraries, go on to steal credentials and cryptocurrency wallets from unsuspecting developers and administrators.
The detection stems from a detailed analysis describing a multi-stage campaign: during installation, the libraries under study print what look like authentic npm logs and add random delays to simulate real downloads, until a message appears claiming a lack of write permission on /usr/local/lib/node_modules. That notice is the pretext for asking for the administrator or root password. The lure is credible precisely because a genuine EACCES error on that directory is what developers who install global packages with sudo have learned to expect. If the user types the password in, the next step is silent: a downloader contacts Telegram channels to obtain the URL of the final payload and the key to decrypt it. The result is the delivery of a remote access Trojan (RAT) or a stealer capable of exfiltrating sensitive data, including browser credentials, SSH keys, cloud provider configurations and cryptocurrency wallets.

ReversingLabs was one of the firms that documented this methodology and named it in its report as part of the campaign it is tracking. Its technical analysis can be read in detail on its blog: ReversingLabs - npm fake install log RAT. In parallel, other public investigations have found very similar patterns in GitHub repositories that first pose as harmless projects and, after gaining a certain reputation, introduce malicious installation scripts that trigger the infection chain. Jamf Threat Labs has published a breakdown showing how these repositories even build on AI-oriented workflows to appear legitimate: Jamf - GhostClaw & GhostLoader analysis.
A particularly worrying aspect is the attackers' patience: publish seemingly benign code, accumulate "stars" and activity to build trust, and then push an update or add a README that leads to the execution of a script on the developer's machine. In some cases the installer includes an environment variable that switches between a full installation interface, with progress bars and prompts to the user, and a minimal mode that only collects credentials. This degree of sophistication shows that these are not improvised scripts but a planned operation designed to maximize the probability of deception.
The malicious pieces seen in the reports posed as common tools and SDKs: from React optimization utilities to supposed trading bots and macOS utilities, with names chosen to exploit trust or thematic relevance among developers. Potential victims are instructed to run commands that require elevated privileges; that moment is critical because it lets the attack chain plant components with enough permissions to access protected data and persist on the machine.
The exfiltration of information also reveals operational ingenuity: in some cases the stolen data is sent to Telegram bots tied to different "partners" according to a campaign identifier, and monetization is completed through affiliate addresses stored in smart contracts on Binance Smart Chain, so the malicious actor can update routes and monetize without touching the distributed malware code. An analysis that digs into this criminal economy appeared on Panther's blog: Panther - Phantom Menace: Ghost Loader infostealer campaign.
What lesson does this leave for those who work with Node.js, code repositories and modern workflows? The first is that default trust in the supply chain is no longer safe. Running scripts suggested in a README, or typing a sudo password to "optimize the system", should immediately set off alarms. Instead, check exactly what the installation scripts (the preinstall, install and postinstall scripts in package.json) run, review the maintainer's activity and history, and prefer tools that do not need elevated system privileges for global installs. npm can also be told not to run lifecycle scripts at all (npm install --ignore-scripts, or ignore-scripts=true in .npmrc), which leaves a malicious postinstall as inert code until someone reviews it; note that this only stops install-time hooks, not code the package executes once it is required at runtime. Node's official documentation on package managers and the recommendation to use a version manager such as nvm to avoid sudo-based global installs are useful resources for reducing the attack surface: nvm (Node Version Manager) and Node.js' guides on safe installation are good starting points.
In addition, teams should strengthen the dependency onboarding process with automated reviews and controls: flag packages that run install scripts, audit changes in repositories used as dependency sources, and put in place supply chain security tooling such as that proposed by community initiatives and code platforms. GitHub Security Lab and OpenSSF offer guides and risk mitigation resources for software supply chain security: GitHub Security Lab and OpenSSF.

If you think you have been affected, act carefully: because the password was handed to an installer running with root privileges, treat the whole machine as compromised rather than just the project. Change compromised passwords and keys, including the SSH keys, cloud provider credentials and browser-saved logins these stealers target; check running processes and outgoing connections from the affected machine; and, if it was an account with access to repositories or infrastructure, revoke the credentials and tokens. Reporting malicious packages to the npm security team and to the platforms hosting the repositories helps cut the spread; npm has channels for reporting abuse and vulnerabilities in published packages.
Ultimately, the campaign shows that attackers are adapting their tactics to the development ecosystem: they combine social engineering, abuse of legitimate platforms such as npm and GitHub, and modern control channels such as Telegram to build a complete attack chain. Defending against it requires not only automated tooling but also clear prudence and clear processes when installing software and granting privileges. Staying informed and applying simple habits, such as not running scripts from unverified sources, avoiding unnecessary sudo, and auditing dependencies, greatly reduces the risk of becoming the next victim.
For further technical detail and the complete findings, see the above-mentioned reports from ReversingLabs, Jamf and Panther, which detail the installation, persistence and exfiltration phases of these campaigns: ReversingLabs, Jamf and Panther.