Cybersecurity researchers have uncovered a new set of malicious npm packages that are designed to steal cryptocurrency wallets and sensitive data.

The activity is being tracked by ReversingLabs as the Ghost campaign. The list of identified packages, all published by a user named mikilanjillo, is below -

• react-performance-suite
• react-state-optimizer-core
• react-fast-utilsa
• ai-fast-auto-trader
• pkgnewfefame1
• carbon-mac-copy-cloner
• coinbase-desktop-sdk

"The packages themselves are phishing for sudo password with which the last stage is executed, and are trying to hide their real functionality and avoid detection in a sophisticated way: displaying fake npm install logs," Lucija Valentić, software threat researcher at ReversingLabs, said in a report shared with The Hacker News.

The identified Node.js libraries, besides falsely claiming to download additional packages, insert random delays to give the impression that the installation process is underway. At one point during this step, the user is alerted that the installation is running into an error due to missing write permissions to "/usr/local/lib/node_modules," which is the default location for globally installed Node.js packages on Linux and macOS systems.

It also instructs the victim to enter their root or administrator password to continue with the installation. Should they enter the password, the malware then silently retrieves the next-stage downloader, which then reaches out to a Telegram channel to fetch the URL for the final payload and the key required to decrypt it.

The attack culminates with the deployment of a remote access trojan that's capable of harvesting data, targeting cryptocurrency wallets, and awaiting further instructions from an external server.