Ghost Campaign Deploys Malicious npm Packages to Harvest Crypto Wallets and Credentials
What Happened – Researchers at ReversingLabs uncovered a supply‑chain attack dubbed the Ghost campaign. Seven npm packages published under the user mikilanjillo (e.g., react-performance-suite, react-state-optimizer-core) contain hidden code that silently steals cryptocurrency wallet files and credential data from any project that installs them.
Why It Matters for TPRM –
- Third‑party code libraries can become a covert data‑exfiltration vector, bypassing traditional perimeter defenses.
- Compromise of developer environments can cascade into downstream customers, amplifying risk across the software supply chain.
Who Is Affected – SaaS and technology firms that rely on open‑source JavaScript components, crypto‑related services, and any organization whose development pipelines ingest npm packages.
Recommended Actions –
- Audit all npm dependencies for the seven identified package names and any similarly named variants.
- Enforce strict provenance and vulnerability checks (e.g., npm audit, signed packages, SBOM validation) before allowing new libraries into production.
- Rotate any exposed API keys, wallet credentials, and secrets that may have been harvested.
Technical Notes – The malicious code is injected via post‑install scripts that read local wallet files (.json keystores) and send them to a remote C2 server; because npm runs such lifecycle scripts automatically during installation, the theft happens at install time, before the package is ever imported. No public CVE exists; the attack leverages legitimate npm publishing mechanisms. Source: The Hacker News
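As an added defensive check (not code from the brief, ReversingLabs or npm): a Node.js script that audits a parsed package-lock.json for the two package names quoted above and for any dependency that declares install-time scripts. It assumes npm's lockfileVersion 2/3 layout, including its hasInstallScript flag; the sample lockfile is constructed.

```javascript
// Added example, not code from the advisory, ReversingLabs or npm: audit a parsed
// package-lock.json (v2/v3) for the named Ghost packages and install-time scripts.

// Only the two names quoted in the advisory; add the remaining five from the
// ReversingLabs report before relying on this list.
const KNOWN_BAD = new Set(["react-performance-suite", "react-state-optimizer-core"]);
const LIFECYCLE = ["preinstall", "install", "postinstall"];

// Package name from a lockfile "packages" key, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromKey(key) {
  const marker = "node_modules/";
  return key.slice(key.lastIndexOf(marker) + marker.length);
}

// Lifecycle hooks an installed package.json would execute during npm install.
function installHooks(manifest) {
  const scripts = manifest.scripts || {};
  return LIFECYCLE.filter((hook) => typeof scripts[hook] === "string");
}

// Findings for a parsed lockfile: package, locked version and the reason flagged.
function auditLock(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (key === "") continue; // the root project itself
    const name = meta.name || nameFromKey(key);
    if (KNOWN_BAD.has(name)) {
      findings.push({ name, version: meta.version, reason: "named in Ghost campaign" });
    }
    // npm sets hasInstallScript on entries declaring pre/post/install hooks;
    // every such package deserves review, since that is where stealers run.
    if (meta.hasInstallScript) {
      findings.push({ name, version: meta.version, reason: "runs install-time script" });
    }
  }
  return findings;
}

// Constructed sample lockfile; in practice pass JSON.parse of the real file.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/react-performance-suite": { version: "1.0.3" },
    "node_modules/some-native-lib": { version: "2.1.0", hasInstallScript: true },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) console.log(`${f.reason}: ${f.name}@${f.version}`);
```

Running the audit in CI with `npm install --ignore-scripts` for the initial fetch lets the hasInstallScript findings be reviewed before any lifecycle hook executes.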