Ghost Campaign Phishes Sudo Passwords via Fake npm Install Progress Bars
What Happened — ReversingLabs uncovered a new “Ghost” phishing campaign that publishes malicious npm packages. When a developer runs npm install, the package draws a fabricated progress bar and prompts for the user’s sudo password, something a genuine package install never does. npm runs a package’s install-time lifecycle scripts automatically, which is what lets a package print anything at all during npm install, so the prompt appears before any of the package’s code is ever imported. The captured password is then used to steal cryptocurrency wallets from the developer’s machine.
Why It Matters for TPRM —
- A developer’s sudo password gives the attacker root on that workstation, and with it the SSH keys, cloud tokens, and CI credentials stored there, extending the compromise to build, test, and production environments and to any software the vendor ships to downstream customers.
- Compromised developer workstations become a supply‑chain foothold, enabling further malicious code injection into software delivered by the vendor.
- Crypto‑wallet theft adds a direct financial loss vector that is difficult to remediate and can damage the vendor’s reputation.
Who Is Affected — Technology and SaaS firms, cloud‑native development teams, CI/CD service providers, and any organization that relies on npm for software delivery.
Recommended Actions —
- Enforce least privilege: never run npm install with sudo, install global packages into a user-owned prefix, and treat any password prompt during a package install as a red flag. Set ignore-scripts to true in the npm configuration so lifecycle scripts do not run unless explicitly enabled, and gate access to shared registries and CI secrets with role-based access controls.
- Implement package allow-list controls (a private registry or proxy that serves only vetted packages) and verify package integrity: commit the lockfile, install with npm ci so the recorded integrity hashes are enforced, and check registry signatures and provenance attestations where available (e.g., npm audit signatures).
- Deploy endpoint detection for unexpected credential prompts and monitor sudo usage on developer endpoints: sudo logs to the system auth facility by default, and an alert on sudo invoked from a package manager’s process tree (npm or node as the parent) catches exactly the pattern this campaign relies on.
- Conduct security awareness training focused on social-engineering tactics that target command-line tools and package managers, using a password prompt during npm install as the worked example.
Technical Notes — Attack vector: social engineering through malicious npm package install scripts that imitate a progress bar and prompt for the sudo password; no CVE, since no software flaw is exploited. Data exfiltrated: sudo passwords and cryptocurrency wallet private keys. Source: HackRead