Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials

2026-03-24

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Researchers uncovered a malicious npm campaign called Ghost/GhostClaw using 7 fake packages to steal cryptocurrency wallets and developer credentials.

•7 npm packages published by "mikilanjillo" impersonate legitimate React and AI tools, tricking developers into entering their sudo password under the guise of installation errors
•After capturing the password, malware fetches a next-stage downloader via a Telegram channel, decrypts and deploys a remote access trojan targeting crypto wallets, browser credentials, SSH keys, and cloud configs
•The GhostClaw variant uses GitHub repositories initially seeded with benign code to build trust before introducing malicious shell scripts
•A SKILL.md file in some repos targets AI-assisted workflows, disguising the attack as skill installation for AI agents like OpenClaw

Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux Servers

UNC1069 Social Engineering of Axios Maintainer Led to npm Supply Chain Attack

Why Third-Party Risk Is the Biggest Gap in Your Clients' Security Posture