Cybersecurity researchers have uncovered a new set of malicious npm packages that are designed to steal cryptocurrency wallets and sensitive data.
The activity is being tracked by ReversingLabs as the Ghost campaign.
The list of identified packages, all published by a user named mikilanjillo, is below -
- react-performance-suite
- react-state-optimizer-core
- react-fast-utilsa
- ai-fast-auto-trader
"The packages themselves are phishing for sudo password with which the last stage is executed, and are trying to hide their real functionality and avoid detection in a sophisticated way: displaying fake npm install logs," Lucija Valentić, software threat researcher at ReversingLabs, said in a report shared with The Hacker News.
The identified Node.js libraries, besides falsely claiming to download additional packages, insert random delays to give the impression that the installation process is underway.
At one point during this step, the user is alerted that the installation is running into an error due to missing write permissions to "/usr/local/lib/node_modules," which is the default location for globally installed Node.js packages on Linux and macOS systems.
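As an added illustration (not code from ReversingLabs or from the packages themselves), the following Node.js check flags package source that combines a password prompt with the install-lookalike behaviour described above: fake npm log lines, randomised delays and a message about "/usr/local/lib/node_modules". The indicator patterns, function names and sample files are assumptions constructed for this example.

```javascript
// Added example: heuristic indicators inferred from the behaviour described in
// the article. They are assumptions, not ReversingLabs signatures.
const INDICATORS = {
  // Package code printing text that imitates npm's own progress output.
  fakeNpmLog: /["'`][^"'`\n]*(npm (warn|notice|http|info)|added \d+ packages)/i,
  // Mention of the global install directory named in the article.
  globalDirMessage: /\/usr\/local\/lib\/node_modules/,
  // Wording that asks the user for a sudo/root password.
  passwordPrompt: /(sudo|root|administrator)[^\n]{0,60}password|password[^\n]{0,60}(sudo|root)/i,
  // Randomised waits used to make fake progress look real.
  randomDelay: /(setTimeout|sleep)[\s\S]{0,200}Math\.random|Math\.random[\s\S]{0,200}(setTimeout|sleep)/,
};

// Return the names of the indicators that match one source file.
function scanSource(text) {
  return Object.keys(INDICATORS).filter((name) => INDICATORS[name].test(text));
}

// files: { path: sourceText }. A package is flagged when any single file asks
// for a password AND shows at least one of the install-lookalike indicators.
function assessPackage(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const hits = scanSource(text);
    const lookalike = hits.some((h) => h !== "passwordPrompt");
    if (hits.includes("passwordPrompt") && lookalike) findings.push({ path, hits });
  }
  return { suspicious: findings.length > 0, findings };
}

// Constructed samples (not taken from the real packages).
const CONSTRUCTED_SUSPECT = {
  "lib/setup.js": [
    'const wait = (ms) => new Promise((r) => setTimeout(r, ms * Math.random()));',
    'console.log("npm http fetch GET 200 https://registry.example/pkg");',
    'console.log("Error: missing write access to /usr/local/lib/node_modules");',
    'console.log("Enter your sudo password to continue:");',
  ].join("\n"),
};
const CONSTRUCTED_BENIGN = {
  "index.js": 'module.exports = (ms) => new Promise((r) => setTimeout(r, ms));',
  "README.md": "If you get EACCES on /usr/local/lib/node_modules, fix your npm prefix.",
};

console.log(JSON.stringify(assessPackage(CONSTRUCTED_SUSPECT), null, 2));
console.log(assessPackage(CONSTRUCTED_BENIGN).suspicious);
```

The genuine npm CLI reports a missing write permission as an EACCES error and exits; it does not ask for a password, so a prompt for one during an install is itself a signal worth investigating.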