Fake install logs in npm packages load RAT

When it comes to supply chain attacks, last year was a lot for software security teams to get their heads around. There were several large scale attacks that struck npm repositories, the most impactful being Shai-hulud — the first open source package repository worm. Then there were several smaller campaigns that didn’t have as big of an impact, but were very important nonetheless. 
In February 2026, for example, the ReversingLabs research team documented a North Korea connected campaign we dubbed “Graphalgo.” That campaign started in May 2025, and is part of a larger fake job recruiter scheme conducted by North Korea-backed hackers and targeting crypto developers. It is ongoing, phishing developers with fake job interviews and using “coding tests” as a pretext for pushing downloaders to developers’ systems that retrieve a custom remote access trojan (RAT) as the final stage. 

Then there’s the latest campaign we found. It started in the beginning of February, and we’re calling it the “Ghost campaign.” It includes several packages exhibiting downloader functionality. The packages themselves are phishing for sudo password with which the last stage is executed, and are trying to hide their real functionality and avoid detection in a sophisticated way: displaying fake npm install logs.

A ghost we’ve never seen

The campaign first consisted of seven packages with multiple versions, all of them published by the same npm user with the handle mikilanjillo. In building the packages, the malicious actor reused code, while adding some functions meant to sow confusion and add phishing abilities to each new package.

The package react-state-optimizer-core is typical of the malicious packages associated with the campaign. It is a simple package, branding itself as a “lightweight utility layer for asynchronous state management in React application.” The sophisticated part isn’t the malicious payload - a simple instance of download-and-execute malware. The sophistication comes from its novel technique of using fake npm install logs to hide malicious activity and phish for a sudo password that is needed for later final stage execution. That technique, when paired with a malicious payload, makes it very hard for victims to detect the suspicious activities driving this attack.

RL researchers discovered the suspicious activities in the react-state-optimizer-core package using the Spectra Assure automated detection system. We then confirmed they were indeed malicious. 

Installation is not always what it seems

The react-state-optimizer-core package consists of just a few files, with the malicious payload executed after the package is installed. Examining the malicious payload, RL researchers found lots of code, but most of it is simply writing various information to the console to mimic the installation process of a package. But all the information and strings output to the console is fake and inaccurate. For example, the package posts messages claiming that it is downloading some packages. It is not, and the  names of the “downloaded” packages are randomly chosen from a predefined list.

In addition, random delays inserted between each line mimic the situation when the installation process is lagging. Some versions of packages also introduce a progress bar that appears to fill up as the “package” is installed. In reality, the progress bar is driven based on random values.

Figure 1: Fake npm install logs

This is very cleverly implemented. Since it is run after the package is installed, the victim would think every output is part of a proper installation process and nothing malicious is included. 

Phishing for sudo

At one point in this fake installation-process, messages are output that inform the user that some issue has arisen. The user installing the package is prompted to enter their sudo password for “optimization” purposes or to solve issues related to some packages not being installed properly. Of course, there is no optimization process nor any of the packages needed. It is to ensure the sudo password gets entered so it can later be used to execute the final stage.

Figure 2: sudo password prompt

Once the password is entered and tested, the downloader is executed without alerting the victim, while fake output logs continue to pop up.

The URL for the final payload and part of the key needed for the final payload’s decryption is downloaded from a Telegram channel. This was observed in every malicious package RL discovered, except for one: coinbase-desktop-sdk@1.5.19, which uses a web3 related post on the site teletype.in to hide URL and key. 

Figure 3: Telegram channel from which key and final stage URL are downloaded

Figure 4: Web3 contract containing final stage URL and a key

Once the final stage is downloaded, it is decrypted using a password constructed from a hardcoded string inside the payload and the obtained key. It is then saved locally and executed using the sudo password phished from the user.

Some versions of the malicious packages we detected, like carbon-mac-copy-cloner@1.1.0 or coinbase-desktop-sdk@1.5.17, have an additional file called decryptor that would be an additional argument with which the final stage is run. This file would help final stage RAT with stealing functionality.

As the RL research team noted above, the final-stage malware is a RAT designed for stealing crypto wallets and sensitive data, along with capabilities for listening to commands coming from the C2 server and executing them.

Test run or new wave?

The question is whether our discovery is a new campaign, or a continuation of an existing malicious npm campaign. There is evidence to support both conclusions. 

On March 8, for example, JFrog published a blog about a new malicious npm package @openclaw-ai/openclawai that shares some similarities with the packages discussed in this blog. The infrastructure used to deliver the second stage is different, but the techniques employed are similar. This means the malicious packages we detected in early February could be the first wave of that campaign. 
An alternative explanation is that the phishing and fake console output is a new technique that is being developed by malicious actors. That would explain why the second stage delivered appears to be the same malware which is explained more in detail in JFrog’s blog.

There is evidence that supports the idea that we discovered an early “test run” of the campaign documented by JFrog. For example, some packages, like coinbase-desktop-sdk@1.5.14, have debug messages that are outputted to the console. These messages would alert the victim, making any attack more likely to be detected. But they are very helpful to the people that are in the process of developing the malware. 

Whether these packages are test packages or not, the RL research team will continue to monitor npm repository in a quest to find more of these kinds of packages — and mark them as malicious. 

Indicators of Compromise (IOCs)

Indicators of Compromise (IoCs) refer to forensic artifacts or evidence related to a security breach or unauthorized activity on a computer network or system. IOCs play a crucial role in cybersecurity investigations and cyber incident response efforts, helping analysts and cybersecurity professionals identify and detect potential security incidents.

The following IOCs were collected as part of ReversingLabs investigation of this malicious software supply chain campaign. IOCa can be downloaded from secure.software after an account is made.

Secure your applications with Spectra Assure Community

At RL, the goal is to ensure the community can use public libraries from npm or other public repositories without fearing they contain malware. The RL research team uses RL Spectra Assure to vet packages and find suspicious and malicious software. The team frequently finds new and interesting (and not-so-interesting) malware. Development teams and application security practitioners can sign up for a free account with Spectra Assure Community. The platform is updated with the newest open-sourcethreats the team has found during our daily threat hunting. Every malicious package, just like the ones from this campaign, are marked as malicious and IOCs for each package can be downloaded.