Fake install logs in npm packages load RAT

The Ghost campaign abused malicious npm packages that display realistic fake npm install logs to phish for sudo passwords and then download and execute a final-stage RAT that steals crypto wallets and sensitive data. ReversingLabs discovered multiple malicious packages (published by user “mikilanjillo”) that retrieve decryption keys and payload URLs from a Telegram channel or a teletype.in web3 post and execute the RAT using the phished sudo credentials. #GhostCampaign #ReversingLabs

Keypoints

  • ReversingLabs identified a supply-chain campaign called the “Ghost campaign” that used malicious npm packages to deploy a final-stage remote access trojan (RAT).
  • Malicious packages (seven packages with multiple versions) were published by the npm user “mikilanjillo” and reused code across versions while adding phishing features.
  • Packages display fabricated npm install output (fake logs, progress bars, random delays) to hide malicious activity and lull victims into trusting the installation process.
  • The packages phish for the victim’s sudo password by prompting for it during the fake installation output; that password is later used to run the final-stage payload with elevated privileges.
  • Final-stage payload URLs and part of decryption keys are retrieved from a Telegram channel (and in one case from a teletype.in web3 contract); the payload is decrypted with a hardcoded string plus the retrieved key.
  • The final-stage RAT is designed to steal crypto wallets and sensitive data and to accept commands from a C2 server; some package versions include an additional “decryptor” file to assist theft functionality.
  • Evidence suggests this could be an early test run or a first wave of a wider campaign using similar techniques, with similarities noted to a JFrog-documented package (@openclaw-ai/openclawai).
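The traits listed above (an install-time lifecycle script, output that imitates real npm logs, a sudo password prompt, and a lookup of a Telegram or teletype.in resource before execution) can be turned into a static triage check that runs over an unpacked package before it is ever installed. The script below is an added example written for this summary; it is not ReversingLabs tooling and not code from the campaign. The regexes, labels and verdict thresholds are this example's own assumptions, and the sample package contents are constructed stand-ins that only contain the suspicious string fragments, not a working payload.

```python
"""Static triage of an unpacked npm package for the Ghost-campaign traits
described in the summary (install hook, fake npm output, sudo password prompt,
Telegram/teletype.in lookup, privileged execution). Added example; heuristics
are assumptions, tune before relying on them."""
import json
import re
from dataclasses import dataclass

# npm runs these scripts automatically during install; the page notes the
# payload executes "after the package is installed".
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# (label, regex) pairs applied to JavaScript/TypeScript sources. Chosen for
# this example from the behaviours the summary describes.
SOURCE_INDICATORS = [
    ("fake-npm-output",
     re.compile(r"added \d+ packages|audited \d+ packages|npm (?:WARN|ERR!)")),
    ("sudo-password-prompt",
     re.compile(r"sudo\b.{0,80}\bpassword|password.{0,80}\bsudo", re.I | re.S)),
    ("telegram-lookup", re.compile(r"api\.telegram\.org|(?<![\w.])t\.me/", re.I)),
    ("teletype-lookup", re.compile(r"teletype\.in", re.I)),
    ("sudo-exec",
     re.compile(r"(?:exec|execSync|spawn|spawnSync)\s*\([^)]*\bsudo\b", re.I)),
]


@dataclass
class Finding:
    file: str
    label: str
    excerpt: str


def triage_package(files: dict[str, str]) -> list[Finding]:
    """files maps a relative path inside the package to its text content."""
    findings: list[Finding] = []
    pkg = json.loads(files.get("package.json", "{}"))
    scripts = pkg.get("scripts", {}) or {}
    for hook in LIFECYCLE_HOOKS:
        if hook in scripts:
            findings.append(Finding("package.json", f"lifecycle:{hook}", scripts[hook]))
    for path, text in files.items():
        if not path.endswith((".js", ".mjs", ".cjs", ".ts")):
            continue
        for label, rx in SOURCE_INDICATORS:
            m = rx.search(text)
            if m:
                findings.append(Finding(path, label, m.group(0)[:60]))
    return findings


def verdict(findings: list[Finding]) -> str:
    """Combine indicators: an install hook alone is common (native builds), so it
    only counts when paired with credential harvesting or a remote key lookup."""
    labels = {f.label for f in findings}
    has_hook = any(l.startswith("lifecycle:") for l in labels)
    has_cred = bool(labels & {"sudo-password-prompt", "sudo-exec"})
    has_remote = bool(labels & {"telegram-lookup", "teletype-lookup"})
    if has_hook and has_cred and has_remote:
        return "high"
    if has_hook and (has_cred or has_remote or "fake-npm-output" in labels):
        return "medium"
    if labels:
        return "low"
    return "clean"


# Constructed sample resembling the described traits (not the real packages).
SAMPLE_FILES = {
    "package.json": '{"name":"example-pkg","version":"1.0.0",'
                    '"scripts":{"postinstall":"node setup.js"}}',
    "setup.js": """
// constructed stand-in for an install script; contains only string fragments
console.log('added 142 packages, and audited 143 packages in 4s');
const pw = await ask('[sudo] password for ' + os.userInfo().username + ': ');
const note = await fetch('https://api.telegram.org/bot<TOKEN>/getUpdates');
execSync('sudo ' + payloadPath);
""",
}

# Constructed benign package: an install hook for a native build, nothing else.
BENIGN_FILES = {
    "package.json": '{"name":"native-addon","scripts":{"postinstall":"node-gyp rebuild"}}',
    "index.js": "module.exports = require('./build/Release/addon');\n",
}

if __name__ == "__main__":
    for name, files in (("sample", SAMPLE_FILES), ("benign", BENIGN_FILES)):
        fs = triage_package(files)
        print(name, verdict(fs), [(f.file, f.label) for f in fs])
```

In practice you would feed this the extracted contents of a tarball from `npm pack` or the registry before installation; a "high" verdict is a reason to inspect the lifecycle script by hand, while a lone install hook on a native module is expected and scores "low".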

MITRE Techniques

  • [T1105] Ingress Tool Transfer – The campaign downloads the final payload and decryption key from external services: ‘The URL for the final payload and part of the key needed for the final payload’s decryption is downloaded from a Telegram channel.’
  • [T1102] Web Service – Use of public web services for hosting keys/URLs and C2: ‘Figure 3: Telegram channel from which key and final stage URL are downloaded’ and use of ‘teletype.in’ to hide URL and key.
  • [T1548.003] Sudo and Sudoers (Abuse Elevation Control Mechanism) – The attackers phish for and reuse the victim’s sudo password to execute the final-stage payload with elevated privileges: ‘The user installing the package is prompted to enter their sudo password…it is then saved locally and executed using the sudo password phished from the user.’
  • [T1027] Obfuscated Files or Information – The packages hide true behavior behind fake and misleading console output and randomized progress indicators to evade detection: ‘all the information and strings output to the console is fake and inaccurate’ and ‘displaying fake npm install logs.’
  • [T1204.002] User Execution: Malicious File – The malicious payload executes after package installation, relying on the user installing the package: ‘the malicious payload executed after the package is installed.’
  • [T1078] Valid Accounts – Use of harvested credentials to run malicious components and perform privileged actions: ‘the sudo password phished from the user…is then saved locally and executed using the sudo password phished from the user.’
  • [T1005] Data from Local System – Final-stage RAT capabilities include stealing crypto wallets and sensitive data from the host: ‘the final-stage malware is a RAT designed for stealing crypto wallets and sensitive data.’

Indicators of Compromise

  • [Package names] Malicious npm packages observed in the campaign – react-state-optimizer-core, [email protected], and 4 more packages (total seven packages across multiple versions).
  • [Publisher account] npm user that published the malicious packages – mikilanjillo.
  • [Domains / Web services] Locations used to host final-stage payloads and keys – Telegram channel (used to deliver URL and key), teletype.in web3 contract (used by [email protected]).
  • [File names] Files included with packages that assist execution/stealing – decryptor (additional argument used to run final-stage RAT).
  • [Related package] Previously observed similar package noted in research – @openclaw-ai/openclawai (as documented by JFrog) referenced as sharing techniques with this campaign.


Read more: https://www.reversinglabs.com/blog/npm-fake-install-logs-rat