Full Report
Cybersecurity researchers have uncovered a new set of malicious npm packages that are designed to steal cryptocurrency wallets and sensitive data. The activity is being tracked by ReversingLabs as the Ghost campaign. The identified packages, all published by a user named `mikilanjillo`, are:
- `react-performance-suite`
- `react-state-optimizer-core`
- `react-fast-utilsa`
- `ai-fast-auto-trader`
Analysis Summary
# Tool/Technique: Ghost Campaign (npm Supply Chain Attack)
## Overview
The "Ghost" campaign refers to a series of malicious packages discovered on the npm (Node Package Manager) registry. Published by a single user account, these packages impersonate legitimate developer utilities to infiltrate development environments. Their primary purpose is the exfiltration of sensitive information, specifically targeting cryptocurrency wallets and browser-based credentials.
## Technical Details
- **Type:** Malware (Infostealer / Supply Chain Attack)
- **Platform:** Windows, macOS, Linux (Cross-platform via Node.js/JavaScript)
- **Capabilities:** Credential theft, cryptocurrency wallet hijacking, data exfiltration.
- **First Seen:** October 2023 (Active tracking by ReversingLabs)
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
  - T1195.002 - Supply Chain Compromise: Compromise Software Dependencies
- **TA0007 - Discovery**
  - T1083 - File and Directory Discovery
- **TA0009 - Collection**
  - T1539 - Steal Web Cookies
  - T1555.003 - Credentials from Web Browsers
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel
## Functionality
### Core Capabilities
- **Dependency Infiltration:** Leverages names that mimic popular libraries (e.g., `react-performance-suite`) to trick developers into installing them.
- **Data Scraping:** Scans local directories for sensitive files, including configuration files and browser profile data.
- **Wallet Theft:** Specifically targets directory paths associated with popular cryptocurrency wallet extensions and desktop applications (e.g., MetaMask, Atomic Wallet).
### Advanced Features
- **Obfuscation:** Uses JavaScript obfuscation techniques within the `index.js` or installation scripts to hide malicious logic from static analysis.
- **Automated Exfiltration:** Once data is harvested, it is bundled and sent to an actor-controlled server via HTTP POST requests.
## Indicators of Compromise
- **Package Names (Malicious npm Packages):**
  - `react-performance-suite`
  - `react-state-optimizer-core`
  - `react-fast-utilsa`
  - `ai-fast-auto-trader`
- **Contributor Handle:** `mikilanjillo`
- **Behavioral Indicators:**
  - Sub-processes spawned by `npm install` attempting to access `%AppData%` or `~/Library/Application Support`.
  - Unusual outbound network traffic from Node.js processes to unknown IP addresses/domains immediately after package installation.
## Associated Threat Actors
- **Campaign Alias:** Ghost Campaign
- **Threat Actor:** Tracked under the pseudonym `mikilanjillo` (currently unknown attribution).
## Detection Methods
- **Signature-based detection:** Monitor lockfiles and registry mirrors for the specific package names and versions published by the `mikilanjillo` user.
- **Behavioral detection:** Flag npm lifecycle scripts (`preinstall`, `postinstall`) that execute system commands or access sensitive filesystem paths outside of the project directory.
- **Audit logs:** Run `npm audit` regularly and review dependencies with zero downloads or recent publication dates by unknown authors.
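One way to turn the detection points above into a repeatable check, as an added example that is not from the ReversingLabs report: the script walks a `package-lock.json` and the per-version registry manifests of its dependencies (assumed already fetched) and flags the listed package names, the `mikilanjillo` handle, lockfile entries without an integrity hash, and lifecycle hooks that run on install. The sample lockfile and manifests are constructed.

```javascript
// Added example (not from the ReversingLabs report): audit a package-lock.json
// (v2/v3 "packages" map) plus registry manifests for the indicators above.
const GHOST_PACKAGES = new Set(['react-performance-suite',
  'react-state-optimizer-core', 'react-fast-utilsa', 'ai-fast-auto-trader']);
const GHOST_PUBLISHER = 'mikilanjillo';
// Hooks npm runs automatically during `npm install` / `npm ci`.
const LIFECYCLE_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];
// Package name from a lockfile key such as "node_modules/a/node_modules/@s/b"
// (everything after the last "node_modules/"); null for the root entry "".
function nameFromLockKey(key) {
  const i = key.lastIndexOf('node_modules/');
  return i === -1 ? null : key.slice(i + 'node_modules/'.length);
}
// Findings for one dependency: blocklisted name, missing integrity hash,
// publisher handle from the registry manifest, and lifecycle hooks.
function auditDependency(name, lockEntry, manifest) {
  const findings = [];
  if (GHOST_PACKAGES.has(name)) findings.push(`${name}: known Ghost campaign package`);
  if (!lockEntry.integrity) findings.push(`${name}: lockfile entry has no integrity hash`);
  const maintainers = (manifest && manifest.maintainers) || [];
  if (maintainers.some((m) => m.name === GHOST_PUBLISHER)) {
    findings.push(`${name}: maintained by ${GHOST_PUBLISHER}`);
  }
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of LIFECYCLE_HOOKS) {
    if (scripts[hook]) findings.push(`${name}: ${hook} hook runs "${scripts[hook]}"`);
  }
  return findings;
}
// lock: parsed package-lock.json; manifests: name -> version manifest as served
// by https://registry.npmjs.org/<name>/<version> (assumed fetched beforehand).
function auditLockfile(lock, manifests) {
  const findings = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLockKey(key);
    if (name) findings.push(...auditDependency(name, entry, manifests[name]));
  }
  return findings;
}
// Constructed sample: one benign dependency and one matching several
// indicators (the hook command is a placeholder, not the real payload).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app' },
  'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-PLACEHOLDER' },
  'node_modules/react-fast-utilsa': { version: '1.0.2' } } };
const SAMPLE_MANIFESTS = {
  'left-pad': { maintainers: [{ name: 'example-user' }], scripts: { test: 'node test.js' } },
  'react-fast-utilsa': { maintainers: [{ name: GHOST_PUBLISHER }],
    scripts: { postinstall: 'node index.js' } } };
console.log(auditLockfile(SAMPLE_LOCK, SAMPLE_MANIFESTS).join('\n'));
```

Any lifecycle hook is reported, so expect some noise from legitimate packages that compile native code; the value is in reviewing each hook's command against the sensitive-path behaviour listed above.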
## Mitigation Strategies
- **Prevention measures:**
  - Enforce a lockfile policy (commit `package-lock.json`) and verify the integrity hashes it records on every install.
  - Use npm package provenance to verify where a package was built and published.
- **Hardening recommendations:**
  - Use internal private registries (such as Verdaccio or Artifactory) to proxy and vet third-party dependencies before they reach developers.
  - Restrict outbound internet access for build servers/environments to known-good domains.
## Related Tools/Techniques
- **Typosquatting:** Similar to previous campaigns targeting the npm ecosystem.
- **Iconic Stealer:** Shares functional similarities with typical Electron-based infostealers.
- **Lazarus Group (Operation Contagious Resource):** While not directly linked, the technique of using functional-looking npm packages is a known TTP of several APT groups.