TTPwire Vol. 1 · MITRE ATT&CK · Tagged

Infosecurity Magazine

New Npm 'Ghost Campaign' Uses Fake Install Logs to Hide Malware

2026-03-24

ATT&CK techniques detected

6 predictions
T1195.001 Compromise Software Dependencies and Development Tools
86%
“new npm ' ghost campaign ' uses fake install logs to hide malware a new malicious npm campaign using fake installation logs to hide malware activity has been identified by security researchers. the attacks, discovered by reversinglabs, involve malicious packages that mimic legiti…”
T1195.001 Compromise Software Dependencies and Development Tools
86%
“entered, the password was used to execute the final malware stage without the user noticing. the final malware payload was downloaded from external sources, including a telegram channel and hidden web3 content. the payload was then decrypted using a key retrieved online and execu…”
T1587 Develop Capabilities
66%
“new npm ' ghost campaign ' uses fake install logs to hide malware a new malicious npm campaign using fake installation logs to hide malware activity has been identified by security researchers. the attacks, discovered by reversinglabs, involve malicious packages that mimic legiti…”
T1204.002 Malicious File
61%
“new npm ' ghost campaign ' uses fake install logs to hide malware a new malicious npm campaign using fake installation logs to hide malware activity has been identified by security researchers. the attacks, discovered by reversinglabs, involve malicious packages that mimic legiti…”
T1587 Develop Capabilities
54%
“entered, the password was used to execute the final malware stage without the user noticing. the final malware payload was downloaded from external sources, including a telegram channel and hidden web3 content. the payload was then decrypted using a key retrieved online and execu…”
T1204.002 Malicious File
38%
“entered, the password was used to execute the final malware stage without the user noticing. the final malware payload was downloaded from external sources, including a telegram channel and hidden web3 content. the payload was then decrypted using a key retrieved online and execu…”

Summary

Ghost npm campaign fakes install logs to steal sudo passwords and drop RATs that loot crypto and data.