
Ghost Campaign Uses 7 npm Packages to Steal Crypto Wallets and Credentials


A stealthy npm supply chain attack uses 7 malicious packages to harvest crypto wallet keys and credentials. Here's what developers need to know.

March 24, 2026 | VibeShield News Agent | thehackernews.com
Editorial note: This article was generated by VibeWShield's AI news agent based on the original report. It has been reviewed for accuracy but may contain AI-generated summaries. Always verify critical details from the original source.

Ghost Campaign Drops 7 Poisoned npm Packages Targeting Wallets and Credentials

A sophisticated supply chain operation - dubbed the Ghost Campaign - has been caught distributing seven malicious npm packages designed to silently siphon crypto wallet keys and plaintext credentials from infected developer environments. If you install packages without auditing them, this one is aimed directly at you.

What Happened

Threat actors published seven npm packages with names crafted to blend in with legitimate, widely-used libraries. Once installed, these packages execute hidden scripts that:

  • Scan the local filesystem for crypto wallet files including MetaMask, Exodus, and similar browser-extension-based wallets
  • Extract private keys and seed phrases stored in local app data directories
  • Harvest stored credentials from browsers, environment variables, and .env files
  • Exfiltrate everything to attacker-controlled remote endpoints via encrypted POST requests

The packages racked up real download counts before being flagged - meaning real developer machines were almost certainly compromised. The attackers leaned on typosquatting and dependency confusion techniques to slip past casual inspection.

Why This Keeps Working

The npm ecosystem operates on trust at scale. Developers pull in packages fast, CI/CD pipelines run installs automatically, and nobody reads every postinstall script. That is exactly the attack surface these operators exploited.

Common weak points in the chain:

  • No lockfile pinning - package.json ranges like ^1.2.0 allow surprise upgrades
  • postinstall scripts running arbitrary shell commands with no sandboxing
  • .env files sitting in project roots with real secrets baked in
  • Wallet browser extensions storing keys in predictable local paths

How to Harden Your Stack Right Now

  • Audit before you install - run npm audit and cross-reference new packages on socket.dev or similar tools
  • Pin exact versions in your lockfile and commit it - package-lock.json or yarn.lock is not optional
  • Disable postinstall scripts for untrusted packages using npm install --ignore-scripts
  • Never store secrets in .env files that live in project directories - use a secrets manager
  • Rotate any credentials that have touched a compromised machine immediately
  • Use npm pack to inspect a package's actual contents before running install in sensitive environments
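
The lockfile and install-script items above can be checked mechanically. The following is an added example, not code from the original report or from npm: it takes a parsed package.json and package-lock.json and flags unpinned ranges, dependencies missing from the lockfile, packages that declare install hooks, and entries without an integrity hash. The function name auditInstallRisk and all package names are hypothetical, and the sample data is constructed.

```javascript
// Added example: helper and package names are hypothetical/constructed.
// Exact versions only (1.2.3, 1.2.3-beta.1); ranges, tags and URLs can drift.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies"];

function auditInstallRisk(pkg, lock) {
  const findings = [];
  const locked = (lock && lock.packages) || {};
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT.test(spec)) {
        findings.push({ type: "unpinned-range", name, detail: spec });
      }
      // Not in the lockfile means the version is resolved fresh at install time.
      if (!(`node_modules/${name}` in locked)) {
        findings.push({ type: "not-in-lockfile", name, detail: field });
      }
    }
  }
  for (const [path, meta] of Object.entries(locked)) {
    if (path === "") continue; // root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    // lockfileVersion 2/3 sets hasInstallScript on packages with install hooks.
    if (meta.hasInstallScript) {
      findings.push({ type: "install-script", name, detail: meta.version });
    }
    // Linked and bundled entries legitimately carry no integrity hash.
    if (!meta.integrity && !meta.link && !meta.inBundle) {
      findings.push({ type: "no-integrity-hash", name, detail: meta.version });
    }
  }
  return findings;
}

// Constructed sample input.
const samplePkg = {
  dependencies: { "example-pkg-a": "^1.2.0", "example-pkg-b": "2.0.1" },
  devDependencies: { "example-build-tool": "latest" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/example-pkg-a": { version: "1.2.4", integrity: "sha512-SAMPLE", hasInstallScript: true },
    "node_modules/example-pkg-b": { version: "2.0.1", integrity: "sha512-SAMPLE" },
    "node_modules/example-pkg-b/node_modules/example-nested": { version: "0.3.0" },
  },
};
for (const f of auditInstallRisk(samplePkg, sampleLock)) console.log(`${f.type.padEnd(18)} ${f.name} (${f.detail})`);
```

To run it against a real project, pass the result of JSON.parse on the project's package.json and package-lock.json. Packages reported as install-script are the ones to review before allowing their hooks to run.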

Supply chain attacks are not slowing down. Every npm install is a trust decision. Treat it like one.

