New Ghost Campaign Uses Fake npm Progress Bars to Phish Sudo Passwords


ReversingLabs researchers identify a new Ghost campaign using fake npm install logs and progress bars to phish for sudo passwords and steal crypto wallets from developers.

Cybersecurity researchers have spotted a sneaky new trick used by hackers to compromise developers’ computers. This latest threat, which first appeared at the beginning of February 2026, involves malicious code hidden inside npm packages, which programmers use to create apps.

According to researchers at ReversingLabs, this specific attack, dubbed the Ghost campaign, tricks users into thinking they are installing a helpful tool. In reality, the software is busy stealing private data in the background.

In total, researchers detected seven malicious packages, including react-state-optimizer-core, [email protected], and multiple versions of coinbase-desktop-sdk. All were published by a single user going by the handle mikilanjillo.

The art of the fake log

What makes this attack stand out is how it hides its tracks. Usually, when you install ...


Copyright of this story solely belongs to hackread.com.