Cybersecurity researchers have spotted a sneaky new trick used by hackers to compromise developers’ computers. This latest threat, which first appeared at the beginning of February 2026, involves malicious code hidden inside npm packages, which programmers use to create apps.
According to researchers at ReversingLabs, this specific attack, dubbed the Ghost campaign, tricks users into thinking they are installing a helpful tool. In reality, the software is busy stealing private data in the background.
In total, researchers detected seven malicious packages, including react-state-optimizer-core, [email protected], and multiple versions of coinbase-desktop-sdk. All were published by a single user going by the handle mikilanjillo.
The art of the fake log
What makes this attack stand out is how it hides its tracks. Usually, when you install software, you see text scrolling by or a loading bar. The hackers created fake versions of these screens to make everything look legitimate. The research, which was shared with Hackread.com, pointed to a package called react-state-optimizer-core as a prime example of this tactic.
“The sophistication comes from its novel technique of using fake npm install logs to hide malicious activity,” researchers noted. The software even mimics a lagging connection by adding random pauses and a fake progress bar. While this happens, the program asks the user for their sudo password, the master key to a computer’s system, claiming it is needed for optimization purposes or to fix errors.
Hunting for crypto wallets
Once the user enters that password, the trap is set. The goal is to deploy a Remote Access Trojan (RAT), a type of malware that lets a hacker control a computer from a remote location. This specific malware is designed to hunt for cryptocurrency wallets and sensitive personal data.
Some versions, such as [email protected] and coinbase-desktop-sdk, even include a separate decryptor file to help the malware unlock stolen files. The hackers used clever hiding spots for their instructions; most packages pulled data from a Telegram channel, though version 1.5.19 of the Coinbase SDK used the site teletype.in to stay under the radar.
A sign of things to come?
This might just be the start of a larger wave of attacks. On March 8, 2026, a firm called JFrog found a similar malicious package named @openclaw-ai/openclawai, suggesting the Ghost campaign could have been a test run.
Some versions, like [email protected], even contained debug messages (notes left by the hackers while they were still building the tool). As we know, cybercriminals are always evolving, and these fake loading screens are a clever new way to keep users from spotting the danger.
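For teams that want to check their own projects, the sketch below is an added example (not code from ReversingLabs, JFrog or the article) that scans a parsed package-lock.json for the package names mentioned above. The sample lockfile, its versions and the names ui-kit and wallet-sdk are constructed for illustration, and the name list is limited to the names the article spells out.

```javascript
// Names taken from the article; matching is by name, for any version.
// The list is incomplete: not every package in the campaign is named here.
const FLAGGED = new Set([
  "react-state-optimizer-core",
  "coinbase-desktop-sdk",
  "@openclaw-ai/openclawai",
]);

// Lockfile v2/v3 keys are install paths such as
// "node_modules/a/node_modules/@scope/b"; the package name is whatever
// follows the last "node_modules/" segment (this keeps scoped names whole).
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

function findFlagged(lock) {
  const hits = [];
  // v2/v3: flat "packages" map. npm records an explicit "name" when the
  // folder name differs from the real package name (for example, aliases).
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || nameFromPath(path);
    if (name && FLAGGED.has(name)) hits.push({ name, version: meta.version, where: path });
  }
  // v1: nested "dependencies" tree keyed by package name. Skipped when a
  // "packages" map exists, so v2 files are not reported twice.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (FLAGGED.has(name)) hits.push({ name, version: meta.version, where: [...trail, name].join(" > ") });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (v3 shape); versions and parent names are made up.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "18.2.0" },
    "node_modules/ui-kit/node_modules/react-state-optimizer-core": { version: "0.0.0-sample" },
    "node_modules/wallet-sdk": { name: "coinbase-desktop-sdk", version: "0.0.0-sample" },
    "node_modules/@openclaw-ai/openclawai": { version: "0.0.0-sample" },
  },
};

for (const h of findFlagged(SAMPLE_LOCK)) console.log(`${h.name}@${h.version} at ${h.where}`);
```

To scan a real project, pass the result of JSON.parse on its package-lock.json to findFlagged; a hit on a transitive path shows which dependency pulled the package in.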

