You ran npm install. The terminal scrolled. Package names, version numbers, dependency trees, a clean success message. You moved on. That’s exactly what the attacker counted on.

ReversingLabs researcher Lucija Valentic documented the Ghost Campaign: seven malicious npm packages from publisher “mikilanjillo,” running since February 2026. The core trick isn’t hiding. It’s showing you something fake while the malware runs. The packages generate convincing fake terminal output, the kind developers’ eyes slide right past, while executing in the background.

The package names are the other half of the social engineering. react-performance-suite, react-state-optimizer-core, ai-fast-auto-trader. If you’re building a React app or experimenting with AI trading tools, none of those raise flags. That’s not an accident.

Once installed, they go after two things: sudo passwords and cryptocurrency wallet data. The sudo theft is the nasty one. On a developer machine, that can mean source code, API keys, SSH credentials, cloud provider access. Everything. The packages also establish a persistent remote access trojan channel, so this isn’t a smash-and-grab. The machine becomes an asset the attacker returns to.

All seven packages trace back to the same publisher. Same technique, same playbook, coordinated campaign.

Check your package.json for those names. If you’ve added anything unfamiliar recently, audit what’s in node_modules. And if you’re running developer security programs, fake install logs are something you need to brief people on now.

The full technical breakdown, C2 infrastructure details, and what to look for are in the complete post.