reversinglabs

The npm Ghost: That Install Log Looked Normal Because It Was Built to Fool You

John Z Black Mar 25, 2026

Threat Intelligence #npm #supply-chain #developer-security #reversinglabs #credential-theft #malware

Seven malicious npm packages have been stealing sudo passwords and crypto wallet data from developer machines since February. The trick: they generate fake terminal output so convincing that developers don't look twice.