A Sneaky npm Scam That Steals Crypto and Secrets
Worldwide, Tue Mar 24 2026
Cybersecurity experts have found a new set of npm packages that act like harmless tools but secretly grab crypto wallets and personal data.
The attackers, who publish everything under the name “mikilanjillo,” use seven different packages.
Each one pretends to download extra modules, shows fake install logs, and even inserts random pauses so users think the process is normal.
When the installation hits a “permission error,” the package asks for your sudo or admin password.
If you give it, the malware quietly pulls a second‑stage downloader that contacts a Telegram channel.
That channel supplies the final malicious file and the key to unlock it.
The end result is a remote‑access trojan that can steal wallet keys, browser passwords, SSH keys and other sensitive information.
It also waits for commands from a remote server to decide what to do next.
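A defender-side check for the install-time behaviour described above, as an added example that is not code from the article or from the researchers it cites. It assumes the packages launch their logic from npm lifecycle scripts (the article does not say how); `auditPackage`, the indicator patterns and both sample inputs are constructed for illustration.

```javascript
// Heuristic audit of one npm package for the install-time behaviour the
// article describes. Hook usage and all patterns below are assumptions.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

const INDICATORS = [
  // Install code that asks for a sudo/admin password.
  { id: "password-prompt", re: /\b(sudo|admin(istrator)?)\b[^\n]{0,40}\bpassword\b/i },
  // References to Telegram hosts from install code.
  { id: "telegram-endpoint", re: /\b(api\.telegram\.org|t\.me)\b/i },
  // Randomised pauses, as used to make fake logs look natural.
  { id: "random-delay", re: /setTimeout[\s\S]{0,200}Math\.random/ },
];

// manifest: parsed package.json; files: { relativePath: sourceText }.
function auditPackage(manifest, files) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    findings.push({ hook, id: "install-hook", where: `scripts.${hook}` });
    // Check the command itself and every packaged file it names.
    const targets = [[`scripts.${hook}`, cmd]];
    for (const [path, text] of Object.entries(files)) {
      if (cmd.includes(path)) targets.push([path, text]);
    }
    for (const [where, text] of targets) {
      for (const { id, re } of INDICATORS) {
        if (re.test(text)) findings.push({ hook, id, where });
      }
    }
  }
  return findings;
}

// Constructed sample inputs (inert strings, not taken from any real package).
const suspicious = {
  manifest: { name: "constructed-sample", scripts: { postinstall: "node setup.js" } },
  files: {
    "setup.js": [
      'console.log("Permission error: enter your sudo password to continue");',
      "setTimeout(step, 500 + Math.random() * 2000);",
      'const next = "https://api.telegram.org/PLACEHOLDER";',
    ].join("\n"),
  },
};
const benign = { manifest: { name: "constructed-benign", scripts: { test: "node t.js" } }, files: {} };

console.log(auditPackage(suspicious.manifest, suspicious.files));
```

Installing with `npm install --ignore-scripts` keeps lifecycle hooks from running at all, which leaves time to review any package this check flags.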
Security researchers see similarities with another threat called GhostClaw, which also uses GitHub repos and AI tools to hide its bad code.
Both campaigns rely on trusted development environments, so developers who install seemingly useful libraries become easy targets.
The attackers also store stolen data in Telegram bots and even use a smart‑contract on the Binance Smart Chain to keep track of what they have.
They run two revenue streams: one from selling the stolen credentials and another from redirecting users to affiliate links.
This trend shows how cybercriminals are moving beyond old package‑registry tricks and now embed malicious code in popular open‑source projects, making it harder for users to spot the danger.
https://localnews.ai/article/a-sneaky-npm-scam-that-steals-crypto-and-secrets-a714e8b1