
Fake install logs in npm packages load RAT

ID: 0b76e2fd-fb13-502d-a52e-7785f8f2440e

STIX ID: report--0b76e2fd-fb13-502d-a52e-7785f8f2440e

Feed Name: ReversingLabs Blog

Threat Score
75/100

Date Published: 2026-03-24

Date Updated: 2026-04-30

Author: Lucija Valentić

...
...

ReversingLabs discovered a malicious npm ‘Ghost campaign’ that published several packages that mimic a normal install by printing fake console output and then phish for the user's sudo password; the harvested credentials are used to run a downloaded, encrypted final-stage RAT that steals cryptocurrency wallets and other sensitive data. The campaign uses Telegram (and in one case a web3 post) to host the final payload URLs and decryption keys, some of the packages still include development and test artifacts, and the report comes with collected IOCs and detection guidance via Spectra Assure.
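The chain described above is a package that prints fake install output, prompts for the sudo password and then fetches an encrypted second stage whose URL and key live on Telegram. As an added example (not code from the ReversingLabs report or from this feed), the JavaScript below is a heuristic triage pass a practitioner could run over a package's manifest and files to flag that combination before installing it. The indicator strings, the assumption that the malicious code runs from an install lifecycle hook, the constructed sample package and the scoring threshold are all assumptions made for this example, not details taken from the report.

```javascript
// Added example: heuristic triage of an npm package for the pattern the
// summary describes (install-time fake console output, sudo-password
// prompt, Telegram-hosted second stage, encrypted payload). Indicator
// regexes and the threshold are assumptions, not taken from the report.

// Indicator families. One hit alone is weak evidence; the verdict below
// requires several distinct families plus an install-time hook.
const INDICATORS = {
  sudo_prompt: /\bsudo\b|[Pp]assword\s*:|\/dev\/tty|setRawMode/,
  telegram_c2: /api\.telegram\.org|t\.me\//,
  fake_install_log: /npm (WARN|notice|info)|added \d+ packages?/,
  encrypted_stage: /createDecipheriv|crypto\.subtle\.decrypt|aes-\d+-(cbc|gcm)/,
  remote_fetch: /https?:\/\/[^\s'"]+/,
};

// Lifecycle hooks that npm runs automatically during `npm install`.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Return the install-time scripts declared in package.json, if any.
function installHooks(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return INSTALL_HOOKS.filter((h) => h in scripts).map((h) => ({ hook: h, cmd: scripts[h] }));
}

// Scan a map of { path: contents } and return one finding per
// (file, indicator family), recording the first matching line.
function scanFiles(files) {
  const findings = [];
  for (const [path, text] of Object.entries(files)) {
    const lines = text.split('\n');
    for (const [family, re] of Object.entries(INDICATORS)) {
      const idx = lines.findIndex((l) => re.test(l));
      if (idx !== -1) {
        findings.push({ path, family, line: idx + 1, text: lines[idx].trim() });
      }
    }
  }
  return findings;
}

// Combine hooks and indicator families into a verdict: code that runs at
// install time AND shows at least 3 distinct families is flagged.
// The threshold of 3 is an assumption chosen for this example.
function scanPackage(manifest, files) {
  const hooks = installHooks(manifest);
  const findings = scanFiles(files);
  const families = [...new Set(findings.map((f) => f.family))].sort();
  const suspicious = hooks.length > 0 && families.length >= 3;
  return { hooks, findings, families, suspicious };
}

// Constructed sample package (not a real package from the report).
const SAMPLE_MANIFEST = {
  name: 'example-pkg',
  version: '1.0.0',
  scripts: { postinstall: 'node setup.js' },
};

const SAMPLE_FILES = {
  'setup.js': [
    "console.log('npm WARN deprecated example@1.0.0');",
    "console.log('added 12 packages in 3s');",
    "process.stdout.write('Password: ');",
    "const resp = fetch('https://api.telegram.org/bot123/getUpdates');",
    "const dec = crypto.createDecipheriv('aes-256-cbc', key, iv);",
  ].join('\n'),
  'index.js': "module.exports = () => 'hello';",
};

// Constructed benign package for comparison: no install hook, no indicators.
const BENIGN_MANIFEST = { name: 'plain-lib', version: '1.0.0', scripts: { test: 'node test.js' } };
const BENIGN_FILES = { 'index.js': 'module.exports = (s) => s.trim();' };

// Demo run: prints the verdict for both constructed packages.
console.log(JSON.stringify(scanPackage(SAMPLE_MANIFEST, SAMPLE_FILES), null, 2));
console.log(JSON.stringify(scanPackage(BENIGN_MANIFEST, BENIGN_FILES), null, 2));
```

The point of requiring both an install hook and several indicator families is to keep false positives down: plenty of legitimate packages contain a URL or a `Password:` string, but few print fake npm progress lines, read a password and decrypt a downloaded blob from the same postinstall script. Treat a hit as a reason to read the package source, not as a final verdict.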
