Ghost

Ghost is a malware name used in the provided content for multiple distinct threat contexts. High-confidence reporting links it most clearly to a ransomware variant/group. In August 2021, a Ghost ransomware variant was used against a California-based water and wastewater system facility, where it remained present for about one month before discovery and was identified after three SCADA servers displayed a ransomware message. Separate reporting states the Ghost ransomware group has actively targeted known vulnerabilities in unpatched systems, including exploitation of CVE-2024-8963 (Ivanti CSA admin bypass), and has used double-extortion tactics following data exfiltration. The content also notes that Ghost ransomware, also referred to as GhostLocker, continued to evolve after an initial release in October 2023 by GhostSec, a threat actor originally associated with Anonymous and hacktivist operations. Additional content uses 'Ghost campaign' to describe a malicious npm supply-chain operation first observed in early February 2026. In that campaign, trojanized npm packages impersonated helpful developer tools, displayed fake installation logs with bogus dependency downloads, progress bars, and delays, and socially engineered users into entering sudo passwords. After password entry, the packages attempted to deploy a remote access trojan that provided remote control and searched infected systems for cryptocurrency wallets, sensitive personal data, and broader information for exfiltration. Reported package names included react-state-optimizer-core, carbon-mac-copy-cloner@1.1.0, multiple versions of coinbase-desktop-sdk, and a similar package later identified as @openclaw-ai/openclawai. Most variants retrieved instructions from Telegram channels, while coinbase-desktop-sdk version 1.5.19 used teletype.in. Because the source content conflates ransomware and a separate npm malware campaign under the same name, attribution and capabilities should be interpreted carefully by context.