PylangGhost RAT Distributed via Malicious npm Packages


EXECUTIVE SUMMARY

A software supply chain campaign has been identified distributing the PylangGhost Remote Access Trojan (RAT) through malicious npm packages targeting developers and software development environments. The attackers initially publish legitimate package versions to build trust and later introduce obfuscated malicious code in subsequent updates to evade detection.

The malware enables cross-platform remote access across Windows, Linux, and macOS systems, potentially allowing attackers to steal sensitive data, credentials, and intellectual property from affected environments.

  • Active Region: Global
  • Affected Sector: Software Development, Information Technology, and organizations using open-source dependencies
  • Affected Product: npm packages (react-refresh-update, @jaime9008/math-service)
  • Severity: High
  • Published Date: March 17, 2026

TECHNICAL DETAILS

  • Target: Developers, development environments, and downstream systems installing or depending on compromised npm packages, including CI/CD pipelines and production workloads that automatically fetch and execute package updates without adequate validation controls.
  • Root Cause: The attack leverages a software supply chain compromise in which threat actors inject obfuscated malicious code into otherwise legitimate npm packages. Contributing factors include insufficient package integrity verification, lack of dependency security scanning, automated package updates without validation, and implicit trust in open-source repositories and package maintainers.
  • Prerequisite for Exploitation: Successful exploitation requires installation or update of infected npm package versions, along with execution of package……
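
A lockfile check for the two package names listed under Affected Product, as an added example that is not part of the advisory: it walks a parsed package-lock.json (v1 nested trees and v2/v3 path-keyed entries), reports every occurrence including aliased installs, and notes entries that lack an integrity hash. The advisory text here gives no affected version numbers, so any version is reported for review; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example, not the advisory's code. Package names come from the advisory;
// SAMPLE_LOCK and its version/integrity strings are constructed.
const FLAGGED = new Set(['react-refresh-update', '@jaime9008/math-service']);

// Lockfile v2/v3 keys are install paths; the name follows the last node_modules/.
function nameFromPath(p) {
  const i = p.lastIndexOf('node_modules/');
  return i === -1 ? null : p.slice(i + 'node_modules/'.length);
}

function scanLock(lock) {
  const hits = [];
  const record = (name, entry, where) => {
    if (!FLAGGED.has(name)) return;
    hits.push({ name, version: entry.version || null, where,
                hasIntegrity: typeof entry.integrity === 'string' });
  };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // An aliased install keeps the real package name in entry.name.
    const name = entry.name || nameFromPath(path);
    if (name) record(name, entry, path || '(root)');
  }
  // Lockfile v1: nested "dependencies" trees; aliases look like "npm:<name>@<version>".
  const walk = (deps, trail) => {
    for (const [key, entry] of Object.entries(deps || {})) {
      const alias = /^npm:(.+)@[^@]+$/.exec(entry.version || '');
      record(alias ? alias[1] : key, entry, trail.concat(key).join(' > '));
      walk(entry.dependencies, trail.concat(key));
    }
  };
  if (!lock.packages) walk(lock.dependencies, []);
  return hits;
}

// Constructed sample: a direct hit, a nested transitive hit, and an aliased hit.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/some-dep': { version: '1.0.0', integrity: 'sha512-constructed' },
    'node_modules/react-refresh-update': { version: '0.0.0-constructed' },
    'node_modules/some-dep/node_modules/@jaime9008/math-service':
      { version: '0.0.0-constructed', integrity: 'sha512-constructed' },
    'node_modules/helper':
      { name: 'react-refresh-update', version: '0.0.0-constructed', integrity: 'sha512-constructed' },
  },
};

console.log(JSON.stringify(scanLock(SAMPLE_LOCK), null, 2));
```

To check a real project, pass `JSON.parse` of its package-lock.json to `scanLock`; a non-empty result means the dependency tree resolves one of the named packages and the host should be reviewed.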
