Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials – Cyber Tech

Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts.

The package, named “@openclaw-ai/openclawai,” was uploaded to the registry by a user named “openclaw-ai” on March 3, 2026. It has been downloaded 178 times so far. The library is still available for download as of writing.

JFrog, which discovered the package, said it is designed to steal system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, as well as install a persistent RAT with remote access capabilities, a SOCKS5 proxy, and live browser session cloning.

“The attack is notable for its broad data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 [command-and-control] infrastructure,” security researcher Meitar Palas said. “Internally, the malware identifies itself as GhostLoader.”

The malicious logic is triggered via a postinstall hook, which re-installs the package globally using the command “npm i -g @openclaw-ai/openclawai.” Once the installation is complete, the OpenClaw binary points to “scripts/setup.js” via the “bin” property in the “package.json” file.

It is worth noting that the “bin” field is used to define executable files that should be added to the user’s PATH during package installation. This, in turn, turns the package into a globally accessible command-line tool.
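The two manifest features just described, a lifecycle script and a “bin” entry, are legitimate npm mechanisms, which is why they are rarely reviewed before `npm install`. The following Node.js script is an added example (not JFrog’s analysis tooling and not the package’s own code) that audits a package.json object for exactly these indicators: install-time hooks, a hook that re-installs the package itself globally, network fetches inside a hook, and the commands a “bin” entry would place on PATH. The sample manifest is constructed from the values the article reports; the command name “openclaw” and the version string are assumptions.

```javascript
// Added example: audit an npm package.json for install-time risk indicators.
// Lifecycle scripts run automatically on `npm install`; "bin" entries become
// commands on the user's PATH. Neither is malicious by itself, so findings
// carry a level ("info" or "warn") for a reviewer rather than a verdict.

const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// "npm i -g <pkg>" or "npm install --global <pkg>" inside a script string.
const GLOBAL_INSTALL = /\bnpm\s+(?:i|install)\b.*?(?:\s-g\b|--global\b)/;
// Shell download helpers or URLs embedded in a lifecycle script.
const REMOTE_FETCH = /\b(?:curl|wget)\b|https?:\/\//;

// "bin" may be a string (command named after the unscoped package name)
// or an object mapping command names to files inside the package.
function normalizeBin(manifest) {
  const bin = manifest.bin;
  if (!bin) return {};
  if (typeof bin === "string") {
    const unscoped = String(manifest.name || "").replace(/^@[^/]+\//, "");
    return { [unscoped]: bin };
  }
  return { ...bin };
}

function auditManifest(manifest) {
  const findings = [];
  const add = (level, message) => findings.push({ level, message });
  const scripts = manifest.scripts || {};
  let selfInstall = false;

  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const cmd = String(scripts[hook]);
    add("warn", `${hook}: runs "${cmd}" automatically at install time`);
    if (GLOBAL_INSTALL.test(cmd)) {
      add("warn", `${hook}: performs a global npm install`);
      if (manifest.name && cmd.includes(manifest.name)) {
        selfInstall = true;
        add("warn", `${hook}: re-installs the package itself globally`);
      }
    }
    if (REMOTE_FETCH.test(cmd)) add("warn", `${hook}: fetches content from the network`);
  }

  for (const [command, file] of Object.entries(normalizeBin(manifest))) {
    add("info", `bin: exposes "${command}" -> ${file} on PATH`);
    if (selfInstall) {
      add("warn", `bin: "${command}" becomes a global command via the self-install hook`);
    }
  }
  return findings;
}

function hasWarnings(findings) {
  return findings.some((f) => f.level === "warn");
}

// Constructed manifest mirroring the indicators reported for the package
// in the article. The command name "openclaw" and the version are assumptions.
const SUSPICIOUS_MANIFEST = {
  name: "@openclaw-ai/openclawai",
  version: "0.0.0-placeholder",
  scripts: { postinstall: "npm i -g @openclaw-ai/openclawai" },
  bin: { openclaw: "scripts/setup.js" },
};

// Constructed benign manifest for contrast: no lifecycle hooks, ordinary bin.
const BENIGN_MANIFEST = {
  name: "example-cli",
  version: "1.0.0",
  scripts: { test: "node test.js" },
  bin: "bin/example-cli.js",
};

for (const m of [SUSPICIOUS_MANIFEST, BENIGN_MANIFEST]) {
  console.log(`== ${m.name} ==`);
  for (const f of auditManifest(m)) console.log(`[${f.level}] ${f.message}`);
}
```

Pointing `auditManifest` at the package.json inside an `npm pack` tarball lets you inspect a dependency before its scripts ever run; `npm install --ignore-scripts` (or `npm config set ignore-scripts true`) prevents lifecycle hooks from executing at all, at the cost of breaking packages that legitimately rely on them.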

The file “setup.js” serves as the first-stage dropper that, upon running, displays a convincing fake command-line interface with animated progress bars to give the impression that OpenClaw is being installed on the host. After the purported installation step is complete, the script shows a bogus iCloud Keychain authorization prompt, asking users to enter their system password.

Concurrently, the script retrieves an encrypted second-stage JavaScript payload from the C2 server (“trackpipe[.]dev”), which is then decoded, written to a temporary file, and spawned as a detached child process to continue running in the background. The temp file is deleted after 60 seconds to cover up traces of the activity.
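The launch sequence described here (payload written under the temp directory, started as a detached background process, file removed on a timer) is a behavioural pattern that can be looked for in package source before it runs. The script below is an added example, not JFrog’s tooling or anything from the package, that scores a JavaScript source string against heuristics for those four steps using standard Node.js API names. The two inputs are constructed fixtures: one mimics the reported sequence in skeleton form, the other is an ordinary build script that also uses the temp directory, to show why a single indicator is not enough.

```javascript
// Added example: heuristic scan of JavaScript source for the dropper
// behaviour described above. Each indicator is common in legitimate code,
// so the output is a weighted score for triage, not a verdict.

const INDICATORS = [
  // child_process spawn with the child detached from the parent's lifetime
  { id: "detached_child", weight: 3, re: /detached\s*:\s*true/ },
  // parent drops its reference so it can exit while the child keeps running
  { id: "unref_child", weight: 2, re: /\.unref\s*\(\s*\)/ },
  // writes into the OS temp directory
  { id: "temp_dir_write", weight: 2, re: /tmpdir\s*\(\s*\)/ },
  // a file deletion scheduled on a timer (within ~200 chars of setTimeout)
  { id: "delayed_unlink", weight: 3, re: /setTimeout\s*\([\s\S]{0,200}?unlink(?:Sync)?\s*\(/ },
];

const REVIEW_THRESHOLD = 6;

function scanSource(src) {
  const hits = INDICATORS.filter((ind) => ind.re.test(src));
  const score = hits.reduce((sum, ind) => sum + ind.weight, 0);
  return {
    hits: hits.map((ind) => ind.id),
    score,
    verdict: score >= REVIEW_THRESHOLD ? "review" : "low",
  };
}

// Constructed fixture: a skeleton of the reported sequence (not the real
// payload; identifiers and the file name are invented).
const SUSPICIOUS_SRC = `
const tmp = path.join(os.tmpdir(), ".cache.js");
fs.writeFileSync(tmp, decoded);
const child = spawn(process.execPath, [tmp], { detached: true, stdio: "ignore" });
child.unref();
setTimeout(() => fs.unlinkSync(tmp), 60000);
`;

// Constructed fixture: a build helper that also uses the temp directory but
// runs synchronously and cleans up immediately.
const BENIGN_SRC = `
const out = path.join(os.tmpdir(), "build-" + Date.now());
fs.mkdirSync(out);
execSync("tsc --outDir " + out);
fs.rmSync(out, { recursive: true });
`;

for (const [label, src] of [["suspicious", SUSPICIOUS_SRC], ["benign", BENIGN_SRC]]) {
  const result = scanSource(src);
  console.log(`${label}: score=${result.score} verdict=${result.verdict} hits=${result.hits.join(",")}`);
}
```

Run over every `.js` file in a freshly unpacked tarball, a "review" verdict is a reason to read the file before installing, not proof of malice; lowering the threshold trades fewer misses for more benign build scripts flagged.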

“If the Safari directory is inaccessible (no Full Disk Access), the script displays an AppleScript dialog urging the user to grant FDA to Terminal, complete with step-by-step instructions and a button that opens System Preferences directly,” JFrog explained. “This enables the second-stage payload to steal Apple Notes, iMessage, Safari history, and Mail data.”

The JavaScript second stage, comprising about 11,700 lines, is a full-fledged information stealer and RAT framework that is capable of persistence, data collection, browser decryption, C2 communication, a SOCKS5 proxy, and live browser cloning. It is also equipped to steal a wide range of data –

  • macOS Keychain, including both the local login.keychain-db and all iCloud Keychain databases
  • Credentials, cookies, credit cards, and autofill data from all Chromium-based browsers, such as Google Chrome, Microsoft Edge, Brave, Vivaldi, Opera, Yandex, and Comet
  • Data from desktop wallet applications and browser extensions
  • Cryptocurrency wallet seed phrases
  • SSH keys
  • Developer and cloud credentials for AWS, Microsoft Azure, Google Cloud, Kubernetes, Docker, and GitHub
  • Artificial intelligence (AI) agent configurations, and
  • Data protected by FDA, including Apple Notes, iMessage history, Safari browsing history, Mail account configurations, and Apple account information

In the final stage, the collected data is compressed into a tar.gz archive and exfiltrated through multiple channels, including directly to the C2 server, the Telegram Bot API, and GoFile.io.

What’s more, the malware enters a persistent daemon mode that allows it to monitor clipboard content every three seconds and transmit any data that matches one of nine pre-defined patterns corresponding to private keys, WIF key, SOL private key, RSA private key, BTC address, Ethereum address, AWS key, OpenAI key, and Strike key.

Other features include keeping tabs on running processes, scanning incoming iMessage chats in real time, and executing commands sent from the C2 server to run arbitrary shell commands, open a URL in the victim’s default browser, download additional payloads, upload files, start/stop a SOCKS5 proxy, list available browsers, clone a browser profile and launch it in headless mode, stop the browser clone, self-destruct, and update itself.

The browser cloning function is particularly dangerous as it launches a headless Chromium instance with the existing browser profile that contains cookies, login, and history data. This gives the attacker a fully authenticated browser session without the need to access credentials.

“The @openclaw-ai/openclawai package combines social engineering, encrypted payload delivery, broad data collection, and a persistent RAT into a single npm package,” JFrog said.

“The polished fake CLI installer and Keychain prompt are convincing enough to extract system passwords from careful developers, and once captured, those credentials unlock macOS Keychain decryption and browser credential extraction that would otherwise be blocked by OS-level protections.”
