Malicious npm Package Masquerades as OpenClaw Installer, Deploys RAT to Steal macOS Credentials
Cybersecurity researchers have identified a malicious npm package that disguises itself as an OpenClaw installer, deploying a remote access trojan (RAT) to extract sensitive data from compromised systems. The package, titled “@openclaw-ai/openclawai,” was uploaded to the npm registry on March 3, 2026, by a user named “openclaw-ai.” To date, it has been downloaded 178 times and remains available for download.
Discovery and Capabilities of the Malicious Package
JFrog, the cybersecurity firm that uncovered the package, reported that it is engineered to steal various forms of sensitive information. This includes system credentials, browser data, cryptocurrency wallets, SSH keys, Apple Keychain databases, and iMessage history. The malware operates under the name GhostClaw and is designed to install a persistent RAT with capabilities such as remote access, SOCKS5 proxy functionality, and live browser session cloning.
Security researcher Meitar Palas noted that the attack is significant due to its extensive data collection methods, the use of social engineering to obtain the victim’s system password, and the sophistication of its persistence and command-and-control (C2) infrastructure. Internally, the malware refers to itself as GhostLoader.
Mechanism of Infection
The malicious behavior is initiated through a postinstall hook that reinstalls the package globally using the command “npm i -g @openclaw-ai/openclawai.” After installation, the OpenClaw binary directs to “scripts/setup.js” as specified in the “bin” property of the “package.json” file. The “bin” field is crucial as it defines executable files that are added to the user’s PATH during installation, effectively transforming the package into a globally accessible command-line tool.
The “setup.js” file acts as the first-stage dropper. When executed, it presents a convincing fake command-line interface with animated progress bars, simulating the installation of OpenClaw. Following this, the script prompts users with a counterfeit iCloud Keychain authorization request, asking for their system password.
Simultaneously, the script retrieves an encrypted second-stage JavaScript payload from the C2 server, “trackpipe[.]dev.” This payload is then decoded, written to a temporary file, and executed as a detached child process, allowing it to run in the background. The temporary file is deleted after 60 seconds to obscure any traces of the activity.
Data Theft and Exfiltration
If the Safari directory is inaccessible due to lack of Full Disk Access, the script displays an AppleScript dialog urging the user to grant such access to Terminal, providing step-by-step instructions and a button that opens System Preferences directly. This enables the second-stage payload to extract Apple Notes, iMessage, Safari history, and Mail data.
The second-stage JavaScript, comprising approximately 11,700 lines, functions as a comprehensive information stealer and RAT framework. It is capable of persistence, data collection, browser decryption, C2 communication, SOCKS5 proxy operation, and live browser cloning. The data it can steal includes:
- macOS Keychain data, including local and iCloud databases
- Credentials, cookies, credit card information, and autofill data from Chromium-based browsers such as Google Chrome, Microsoft Edge, Brave, Vivaldi, Opera, Yandex, and Comet
- Data from desktop wallet applications and browser extensions
- Cryptocurrency wallet seed phrases
- SSH keys
- Developer and cloud credentials for platforms like AWS, Microsoft Azure, Google Cloud, Kubernetes, Docker, and GitHub
- Configurations for artificial intelligence agents
- Data protected by Full Disk Access, including Apple Notes, iMessage history, Safari browsing history, Mail account configurations, and Apple account information
In the final stage, the collected data is compressed into a tar.gz archive and exfiltrated through various channels, including direct transmission to the C2 server, the Telegram Bot API, and GoFile.io.
Persistent Monitoring and Additional Features
The malware also enters a persistent daemon mode, allowing it to monitor clipboard content every three seconds. It transmits any data matching predefined patterns related to private keys, WIF keys, SOL private keys, RSA private keys, Bitcoin addresses, Ethereum addresses, AWS keys, OpenAI keys, and Strike keys.
Additional functionalities include monitoring running processes, scanning incoming iMessage chats in real-time, and executing commands received from the C2 server. These commands can run arbitrary shell commands, open URLs in the victim’s default browser, download additional payloads, upload files, start or stop a SOCKS5 proxy, list available browsers, clone a browser profile and launch it in headless mode, self-destruct, and update itself.
The browser cloning feature is particularly alarming, as it launches a headless Chromium instance using the existing browser profile, which contains cookies, login information, and browsing history. This allows attackers to gain a fully authenticated browser session without needing to access credentials.
JFrog emphasized that the @openclaw-ai/openclawai package combines social engineering, encrypted payload delivery, extensive data collection, and a persistent RAT into a single npm package. The convincing fake CLI installer and Keychain prompt are sufficient to extract system passwords from cautious developers. Once these credentials are captured, they enable access to macOS Keychain decryption and browser credential extraction, circumventing OS-level protections.
Update on the Malicious Package
The @openclaw-ai/openclawai package has been removed from the npm registry as of March 10, 2026.
For further details, refer to the original reporting by thehackernews.com.
