Cybersecurity researchers have uncovered a malicious npm package that impersonates an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive information from infected macOS systems.

The package, named @openclaw-ai/openclawai, was uploaded to the npm registry by a user called “openclaw-ai” on March 3, 2026. Before being discovered, it had been downloaded 178 times.

Researchers from JFrog, who identified the malicious package, reported that it is capable of stealing a wide range of sensitive information including system credentials, browser data, cryptocurrency wallets, SSH keys, Apple Keychain databases, and iMessage history. The malware also installs a persistent RAT that enables remote control, SOCKS5 proxy capabilities, and live browser session cloning.

Security researchers are tracking the activity under the name GhostClaw, while the malware internally refers to itself as GhostLoader.

How the Attack Works

The malicious functionality is triggered through a postinstall hook, one of the lifecycle scripts npm runs automatically during package installation (unless the install is run with --ignore-scripts). This hook silently re-installs the package globally using the command:

npm i -g @openclaw-ai/openclawai

After installation, the bin entry in the package's package.json points to a script called scripts/setup.js, which the global install exposes as a command and which acts as the first-stage dropper.

When executed, the script displays a fake command-line installer complete with animated progress bars, making it appear as though OpenClaw is being installed on the system. After the fake installation finishes, the script displays a bogus iCloud Keychain authorization prompt, requesting the user’s system password.

At the same time, the script downloads an encrypted second-stage payload from the command-and-control (C2) server trackpipe[.]dev. The payload is decrypted, written to a temporary file, and launched as a background process. The temporary file deletes itself after 60 seconds to hide traces of the infection.

Requesting Full Disk Access

If the script cannot access the Safari directory due to missing permissions, it displays an AppleScript dialog instructing the user to grant Full Disk Access (FDA) to Terminal. The prompt includes step-by-step instructions and a button that opens System Preferences.

Once granted, the malware gains access to sensitive data such as Apple Notes, iMessage history, Safari browsing history, and Mail data.

Capabilities of the Second-Stage Malware

The second-stage JavaScript payload contains roughly 11,700 lines of code and functions as a full-featured information stealer and RAT framework.

The malware can collect and steal data including:

  • macOS Keychain databases, including iCloud Keychain
  • Credentials, cookies, credit cards, and autofill data from Chromium-based browsers (Chrome, Edge, Brave, Opera, Vivaldi, Yandex, Comet)
  • Cryptocurrency wallet data and seed phrases
  • SSH keys
  • Developer and cloud credentials (AWS, Azure, Google Cloud, Kubernetes, Docker, GitHub)
  • AI agent configurations
  • Apple Notes, iMessage history, Safari history, and Mail configurations

Data Exfiltration and Persistence

After collecting the data, the malware compresses it into a tar.gz archive and exfiltrates it through multiple channels, including:

  • The attacker’s command-and-control server
  • Telegram Bot API
  • GoFile.io file hosting service

The malware then switches to a persistent daemon mode that polls the system clipboard every three seconds and automatically exfiltrates any clipboard content matching sensitive patterns, such as:

  • Cryptocurrency private keys
  • Bitcoin and Ethereum addresses
  • AWS keys
  • OpenAI API keys
  • RSA private keys

Advanced Remote Control Features

The RAT also allows attackers to:

  • Execute arbitrary shell commands
  • Open URLs in the victim’s browser
  • Download and run additional payloads
  • Upload files
  • Start or stop a SOCKS5 proxy
  • Monitor running processes
  • Scan iMessage conversations in real time
  • Clone browser profiles and launch them in headless mode
  • Self-destruct or update itself

One particularly dangerous feature is browser session cloning, which launches a headless Chromium instance using the victim’s existing browser profile. This allows attackers to access already authenticated sessions without needing login credentials.

Package Removed

Following disclosure, the malicious @openclaw-ai/openclawai package was removed from the npm registry on March 10, 2026.

Security experts warn that the attack highlights the growing risk of software supply chain attacks targeting developers, where malicious packages disguise themselves as legitimate tools to gain access to sensitive systems and data.
