Fyself News

Malicious npm package disguised as OpenClaw installer deploys RAT and steals macOS credentials

By user, March 9, 2026

Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts.

The package, named ‘@openclaw-ai/openclawai’, was uploaded to the registry on March 3, 2026 by a user named ‘openclaw-ai’. It has been downloaded 178 times so far and was still available for download at the time of writing.

JFrog, which discovered the package, said it is designed to steal system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, as well as to install a persistent RAT with remote access capabilities, SOCKS5 proxying, and live browser session cloning.

“This attack is notable for its extensive data collection, use of social engineering to collect victims’ system passwords, and its persistence and C2 [command-and-control] sophistication. Internally, the malware identifies itself as GhostLoader,” security researcher Meital Paras said.

The malicious logic is triggered by a post-installation hook that reinstalls the package globally with the command ‘npm i -g @openclaw-ai/openclawai’. Once installed, the “bin” property of the package’s “package.json” file maps the OpenClaw command to “scripts/setup.js”.

Note that the “bin” field defines executable files that npm links into the user’s PATH during package installation. This turns the package into a globally accessible command-line tool.

The file ‘setup.js’ acts as a first-stage dropper. When executed, it displays a convincing fake command-line interface with an animated progress bar, giving the impression that OpenClaw is being installed on the host. Once the fake installation step completes, the script displays a fake iCloud Keychain authentication prompt and asks the user to enter their system password.

At the same time, the script retrieves an encrypted second-stage JavaScript payload from the C2 server (“trackpipe[.]dev”). The payload is decoded, written to a temporary file, and spawned as a detached child process that continues to run in the background. The temporary file is deleted after 60 seconds to hide any trace of the activity.

“If the Safari directory is not accessible (no full disk access), the script displays an AppleScript dialog that prompts the user to authorize FDA in Terminal. This dialog includes step-by-step instructions and a button that opens System Preferences directly,” JFrog explained. “This allows the second stage payload to steal Apple Notes, iMessages, Safari history, and email data.”

Featuring approximately 11,700 lines of JavaScript, the second stage is a full-fledged information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, SOCKS5 proxying, and live browser cloning. It also has the ability to steal a wide range of data:

  • macOS keychain, including both the local login.keychain-db and all iCloud keychain databases
  • Credentials, cookies, credit cards, and autofill data from all Chromium-based browsers, including Google Chrome, Microsoft Edge, Brave, Vivaldi, Opera, Yandex, and Comet
  • Data from desktop wallet applications and browser extensions
  • Seed phrases for cryptocurrency wallets
  • SSH keys
  • AWS, Microsoft Azure, and Google Cloud credentials
  • Developer and cloud credentials for Kubernetes, Docker, and GitHub
  • Artificial intelligence (AI) agent configuration
  • Data protected by FDA, such as Apple Notes, iMessage history, Safari browsing history, email account configuration, and Apple account information

In the final stage, the collected data is compressed into a tar.gz archive and exfiltrated through multiple channels, including C2 servers, the Telegram Bot API, and direct submission to GoFile.io.

In addition, the malware enters a persistent daemon mode, monitors the contents of the clipboard every three seconds, and sends any data matching one of nine predefined patterns corresponding to private keys, WIF keys, SOL private keys, RSA private keys, BTC addresses, Ethereum addresses, AWS keys, OpenAI keys, and Strike keys.

Other features include monitoring running processes, real-time scanning of incoming iMessage chats, executing arbitrary shell commands sent by the C2 server, opening URLs in the victim’s default browser, downloading additional payloads, uploading files, starting and stopping SOCKS5 proxies, listing available browsers, cloning browser profiles and starting them in headless mode, stopping browser cloning, self-destructing, and updating the browser itself.

The browser cloning feature is particularly dangerous because it launches a headless Chromium instance using the victim’s existing browser profile, including cookies, logins, and history. This gives an attacker a fully authenticated browser session without ever needing the victim’s credentials.

“The @openclaw-ai/openclawai package combines social engineering, encrypted payload delivery, extensive data collection, and persistent RAT into a single npm package,” JFrog said.

“Sophisticated fake CLI installers and keychain prompts are convincing enough to extract system passwords from wary developers. Additionally, once obtained, these credentials unlock macOS keychain decryption and browser credential extraction that would have been blocked by OS-level protections.”
