https://research.jfrog.com/post/ghostclaw-unmasked

Cybersecurity researchers have identified a malicious npm package masquerading as an OpenClaw installer that deploys a remote access trojan and exfiltrates sensitive data from compromised systems. The package, named @openclaw-ai/openclawai, was uploaded to the npm registry on March 3, 2026 by a user account “openclaw-ai” and had been downloaded 178 times before being removed from the registry on March 10, 2026. JFrog Security Research, which discovered the threat and tracks it internally as GhostClaw, reports that the malware runs from a postinstall hook that globally reinstalls the package with the command “npm i -g @openclaw-ai/openclawai”, so that the globally installed OpenClaw binary points to a heavily obfuscated first-stage dropper script. When executed, the dropper displays a convincing fake command-line interface with animated progress bars and realistic installation messages, culminating in a fraudulent iCloud Keychain authorization prompt that socially engineers users into surrendering their system passwords, allowing up to five authentication attempts.

While the fake installation interface distracts victims, the malware simultaneously retrieves an encrypted second-stage JavaScript payload from the command-and-control server at trackpipe[.]dev, decrypts it, writes it to a temporary file that is deleted after 60 seconds, and spawns it as a detached background process to evade detection. The 11,700-line second-stage payload is a comprehensive information stealer and remote access trojan framework. It harvests macOS Keychain databases, including local and iCloud credentials; decrypts browser data from all Chromium-based browsers and Firefox, using the captured system password to unlock Chrome’s Safe Storage encryption; collects cryptocurrency wallet credentials from desktop applications and browser extensions; scans documents in the Desktop and Downloads folders for BIP-39 mnemonic seed phrases; and gathers SSH private keys and cloud provider credentials for AWS, Azure, Google Cloud, Kubernetes, Docker, and GitHub. On macOS systems where users grant Full Disk Access through additional social engineering dialogs that open System Preferences directly, the malware also extracts Apple Notes databases (parsed into plaintext), iMessage chat history, Safari browsing records, Mail account configurations, and Apple account information.

The data theft operation compresses all stolen information into a tar.gz archive and exfiltrates it through multiple redundant channels: direct HTTP upload to the C2 panel, the Telegram Bot API for files under 49MB, and GoFile.io for larger archives, with password protection applied via API. After establishing persistence by installing itself into a hidden .npm_telemetry directory with shell hooks and cron jobs disguised as legitimate npm telemetry services, the malware enters a persistent daemon mode that monitors the clipboard every three seconds for cryptocurrency private keys, wallet addresses, and API tokens; executes arbitrary shell commands with an 85-second timeout; provides SOCKS5 proxy functionality; and clones browser sessions by copying complete browser profiles and launching headless Chromium instances with Chrome DevTools Protocol access relayed to the attackers. The attack demonstrates how polished social engineering combined with encrypted payload delivery and operating system-level credential theft can bypass macOS security protections. Developers should treat any npm package that requests system credentials, uses postinstall scripts to install itself globally, or fetches remote payloads during installation as highly suspicious, and should install OpenClaw only from verified official sources.