Malicious npm Package GhostClaw Steals macOS Data via RAT

By alex2404

On March 3, 2026, a user named openclaw-ai uploaded a package to the npm registry. It had a clean name, a plausible purpose, and a working installation flow. By the time researchers found it, the package had been downloaded 178 times.

The package, @openclaw-ai/openclawai, presents itself as an installer for OpenClaw, an AI tool. It is not. According to the report, it deploys a remote access trojan, steals macOS credentials, and exfiltrates data through at least three separate channels. Security firm JFrog, which discovered it, is tracking the operation under the name GhostClaw. Internally, the malware calls itself GhostLoader.

The mechanism begins with a postinstall hook — a standard npm feature — that immediately reinstalls the package globally. This elevates it into a system-wide command accessible from anywhere on the machine. The entry point, setup.js, then launches a convincing fake command-line interface complete with animated progress bars, performing theater while the real work begins underneath.
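The lifecycle-hook abuse described above is detectable before the package ever runs: npm executes `preinstall`/`install`/`postinstall` scripts automatically, so a defender can audit a package's manifest for a hook that globally reinstalls the package or launches a script file. The following is an added example, not code from the report or from the package itself; the indicator patterns and the sample manifest are constructed for illustration, not taken from the malicious package.

```python
import json
import re

# Lifecycle hooks that npm runs automatically when the package is installed as a dependency.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed heuristic indicators (assumptions for this example, not signatures from the report).
INDICATORS = {
    # A hook that reinstalls its own package globally, as the article describes.
    "global-self-reinstall": re.compile(r"\bnpm\s+(?:i|install)\b[^&|;]*\s(?:-g|--global)\b"),
    # A hook that pulls something from the network during installation.
    "remote-fetch": re.compile(r"\b(?:curl|wget)\b"),
    # A hook that immediately executes a bundled JavaScript file.
    "runs-script-file": re.compile(r"\bnode\s+\S+\.js\b"),
}


def audit_lifecycle_scripts(package_json_text):
    """Return (hook, indicator, command) findings for every lifecycle script that trips a pattern."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts", {})
    findings = []
    for hook in LIFECYCLE_HOOKS:
        command = scripts.get(hook)
        if not command:
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(command):
                findings.append((hook, name, command))
    return findings


# Constructed sample manifest mirroring the described behaviour; NOT the real package's file.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-installer",
    "version": "1.0.0",
    "bin": {"example-installer": "setup.js"},
    "scripts": {
        "postinstall": "npm install -g example-installer && node setup.js",
        "test": "echo ok",
    },
})

if __name__ == "__main__":
    # Run the audit against the constructed manifest and print each finding.
    for hook, indicator, command in audit_lifecycle_scripts(SAMPLE_MANIFEST):
        print(f"[{indicator}] {hook}: {command}")
```

A clean manifest with only a `test` script produces no findings, which is the point: lifecycle hooks that reinstall or execute code are the anomaly worth reviewing in a dependency before it is allowed to install.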

The Password Prompt Is the Point

Once the fake installation sequence completes, the script produces a bogus iCloud Keychain authorization dialog and asks the user for their system password. At the same moment, it contacts the command-and-control server at trackpipe[.]dev to retrieve an encrypted second-stage JavaScript payload. That payload is decoded, written to a temporary file, and launched as a detached background process. The temp file is deleted after 60 seconds.

The second-stage payload runs to approximately 11,700 lines of code. It is, according to JFrog, a full-fledged information stealer and RAT framework. It handles persistence, browser decryption, clipboard monitoring, SOCKS5 proxy operation, and live browser session cloning.

That last capability is particularly consequential. The malware can launch a headless Chromium instance loaded with the victim’s existing browser profile — cookies, login sessions, history intact — giving an attacker a fully authenticated session without ever needing a password.

Nine Patterns, Three Exfiltration Channels

In persistent daemon mode, the malware monitors clipboard content every three seconds, scanning for nine pre-defined data patterns: private keys, WIF keys, SOL private keys, RSA private keys, BTC addresses, Ethereum addresses, AWS keys, OpenAI keys, and Strike keys. Any match is transmitted immediately.

Collected data is compressed into a tar.gz archive and sent through multiple routes simultaneously — directly to the C2 server, through the Telegram Bot API, and via GoFile.io. The malware also scans incoming iMessage chats in real time and can execute arbitrary shell commands, download additional payloads, upload files, open URLs in the victim’s browser, and self-destruct or update itself on instruction from the C2.

If the malware finds it cannot access Safari’s directory due to Full Disk Access restrictions, it generates an AppleScript dialog with step-by-step instructions urging the user to grant terminal access — including a button that opens System Preferences directly.

Researcher Meitar Palas of JFrog described the attack as notable for “its broad data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 infrastructure.” The package remained available for download at the time of the report.


This article is a curated summary based on third-party sources.
