Malicious npm Package Poses as Legitimate Tool to Target Developers

Cybersecurity experts have identified a malicious npm package, "@openclaw-ai/openclawai," that masquerades as an OpenClaw installer but actually installs a remote access tool (RAT) to steal sensitive information. Discovered by JFrog, the package was uploaded on March 3, 2026, and has been downloaded 178 times. It targets login credentials, browser data, crypto wallets, SSH keys, Apple Keychain files, and iMessage history, while also installing a RAT and a SOCKS5 proxy and enabling live browser session hijacking; the combined toolkit is termed GhostClaw.

The attack begins with a postinstall hook that globally reinstalls the package and presents a fake command-line interface to trick users into entering their system password. Concurrently, it downloads and executes an encrypted secondary program from a control server; the downloaded file is then deleted to conceal its presence. This secondary program, approximately 11,700 lines long, is a comprehensive tool for data theft and remote access, capable of persistent operation, data collection, browser decryption, and communication with its control server.

The malware compresses stolen data into a tar.gz file and transmits it via various channels, including a control server, Telegram Bot API, and GoFile.io. It also monitors the clipboard for sensitive data patterns and can execute commands from the control server, such as running shell commands, opening URLs, downloading additional programs, and managing a SOCKS5 proxy. Notably, it can clone browser sessions, providing attackers with authenticated access without needing login credentials.

JFrog highlighted the package's use of social engineering, encrypted program delivery, extensive data collection, and a persistent RAT, emphasizing how effective its fake CLI installer and Keychain prompt are at extracting system passwords even from cautious developers. The package was removed from the npm registry on March 10, 2026.

Stay secure — stay Wavasec. 🔐