Fake OpenClaw npm Package Found Delivering RAT and Data-Stealing Malware
Security researchers have uncovered a dangerous npm package posing as an installer for OpenClaw. Instead of installing legitimate software, the package secretly deploys malware designed to steal sensitive information and give attackers remote control of infected systems.
The malicious package, called @openclaw-ai/openclawai, was uploaded to the npm registry on March 3, 2026 by a user operating under the name “openclaw-ai.” According to reports, the package has already been downloaded 178 times and remains accessible on the registry.
Researchers at JFrog, who identified the threat, say the malware is capable of collecting a wide range of sensitive data. This includes system credentials, browser information, cryptocurrency wallet data, SSH keys, Apple Keychain files, and even iMessage conversations. The malware also installs a Remote Access Trojan (RAT) that enables attackers to maintain persistent access to compromised machines.
Security researcher Meitar Palas explained that the malware internally identifies itself as “GhostLoader.” He noted that the attack stands out due to its extensive data-collection abilities, the use of social engineering to trick victims into revealing their system passwords, and the complexity of its command-and-control infrastructure.
Malware Activated During Installation
The malicious code runs automatically through a postinstall script that executes when the package is installed. The script forces a global reinstallation using the command:
npm i -g @openclaw-ai/openclawai
During installation, the package uses the bin field in package.json to link the OpenClaw command to a file called scripts/setup.js. This mechanism allows the package to behave like a globally available command-line tool.
The setup.js file acts as the first stage of the infection. When executed, it displays a realistic command-line interface with animated progress indicators, making it appear as though OpenClaw is installing normally.
Once the fake installation process completes, the script shows a fraudulent iCloud Keychain authorization prompt, asking the user to enter their system password.

Second-Stage Payload Downloaded From Remote Server
While the fake installer is running, the script secretly downloads an encrypted second-stage payload from a remote command-and-control server located at:
trackpipe[.]dev
The payload is decoded and written to a temporary file before being launched as a detached background process. After roughly 60 seconds, the temporary file is deleted to reduce the chances of detection.
If the malware cannot access certain macOS directories due to permission restrictions, it attempts another social engineering trick. It displays an AppleScript dialog instructing the user to grant Full Disk Access (FDA) to the Terminal, complete with instructions and a shortcut that opens macOS System Preferences.
Granting these permissions allows the malware to access sensitive data such as:
- Apple Notes
- iMessage conversations
- Safari browsing history
- Mail account data
Full-Scale RAT and Information Stealer
The second stage of the malware contains nearly 11,700 lines of JavaScript code, forming a complete remote-control and data-stealing framework.
Key capabilities include:
- Persistent system access
- Command-and-control communication
- Browser data extraction
- SOCKS5 proxy functionality
- Live browser session cloning
The malware can steal large amounts of data from compromised systems, including:
- macOS Keychain databases and iCloud Keychain data
- Credentials, cookies, credit cards, and autofill data from Chromium browsers such as Chrome, Edge, Brave, Opera, and others
- Cryptocurrency wallet information and seed phrases
- SSH private keys
- Developer credentials for platforms like AWS, Azure, Google Cloud, Docker, Kubernetes, and GitHub
- AI agent configuration files
- Apple Notes, iMessage history, Safari browsing data, and Mail settings

Data Exfiltration and Clipboard Monitoring
After collecting data, the malware compresses it into a tar.gz archive and sends it to attackers using multiple channels. These include:
- The command-and-control server
- Telegram Bot API
- GoFile.io file hosting service
Once installed, the malware continues running in persistent daemon mode. In this state, it monitors the system clipboard every three seconds. If it detects certain patterns, such as cryptocurrency keys or cloud service credentials, it immediately transmits the information to the attacker.
The malware specifically looks for data patterns linked to:
- Private keys
- Bitcoin and Ethereum addresses
- AWS credentials
- OpenAI API keys
- Strike payment keys
Advanced Capabilities and Browser Session Hijacking
Beyond data theft, the malware can perform several remote actions, including:
- Monitoring running processes
- Scanning incoming iMessage chats in real time
- Executing shell commands
- Opening malicious URLs in the victim’s browser
- Downloading additional malware
- Uploading files from the infected system
- Starting or stopping a SOCKS5 proxy
- Updating or deleting itself
One of the most concerning features is browser cloning. The malware launches a headless Chromium browser using the victim’s existing browser profile, which contains saved cookies and session tokens. This allows attackers to access authenticated accounts without needing passwords.

Growing Threat to Developers
According to JFrog researchers, the attack combines several advanced techniques in a single npm package. The fake installer, password-harvesting prompts, encrypted payload delivery, and persistent RAT functionality make the attack especially dangerous.
The realistic command-line interface and fake macOS prompts can easily deceive even cautious developers, allowing attackers to capture system credentials and bypass operating system protections.