A malware campaign targeting software developers has surfaced: a malicious npm package that poses as a legitimate developer utility while quietly stealing credentials, cryptocurrency wallets, SSH keys, browser sessions, and even iMessage history.
The package, published as @openclaw-ai/openclawai, masquerades as a command-line installer called “OpenClaw Installer” while running a heavily concealed infection chain entirely in the background.
Internally the malware identifies itself as GhostLoader; the broader campaign is tracked as GhostClaw.
It is aimed squarely at developers who use the npm ecosystem in their day-to-day work.
When the install command runs, a postinstall hook silently reinstalls the package globally, so its binary lands on the system PATH without raising suspicion.
That binary's entry point is setup.js, an obfuscated first-stage dropper that kicks off the full infection chain.
This shows how carefully the operators designed GhostClaw to blend in with ordinary development tooling from the first moment.
JFrog Security researchers discovered the package on March 8, 2026, while monitoring the npm registry for suspicious activity patterns.
Researcher Meitar Palas documented the full scope of the attack: its multi-stage payload structure, its social engineering, and a persistent remote-access framework that gives the attacker long-term, covert access to the compromised developer machine.
What makes GhostClaw especially concerning is the breadth of data it collects. From system passwords and macOS Keychain databases to cloud credentials stored in AWS, GCP, and Azure configuration files, it leaves almost nothing untouched.
It also scans desktop directories for BIP-39 cryptocurrency seed phrases, lifts saved passwords and credit card details from Chromium-based browsers, and grabs iMessage history whenever it manages to obtain Full Disk Access on macOS.
The attack is not limited to one platform. GhostClaw targets developers on macOS, Linux, and Windows, adapting its password-verification method to the operating system it lands on.
That cross-platform reach, combined with well-built evasion and persistence, makes it one of the most comprehensive developer-targeting threats seen on the npm registry recently.
Social Engineering at the Core
The most striking part of the GhostClaw infection chain is how it talks developers into handing over their system passwords.
After a developer runs the install command, the first-stage dropper, setup.js, displays a convincing fake CLI installer with animated progress bars and realistic-looking log output.
Once the progress display finishes, the script pops up a dialog styled to look like a native macOS Keychain authorization prompt, asking the user for their admin password to complete a “secure vault initialization.”
The attacker allows up to five password attempts and checks each one against the operating system's real authentication mechanism, so a wrong entry produces a failure message indistinguishable from the genuine one.
While the victim is busy with this dialog, the script fetches the second-stage payload from the attacker's command-and-control server at trackpipe[.]dev and decrypts it with AES-256-GCM, using a key delivered in the same server response. Because the key travels with the ciphertext, the encryption hides the payload from casual inspection and signature scanning, not from anyone who captures the response.
The decrypted payload, roughly 11,700 lines of JavaScript, is the complete GhostLoader framework. It installs itself in a hidden directory disguised as an npm telemetry service and quietly begins harvesting everything it can reach on the compromised system.
Developers who installed this package should delete the .npm_telemetry directory, inspect shell configuration files such as ~/.zshrc, ~/.bashrc, and ~/.bash_profile for injected hook entries, kill any running monitor.js processes, and fully uninstall the package.
Every credential that may have been exposed, including system passwords, SSH keys, API tokens for AWS, GCP, Azure, OpenAI, Stripe, and GitHub, and any cryptocurrency wallet seed phrases, must be rotated immediately.
Active browser sessions on Google, GitHub, and any other platforms should be revoked to block unauthorized access. Given how deeply the malware embeds itself, a full system re-image is strongly recommended.