A malicious npm package is targeting developers by posing as a legitimate command-line tool while secretly deploying an infostealer and a remote access trojan (RAT).
The package, @openclaw-ai/openclawai, masquerades as an OpenClaw Installer utility but instead initiates a multi-stage malware operation.
Once executed, it attempts to steal credentials, cryptocurrency wallets, SSH keys, browser data, and developer tokens.
“The attack is notable for its broad data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 infrastructure,” said JFrog researchers.
Breaking Down the GhostClaw Attack Chain
The malicious package was carefully designed to resemble a legitimate developer utility.
Its package.json configuration appears normal, and the exposed source code includes harmless functions meant to reassure anyone casually reviewing the package.
Malicious code is embedded in installation scripts that execute automatically during setup, allowing attackers to establish a foothold without raising immediate suspicion.
During installation, a postinstall script silently reinstalls the package globally on the victim’s system, ensuring the malicious binary is added to the system’s PATH.
Fake Installer and Credential Phishing Stage
When the user later runs the openclaw command, the system launches an obfuscated setup script that acts as the first stage of the malware.
The script displays a convincing fake command-line installer interface, complete with animated progress bars, loading spinners, and system log messages intended to mimic legitimate software installation output.
Once the fake installation appears to finish, the program presents a fraudulent Keychain authorization prompt requesting the user’s system password, claiming that administrator privileges are required to securely initialize the tool.
Unlike typical phishing prompts, the malware validates password attempts using the operating system’s real authentication mechanisms.
This allows the prompt to behave like a genuine system request, making the deception more convincing.
While the victim attempts to authenticate, the script simultaneously retrieves an encrypted second-stage payload from attacker-controlled infrastructure.
The payload is delivered through an encrypted request and decrypted locally using AES-256-GCM.
Once decrypted, the code is written to a temporary file and executed as a background process, allowing the malware to run while the installation appears to complete normally.
GhostLoader Installs Persistence
The second stage of the attack — internally referred to as GhostLoader — is a large JavaScript bundle that functions as both an information stealer and a persistent RAT.
After execution, the malware installs itself into a hidden directory designed to resemble a legitimate npm telemetry service, helping it blend into normal developer system activity.
To maintain persistence, the malware modifies shell configuration files such as .zshrc, .bashrc, and related profiles.
These modifications ensure that the malware automatically launches whenever a new terminal session is opened. On Linux systems, the malware may also create cron jobs to guarantee it runs again after system reboots.
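The persistence described above leaves a trace a defender can look for: a startup-file or crontab line that launches an interpreter against a file inside a hidden home directory. The following is an added example, not code from the JFrog report or the malware; it is a heuristic, and the file contents and the `.example-telemetry` directory name are constructed placeholders.

```javascript
// Added example (not from the original article). Heuristic only: the article
// gives no file names, so every path below is a constructed placeholder.
const HIDDEN_PATH = /(?:~|\$HOME|\$\{HOME\}|\/(?:home|Users)\/[^\/\s]+)\/\.[\w.-]+\/\S+/;
// An interpreter used as a command word (bare or with a path prefix).
const LAUNCHER = /(?:^|[\s;&|(\/])(?:node|sh|bash|python3?)\s/;
// Detached with nohup/setsid, or backgrounded with a single trailing `&`.
const DETACHED = /(?:^|[\s;&|(\/])(?:nohup|setsid)\s|[^&]&\s*(?:disown\s*)?$/;

function scanStartupFile(file, content) {
  const findings = [];
  content.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (!line || line.startsWith("#")) return;   // blank lines and comments
    if (!HIDDEN_PATH.test(line)) return;         // no hidden-directory target
    const launches = LAUNCHER.test(line);
    const detached = DETACHED.test(line);
    // PATH exports and `. ~/.nvm/nvm.sh` style sourcing are not launches.
    if (!launches && !detached) return;
    findings.push({ file, line: i + 1, detached, text: line });
  });
  return findings;
}

// Constructed sample inputs.
const sampleZshrc = [
  'export PATH="$HOME/.cargo/bin:$PATH"',
  '[ -s "$HOME/.nvm/nvm.sh" ] && . "$HOME/.nvm/nvm.sh"',
  '# added by example-telemetry',
  '(nohup node "$HOME/.example-telemetry/agent.js" >/dev/null 2>&1 &)',
].join("\n");
const sampleCrontab = "@reboot /usr/bin/node /home/dev/.example-telemetry/agent.js";

console.log(scanStartupFile(".zshrc", sampleZshrc));
console.log(scanStartupFile("crontab", sampleCrontab));
```

Run it against `.zshrc`, `.bashrc`, profile files and `crontab -l` output, and compare hits with a known-good baseline, since legitimate tools also add startup lines.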
Malware Steals Developer Credentials and Sensitive Data
During its first execution, the malware collects a wide range of sensitive information commonly stored on developer systems.
This includes macOS Keychain and iCloud keychains, browser credentials and stored payment data, cryptocurrency wallets and recovery seed phrases, SSH private keys, cloud provider credentials for AWS, Azure, and GCP, and developer tokens such as GitHub CLI credentials and npm configuration files.
If the user grants macOS Full Disk Access, the malware expands its collection capabilities even further. In those cases, it can harvest Apple Notes, iMessage chat history, Safari browsing data, and Apple Mail account configuration information.
Once collected, the stolen data is compressed into an archive and exfiltrated to attacker infrastructure through multiple channels.
These include direct uploads to C2 servers as well as secondary channels such as Telegram bots and cloud file-sharing platforms, providing redundancy if one exfiltration path fails.
Persistent Access and Browser Session Hijacking
After completing the initial data theft phase, the malware transitions into a persistent monitoring mode.
The infected system periodically communicates with the attacker’s C2 server to receive instructions and maintain ongoing access.
From there, attackers can execute arbitrary shell commands, retrieve files from the system, deploy updated malware payloads, or enable a SOCKS5 proxy that allows the compromised machine to be used as a relay for additional network activity.
One notable capability is browser session cloning.
The malware copies a victim’s browser profile and launches a headless browser connected to the attacker through the Chrome DevTools Protocol, giving the attacker an authenticated session that allows them to access websites and services as the victim.
Because the sessions reuse existing authentication tokens and cookies, attackers can often access accounts without needing passwords or bypassing multifactor authentication (MFA).
How to Reduce Risk From Malicious Dependencies
The following measures can help organizations reduce the risk of malicious dependencies compromising development systems and exposing sensitive credentials.
- Verify package authenticity before installing new dependencies, especially those with names similar to legitimate projects, and install packages from verified publishers or trusted internal registries.
- Use DevSecOps tools, including dependency scanning and SCA, to detect malicious packages, suspicious install behaviors, and vulnerable dependencies before they reach development pipelines.
- Restrict or disable npm postinstall scripts and global package installations where possible to prevent packages from executing hidden installation logic or placing malicious binaries on the system PATH.
- Monitor developer endpoints for suspicious activity such as unexpected Node.js processes, detached child processes, unusual network connections, or unauthorized modifications to shell configuration files.
- Enforce strong authentication and secure storage practices, and rotate system passwords, SSH keys, API tokens, and cloud credentials immediately if exposure is suspected.
- Implement network monitoring and egress controls to detect or block unusual outbound connections, large data exfiltration attempts, or communications with suspicious infrastructure such as Telegram APIs or unknown domains.
- Regularly test incident response plans through tabletop exercises around software supply chain compromise scenarios.
Collectively, these measures help organizations strengthen resilience against supply chain threats while limiting the potential blast radius if a malicious dependency is introduced into development environments.
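The install-stage behavior described earlier (a postinstall hook that reinstalls the package globally) and the recommendation to restrict install scripts can be turned into a pre-install review check. The following is an added example, not code from the article or from JFrog; the package names and file contents are constructed, and `auditPackage` is a hypothetical helper.

```javascript
// Added example (not from the original article): flag npm packages whose
// install-time hooks perform a global install. Sample data is constructed.
const HOOKS = ["preinstall", "install", "postinstall"];
// `npm install -g ...` / `npm i --global ...` in a hook command or its source file.
const GLOBAL_INSTALL = /\bnpm\s+(?:install|i|add)\b[^;&|\n]*?\s(?:-g|--global)(?=[\s"'`]|$)/;

function auditPackage(manifest, files = {}) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    findings.push({ level: "review", hook, detail: `runs on install: ${cmd}` });
    // Also inspect the source of any packaged file the hook command refers to.
    const sources = Object.keys(files).filter((p) => cmd.includes(p)).map((p) => files[p]);
    if (GLOBAL_INSTALL.test([cmd, ...sources].join("\n"))) {
      findings.push({ level: "high", hook, detail: "install hook performs a global npm install" });
    }
  }
  // Commands the package would expose on PATH once installed globally.
  const bins = typeof manifest.bin === "string"
    ? [manifest.name.split("/").pop()]
    : Object.keys(manifest.bin || {});
  if (bins.length && findings.some((f) => f.level === "high")) {
    findings.push({ level: "high", hook: "bin", detail: `would place on PATH: ${bins.join(", ")}` });
  }
  return findings;
}

// Constructed manifests; names are placeholders, not real packages.
const suspicious = {
  name: "@example/fake-installer",
  bin: { fakecli: "bin/cli.js" },
  scripts: { postinstall: "node scripts/setup.js" },
};
const suspiciousFiles = {
  "scripts/setup.js": 'require("child_process").execSync("npm i -g @example/fake-installer");',
};
const benign = { name: "example-lib", scripts: { test: "node test.js", build: "tsc" } };

console.log(auditPackage(suspicious, suspiciousFiles));
console.log(auditPackage(benign));
```

Feed it the manifest and files from an unpacked tarball (`npm pack <name>` downloads one without running its scripts), and install with `npm install --ignore-scripts` until the hooks have been reviewed.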
Rising Risk in Open-Source Dependencies
The GhostClaw campaign highlights a growing trend in which attackers target developer ecosystems and open-source package registries as entry points into enterprise environments.
By disguising malware as legitimate development tools, these threats can evade traditional security checks and access sensitive credentials, cloud resources, and internal systems.
This trend underscores the broader importance of software supply chain security, as organizations work to protect development pipelines and dependencies from malicious code.
