Cybersecurity researchers have discovered a malicious NPM package that masquerades as an OpenClaw installer to deploy a Remote Access Trojan (RAT) and steal sensitive data from compromised hosts.
The package, named “@openclaw-ai/openclawai”, was uploaded to the registry on March 3, 2026 by a user named “openclaw-ai”. It has been downloaded 178 times so far. As of the time of writing, the library is still available for download.
JFrog, which discovered the package, said it is designed to steal system credentials, browser data, crypto wallets, SSH keys, Apple Keychain database and iMessage history, as well as install a persistent RAT with remote access capabilities, SOCKS5 proxy and live browser session cloning.
“The attack is notable for its extensive data collection, its use of social engineering to obtain the victim’s system passwords, and its persistence and the sophistication of its C2 [command-and-control] infrastructure,” said security researcher Mittar Palas. “Internally, the malware identifies itself as Ghostloader.”
The malicious logic is triggered via a postinstall hook, which reinstalls the package globally using the command: “npm i -g @openclaw-ai/openclawai.” Once installation is complete, the OpenClaw binary points to “scripts/setup.js” via the “bin” property in the “package.json” file.
It’s worth noting that the “bin” field is used to define executable files that should be added to the user’s PATH during package installation. This, in turn, turns the package into a globally accessible command-line tool.
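The two manifest features described above (an install-time lifecycle hook that re-installs the package globally, and a “bin” entry that turns an install-time script into a command on the user’s PATH) are both visible in a package’s package.json before anything is executed. The following is an added example, not code from the article or from JFrog, of a small pre-install audit that flags those traits. The manifests it inspects are constructed samples with placeholder package names; the pattern list is a heuristic starting point, not a complete detection of malicious packages.

```python
import json
import re

# Constructed sample package.json modelled on the behaviour described above:
# a postinstall hook that re-installs the package globally and a "bin" entry
# pointing at scripts/setup.js. The package name is a placeholder.
SAMPLE_MANIFEST = json.dumps({
    "name": "@example-scope/example-cli",
    "version": "1.0.0",
    "scripts": {
        "postinstall": "npm i -g @example-scope/example-cli",
        "test": "jest",
    },
    "bin": {"example-cli": "scripts/setup.js"},
})

# Constructed benign manifest for comparison.
BENIGN_MANIFEST = json.dumps({
    "name": "example-util",
    "version": "2.0.0",
    "scripts": {"test": "node test.js"},
    "bin": {"example-util": "bin/cli.js"},
})

# npm lifecycle scripts that run automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Command fragments inside install hooks that warrant a human look.
SCRIPT_PATTERNS = {
    "global_install": re.compile(r"\bnpm\s+(?:i|install)\b[^&|;]*\s(?:-g|--global)\b"),
    "remote_fetch": re.compile(r"\b(?:curl|wget)\b"),
    "inline_eval": re.compile(r"\bnode\s+-e\b"),
    "base64_decode": re.compile(r"\bbase64\s+(?:-d|--decode)\b"),
}


def audit_manifest(manifest_text):
    """Return a sorted list of finding labels for one package.json string."""
    pkg = json.loads(manifest_text)
    name = pkg.get("name", "")
    scripts = pkg.get("scripts") or {}
    findings = set()

    for hook in INSTALL_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        # Any install-time hook is worth recording: it runs code on every install.
        findings.add(f"install_hook:{hook}")
        for label, pat in SCRIPT_PATTERNS.items():
            if pat.search(cmd):
                findings.add(f"{label}:{hook}")
        # A hook that installs its own package globally is the self-propagation
        # trick described above; a legitimate package has no reason to do this.
        if name and re.search(r"\bnpm\s+(?:i|install)\b.*" + re.escape(name), cmd):
            findings.add(f"self_reinstall:{hook}")

    bins = pkg.get("bin") or {}
    if isinstance(bins, str):  # npm allows a single string when it equals the package name
        bins = {name: bins}
    for cmd_name, target in bins.items():
        # Heuristic: CLI entry points usually live under bin/, dist/ or lib/; a target
        # inside scripts/ (alongside install-time scripts) deserves a closer look.
        if target.replace("\\", "/").lstrip("./").startswith("scripts/"):
            findings.add(f"bin_in_scripts_dir:{cmd_name}")
    return sorted(findings)


if __name__ == "__main__":
    for label, text in (("sample", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, audit_manifest(text))
```

Running the audit over a lockfile’s worth of manifests (for example, every package.json under node_modules after `npm install --ignore-scripts`) surfaces packages that deserve review before their lifecycle scripts are ever allowed to run.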
The file “setup.js” serves as the first stage’s dropper, which when run displays a convincing fake command-line interface with animated progress bars, giving the impression that OpenClaw is being installed on the host. After the alleged installation step is completed, the script displays a fake iCloud Keychain authorization prompt, asking users to enter their system password.
Additionally, the script retrieves an encrypted second-stage JavaScript payload from the C2 server (“trackpipe[.]dev”), which is then decoded, written to a temporary file, and spawned as a separate child process to run in the background. The temporary file is deleted after 60 seconds to cover up traces of the activity.
“If the Safari directory is inaccessible (no full disk access), the script displays an AppleScript dialog urging the user to grant FDA to Terminal, with step-by-step instructions and a button that directly opens System Preferences,” JFrog explained. “This enables the second-stage payload to steal Apple Notes, iMessage, Safari history, and Mail data.”
The second stage of JavaScript, consisting of approximately 11,700 lines, is a full information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communications, a SOCKS5 proxy, and live browser cloning. It is also equipped to steal a wide range of data:
- macOS Keychain, including local login.keychain-db and all iCloud Keychain databases
- Credentials, cookies, credit card and autofill data from all Chromium-based browsers like Google Chrome, Microsoft Edge, Brave, Vivaldi, Opera, Yandex and Comet
- Data from desktop wallet applications and browser extensions
- Cryptocurrency wallet seed phrases
- SSH keys
- Developer and cloud credentials for AWS, Microsoft Azure, Google Cloud, Kubernetes, Docker, and GitHub
- Artificial intelligence (AI) agent configuration, and
- Data protected by FDA, including Apple Notes, iMessage history, Safari browsing history, Mail account configuration, and Apple account information
In the final step, the collected data is compressed into a tar.gz archive and exfiltrated through multiple channels, including the C2 servers, the Telegram bot API, and GoFile.io.
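Because the exfiltration channels named above are distinct and well known (the attacker’s own C2 domain, the Telegram Bot API, and GoFile.io), egress proxy logs are a practical place to catch this stage. The following is an added example, not code from the article or from JFrog, of a small detection pass over proxy log lines: each rule matches one channel, and a host is only flagged when a single process hits more than one rule, which is the combination a normal developer workstation does not produce. The log lines and hostnames are constructed samples; the C2 domain is the one reported in the article, and the Telegram and GoFile endpoints are those services’ public hosts.

```python
import re

# Constructed proxy log sample (not captured traffic). The log format itself is an
# assumption; adapt LINE_RE to your proxy's output.
SAMPLE_LOG = """\
2026-03-04T10:00:01Z host=dev-mac-01 proc=node dst=registry.npmjs.org:443 method=GET path=/@example-scope/example-cli
2026-03-04T10:00:07Z host=dev-mac-01 proc=node dst=trackpipe.dev:443 method=GET path=/stage2
2026-03-04T10:01:12Z host=dev-mac-01 proc=node dst=api.telegram.org:443 method=POST path=/botREDACTED/sendDocument
2026-03-04T10:01:30Z host=dev-mac-01 proc=node dst=store1.gofile.io:443 method=POST path=/uploadFile
2026-03-04T10:02:00Z host=dev-mac-02 proc=curl dst=api.github.com:443 method=GET path=/repos
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+) method=(?P<method>\S+) path=(?P<path>\S+)$"
)


def _is_domain(dst, domain):
    return dst == domain or dst.endswith("." + domain)


# Detection rules: rule name -> predicate over one parsed record.
RULES = {
    # Second-stage / C2 domain reported in the article.
    "c2_domain": lambda r: _is_domain(r["dst"], "trackpipe.dev"),
    # Telegram Bot API uploads: POST to api.telegram.org under /bot<token>/...
    "telegram_bot_api": lambda r: r["dst"] == "api.telegram.org"
    and r["method"] == "POST"
    and r["path"].startswith("/bot"),
    # GoFile.io uploads (the upload servers are subdomains of gofile.io).
    "gofile_upload": lambda r: _is_domain(r["dst"], "gofile.io") and r["method"] == "POST",
}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def detect_exfiltration(text):
    """Return {host: [(ts, rule, dst, proc), ...]} for every rule hit."""
    hits = {}
    for r in parse_log(text):
        for name, pred in RULES.items():
            if pred(r):
                hits.setdefault(r["host"], []).append((r["ts"], name, r["dst"], r["proc"]))
    return hits


def flag_hosts(text, min_rules=2):
    """(host, process) pairs where one process triggered at least `min_rules` distinct rules."""
    flagged = {}
    for host, events in detect_exfiltration(text).items():
        per_proc = {}
        for _ts, rule, _dst, proc in events:
            per_proc.setdefault(proc, set()).add(rule)
        for proc, rules in per_proc.items():
            if len(rules) >= min_rules:
                flagged[(host, proc)] = sorted(rules)
    return flagged


if __name__ == "__main__":
    for (host, proc), rules in flag_hosts(SAMPLE_LOG).items():
        print(f"{host} {proc}: {', '.join(rules)}")
```

The single-rule hits from detect_exfiltration are still worth keeping as lower-severity events: a lone POST to the Telegram Bot API from a node process on a developer machine is unusual on its own, and the C2 domain should be blocked outright rather than merely logged.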
Additionally, the malware enters a persistent daemon mode that allows it to monitor the clipboard contents every three seconds and transmit any data that matches one of nine pre-defined patterns corresponding to private key, WIF key, SOL private key, RSA private key, BTC address, Ethereum address, AWS key, OpenAI key, and Strike key.
Other features include monitoring running processes, scanning incoming iMessage chats in real-time, and executing commands sent from the C2 server to run arbitrary shell commands, open a URL on the victim’s default browser, download additional payloads, upload files, start/stop SOCKS5 proxies, list available browsers, clone a browser profile and launch it in headless mode, stop browser clones, self-destruct, and update itself.
The browser cloning function is particularly dangerous because it launches a headless Chromium instance with an existing browser profile that includes cookies, login, and history data. This gives the attacker a fully authenticated browser session without needing to access credentials.
“The @openclaw-ai/openclaw package combines social engineering, encrypted payload delivery, extensive data collection, and a persistent RAT into a single npm package,” JFrog said.
“The polished fake CLI installers and Keychain prompts are enough to extract system passwords from alert developers, and once captured, they unlock macOS Keychain decryption and browser credential extraction that would otherwise be blocked by OS-level security.”