Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials

Published: March 9, 2026 at 02:31 PM EDT
5 min read

Source: The Hacker News

OpenClaw‑Masquerading npm Package Deploys a Remote Access Trojan


Cybersecurity researchers have discovered a malicious npm package that pretends to be an OpenClaw installer. The package drops a remote‑access trojan (RAT) and steals a wide range of sensitive data from compromised hosts.


Package details

  • Package name – @openclaw-ai/openclawai
  • Publisher – openclaw-ai
  • Published – 3 Mar 2026
  • Downloads (as of writing) – 178
  • Status – Still available on npm
  • Discovery – JFrog Security Research

The package is advertised as an OpenClaw client, but JFrog found that it is a full‑blown information stealer and RAT.

“The attack is notable for its broad data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 infrastructure,” said security researcher Meitar Palas. “Internally, the malware identifies itself as GhostLoader.” – JFrog blog post


How the malicious code is executed

  1. Post‑install hook – The postinstall script runs the command

    npm i -g @openclaw-ai/openclawai

    which reinstalls the package globally.

  2. bin field – The package.json defines a binary that points to scripts/setup.js.
    The bin field tells npm to create a globally accessible CLI command that is added to the user’s PATH.

  3. First‑stage dropper (setup.js) – When executed, it:

    • Shows a fake CLI with animated progress bars to mimic a legitimate OpenClaw installation.
    • Displays a bogus iCloud Keychain authorization prompt that asks the user for the system password.
    • Retrieves an encrypted second‑stage JavaScript payload from the C2 server trackpipe[.]dev.
    • Decodes the payload, writes it to a temporary file, spawns it as a detached child process, and deletes the temp file after 60 seconds.

  4. Full‑disk‑access (FDA) handling – If the Safari directory is inaccessible, the script shows an AppleScript dialog that guides the user to grant FDA to Terminal, opening System Preferences automatically.


Second‑stage payload

The second‑stage JavaScript file (~11,700 lines) is a complete information‑stealer and RAT framework. Its capabilities include:

  • Persistence – Installs a daemon that runs continuously.
  • Data collection – Steals credentials, cookies, credit‑card data, and autofill information from all Chromium‑based browsers (Chrome, Edge, Brave, Vivaldi, Opera, Yandex, Comet).
  • macOS secrets – Extracts local login.keychain-db, iCloud Keychain databases, Apple Notes, iMessage history, Safari history, Mail configurations, and Apple‑account information.
  • Cryptocurrency – Retrieves seed phrases and data from desktop wallet apps and browser extensions.
  • SSH keys – Harvests private SSH keys.
  • Cloud credentials – AWS, Azure, Google Cloud, Kubernetes, Docker, GitHub tokens.
  • AI agent configs – Captures configuration files for AI tools.
  • Clipboard monitoring – Every 3 seconds the daemon scans the clipboard and exfiltrates any string that matches one of nine patterns (WIF key, SOL private key, RSA private key, BTC address, Ethereum address, AWS key, OpenAI key, Strike key, generic private key).

Data exfiltration

  • The collected data is compressed into a tar.gz archive.

  • Exfiltration channels:

    1. Direct HTTP request to the C2 server.
    2. Telegram Bot API.
    3. GoFile.io file‑hosting service.

Additional features

  • Real‑time monitoring of running processes.
  • Scanning of incoming iMessage chats.
  • Remote command execution (run arbitrary shell commands, open URLs, download additional payloads, etc.).



Summary

  • A malicious npm package (@openclaw-ai/openclawai) pretends to be an OpenClaw client.
  • It uses a post‑install hook and the bin field to execute a dropper that tricks users into revealing their system password.
  • The dropper fetches an encrypted second‑stage payload that installs a persistent, multi‑function RAT capable of stealing macOS Keychain, browser data, crypto wallets, cloud credentials, AI configs, and FDA‑protected Apple data.
  • Exfiltration occurs via HTTP, Telegram, and GoFile.io, while the daemon continuously monitors the clipboard for private keys and other secrets.

Mitigation recommendations

  1. Never install unknown npm packages globally (npm i -g …).
  2. Audit postinstall scripts and the bin field of any package before installation.
  3. Enable npm’s audit and package‑lock verification to detect tampered packages.
  4. Restrict Full Disk Access to only trusted applications.
  5. Monitor for unexpected binaries in $PATH and for unknown launch daemons on macOS.
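The install‑time mechanics in steps 1–2 above and mitigation 2 can be checked before a package is ever installed. The following Python audit script is an added example, not code from JFrog or the article: it parses a package.json, reports every lifecycle hook npm would run during install, flags global‑install and self‑reinstall patterns, and lists bin entries that a global install would place on PATH. The sample manifest is constructed to mirror the behaviour described above.

```python
import json
import re
import sys

# Lifecycle scripts npm runs automatically during install. The package described
# above abused "postinstall" to run "npm i -g <itself>".
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Constructed package.json modelled on the article's description: a
# self-reinstalling postinstall hook and a bin entry pointing at scripts/setup.js.
SAMPLE_PACKAGE_JSON = """{
  "name": "@openclaw-ai/openclawai",
  "version": "1.0.0",
  "scripts": {"postinstall": "npm i -g @openclaw-ai/openclawai"},
  "bin": {"openclaw": "scripts/setup.js"}
}"""


def audit_package_json(text):
    """Return a list of human-readable findings for one package.json document."""
    pkg = json.loads(text)
    name = pkg.get("name", "")
    findings = []

    for hook, cmd in pkg.get("scripts", {}).items():
        if hook not in INSTALL_HOOKS:
            continue
        findings.append(f"lifecycle hook '{hook}' runs: {cmd}")
        if re.search(r"\s-g\b|--global\b", cmd):
            findings.append(f"{hook} performs a global install")
        if name and name in cmd:
            findings.append(f"{hook} reinstalls the package itself ({name})")
        if re.search(r"\b(curl|wget|node\s+-e|sh\s+-c|bash\s+-c)\b", cmd):
            findings.append(f"{hook} fetches or evaluates code at install time")

    # "bin" may be a string (single command named after the package) or a map.
    bin_field = pkg.get("bin")
    if isinstance(bin_field, str):
        bin_field = {name.split("/")[-1]: bin_field}
    for cli, target in (bin_field or {}).items():
        findings.append(f"bin '{cli}' -> {target} (placed on PATH by a global install)")
    return findings


if __name__ == "__main__":
    # Usage: python audit_pkg.py path/to/package.json (defaults to the sample)
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PACKAGE_JSON
    for line in audit_package_json(source):
        print("!", line)
```

Run it against the package.json extracted from `npm pack <name>` before installing; installing with `npm install --ignore-scripts` additionally prevents lifecycle hooks from running at all.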

Stay vigilant and keep your development environment and production systems locked down against supply‑chain attacks like this one.

Overview

Beyond data theft, the RAT's remote‑command interface can:

  • Upload files
  • Start/stop a SOCKS5 proxy
  • List available browsers
  • Clone a browser profile and launch it in headless mode
  • Stop the browser clone
  • Self‑destruct
  • Update itself

Dangerous Browser‑Cloning Function

The cloning feature is especially risky because it launches a headless Chromium instance using an existing browser profile that contains cookies, login sessions, and browsing history. This gives an attacker a fully authenticated browser session without needing the user’s credentials.


Package Details

“The @openclaw-ai/openclawai package combines social engineering, encrypted payload delivery, broad data collection, and a persistent RAT into a single npm package,” JFrog said.

“The polished fake CLI installer and Keychain prompt are convincing enough to extract system passwords from cautious developers, and once captured, those credentials unlock macOS Keychain decryption and browser credential extraction that would otherwise be blocked by OS‑level protections.”
