GhostClaw Mimic as OpenClaw to Steal Everything from Developers

A dangerous malware campaign targeting software developers has surfaced, with a rogue npm package posing as a trusted developer tool to silently drain credentials, crypto wallets, SSH keys, browser sessions, and even iMessage conversations.

The package, published under the name @openclaw-ai/openclawai, disguises itself as a legitimate command-line installer called “OpenClaw Installer” while deploying a deeply hidden infection chain operating entirely in the background.

Internally, the malware identifies itself as GhostLoader, though the broader campaign is tracked under the name GhostClaw.

The malware specifically targets developers who rely on the npm ecosystem as part of their daily workflows.

Once a developer runs the install command, the package quietly re-installs itself globally through a postinstall hook, ensuring the malicious binary lands on the system PATH without drawing any attention.

From that point, the binary points to setup.js, the obfuscated first-stage dropper that kicks off the full infection chain.

This level of deception shows how carefully the attackers engineered GhostClaw to blend in with ordinary development tooling from the very first step.
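The persistence trick described above, a lifecycle hook that reinstalls the package globally so its binary lands on PATH, can be audited before or after an install. The following script is an added example and is not code from the article, from JFrog, or from the package itself: it lists every package.json under a directory tree that declares a postinstall script and flags any hook that performs a global npm install. The function name and the "npm install -g" pattern it looks for are this example's own assumptions about what such a hook looks like.

```shell
#!/bin/sh
# Added example (not from the article or from JFrog): find package.json files
# under a tree that declare a postinstall hook, and flag hooks that run a global
# npm install. The regex below is an assumption about the shape of such a hook.

# Print "<file>:<postinstall line>" for every package.json with a postinstall
# script under $1. Returns 1 if any hook performs a global install, 0 otherwise.
npm_audit_postinstall() {
  root="$1"
  # grep -H forces the filename prefix even when only one file is examined;
  # "|| true" keeps a no-match exit status from aborting a "set -e" shell.
  hits=$(find "$root" -name package.json -type f \
           -exec grep -H -m1 '"postinstall"' {} + 2>/dev/null || true)
  if [ -z "$hits" ]; then
    echo "no postinstall hooks under $root"
    return 0
  fi
  echo "$hits"
  # A postinstall hook that re-runs npm with -g/--global is the pattern the
  # article describes: the package re-installs itself onto the system PATH.
  if echo "$hits" | grep -E -q 'npm +(install|i) +(-g|--global)'; then
    echo "FLAG: a postinstall hook performs a global install"
    return 1
  fi
  return 0
}

# Stand-alone use: audit ./node_modules (or NPM_AUDIT_ROOT if set).
npm_audit_postinstall "${NPM_AUDIT_ROOT:-./node_modules}" \
  || echo "review the flagged package before trusting it"
```

Run it against a freshly extracted tarball (`npm pack` then untar) before installing, or against an existing node_modules tree; a postinstall hook is not malicious by itself, but one that invokes a global install from inside a dependency deserves a manual look.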

JFrog Security researchers identified this malicious npm package on March 8, 2026, while actively monitoring the npm registry for suspicious behavior patterns.

Researcher Meitar Palas documented the full scope of the attack, covering its multi-stage payload architecture, social engineering mechanisms, and a persistent remote access framework capable of giving the attacker long-term, undetected access to the compromised developer machine.

What makes GhostClaw especially alarming is the sheer range of data it collects. From system passwords and macOS Keychain databases to cloud credentials stored in AWS, GCP, and Azure configuration files, the malware leaves virtually nothing untouched.

It also scans desktop folders for BIP-39 cryptocurrency seed phrases, captures all browser-saved passwords and credit cards across multiple Chromium-based browsers, and grabs iMessage history when it can obtain Full Disk Access on macOS.

The attack does not limit itself to a single platform. GhostClaw targets macOS, Linux, and Windows developers alike, adapting its credential validation method to match whichever operating system it lands on.

This cross-platform reach, combined with well-designed evasion and persistence techniques, makes it one of the more complete and dangerous developer-targeting threats seen on the npm registry in recent years.

Social Engineering at the Core

The most striking part of the GhostClaw infection chain is how it tricks developers into willingly handing over their system passwords.

OpenClaw installer (Source – JFrog)

After a developer runs the install command, the first-stage dropper, setup.js, presents a convincing fake CLI installer complete with animated progress bars and realistic system log output.

Once the progress display finishes, the script immediately shows a dialog designed to look exactly like a native macOS Keychain authorization prompt, asking the user to enter their administrator password to complete a “secure vault initialization.”

GhostLoader (Source – JFrog)

The attacker allows up to five password attempts, validating each one against the real operating system’s authentication mechanism so that an incorrect entry produces an authentic-looking failure message.

While the victim interacts with this dialog, the script simultaneously fetches the second-stage payload from the attacker’s command-and-control server at trackpipe[.]dev and decrypts it with AES-256-GCM using a key delivered in the same server response; because the key travels alongside the ciphertext, the encryption serves only to hide the payload from static scanning of the package, not to protect it from an analyst who captures the exchange.

The fully decrypted payload, roughly 11,700 lines of JavaScript, forms the complete GhostLoader framework, which then installs itself into a hidden directory disguised as a routine npm telemetry service and quietly begins harvesting everything it can reach on the compromised machine.

Developers who installed this package should remove the .npm_telemetry directory, check shell configuration files such as ~/.zshrc, ~/.bashrc, and ~/.bash_profile for injected hook lines, terminate any running monitor.js processes, and fully uninstall the package.

All credentials, including system passwords, SSH keys, API tokens for AWS, GCP, Azure, OpenAI, Stripe, and GitHub, and any exposed crypto wallet seed phrases, must be rotated immediately.

Active browser sessions on Google, GitHub, and any other platform should be revoked to prevent unauthorized access. Given the depth at which this malware embeds itself, a complete system re-image is strongly recommended.
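The remediation checklist above (the hidden .npm_telemetry directory, injected lines in ~/.zshrc, ~/.bashrc and ~/.bash_profile, running monitor.js processes, and the global install of @openclaw-ai/openclawai) can be turned into a read-only audit. The script below is an added example and is not code from the article or from JFrog; the artifact names are taken from the article, while the function names, the set of rc files checked, and the way findings are reported are this example's own assumptions. It only reports; removal, credential rotation and re-imaging remain manual steps.

```shell
#!/bin/sh
# Added example (not from the article or from JFrog): a read-only audit for the
# GhostClaw persistence artifacts the article names. Names marked "from the
# article" are quoted from it; everything else is this example's assumption.

GC_DIR_NAME=".npm_telemetry"        # hidden install directory (from the article)
GC_PROC="monitor.js"                # persistent process name (from the article)
GC_PKG="@openclaw-ai/openclawai"    # malicious package name (from the article)

# Audit one home directory ($1). Prints each finding. Returns 0 when nothing
# suspicious is present and 1 when at least one artifact was found.
ghostclaw_audit_home() {
  home="$1"
  found=0
  if [ -d "$home/$GC_DIR_NAME" ]; then
    echo "FOUND hidden directory: $home/$GC_DIR_NAME"
    found=1
  fi
  for rc in .zshrc .bashrc .bash_profile; do
    f="$home/$rc"
    [ -f "$f" ] || continue
    # Fixed-string search: any line mentioning the directory or the script is
    # a candidate injected hook and is printed with its line number.
    if grep -n -F -e "$GC_DIR_NAME" -e "$GC_PROC" "$f"; then
      echo "FOUND hook line(s) in $f (listed above)"
      found=1
    fi
  done
  return $found
}

# Look for the monitor script in the process table. Returns 0 when none is
# running (or when ps is unavailable), 1 when a matching process is listed.
ghostclaw_check_processes() {
  if ps -eo args 2>/dev/null | grep -v grep | grep -F "$GC_PROC"; then
    echo "FOUND running $GC_PROC process (listed above)"
    return 1
  fi
  return 0
}

# Look for the package in npm's global tree. Returns 0 when it is absent or
# npm is not installed, 1 when the package is installed globally.
ghostclaw_check_global_npm() {
  command -v npm >/dev/null 2>&1 || return 0
  if npm ls -g --depth=0 2>/dev/null | grep -F "$GC_PKG"; then
    echo "FOUND globally installed $GC_PKG"
    return 1
  fi
  return 0
}

# Stand-alone use: audit the invoking user's home (or GC_HOME if set).
rc=0
ghostclaw_audit_home "${GC_HOME:-$HOME}" || rc=1
ghostclaw_check_processes || rc=1
ghostclaw_check_global_npm || rc=1
if [ "$rc" -eq 0 ]; then
  echo "no GhostClaw artifacts found"
else
  echo "artifacts found: follow the remediation steps and rotate credentials"
fi
```

Run it once per user account on the machine (set GC_HOME to each home directory), since the hook lines and hidden directory live under the home of whoever ran the install. A clean result from this script is not proof of a clean system: the article recommends a full re-image after a confirmed install, and this check only covers the artifacts it names.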

The post GhostClaw Mimic as OpenClaw to Steal Everything from Developers appeared first on Cyber Security News.

Source: cybersecuritynews.com
