Cybersecurity researchers have uncovered a malicious npm package that masquerades as an OpenClaw installer, designed to deploy a remote access trojan (RAT) and extract sensitive information from compromised macOS systems. The package, identified as @openclaw-ai/openclawai, was uploaded to the npm registry on March 3, 2026, by a user named openclaw-ai and has been downloaded 178 times as of the latest report.
Functionality and Mechanism of the Malware
The malicious package is still available for download. According to JFrog, which discovered the package, it is engineered to steal various types of data, including system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history. The malware installs a persistent RAT that provides remote access capabilities, a SOCKS5 proxy, and the ability to clone live browser sessions.
Technical Details of the Attack
The attack triggers its malicious logic through a postinstall hook, which reinstalls the package globally using the command: npm i -g @openclaw-ai/openclawai. After installation, the package's OpenClaw binary entry points to scripts/setup.js, which acts as the initial dropper. This script presents a convincing fake command-line interface with animated progress bars, simulating a legitimate installation process.
Once the installation appears complete, the script prompts users for their system password via a fake iCloud Keychain authorization dialog. Concurrently, it retrieves an encrypted second-stage JavaScript payload from a command-and-control (C2) server, which is then decoded and executed in the background.
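As an added example (not code from the article, JFrog, or the package itself), the following Node.js audit parses a package.json and flags install-time lifecycle hooks matching the pattern described above, such as a postinstall that re-installs the package globally; the two manifests are constructed samples, not the real package's files.

```javascript
// Lifecycle hooks npm runs during installation, before any user code is invoked.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Each rule receives the hook command and the package name and returns true on a match.
const RULES = [
  {
    label: "global-self-reinstall", // e.g. "npm i -g <own package name>"
    test: (cmd, name) =>
      /\bnpm\s+(i|install|add)\b[^&|;]*\s(-g|--global)\b/.test(cmd) &&
      typeof name === "string" && cmd.includes(name),
  },
  { label: "remote-code-fetch", test: (cmd) => /\b(curl|wget)\b[^|]*\|\s*(sh|bash|node)\b/.test(cmd) },
  { label: "inline-eval", test: (cmd) => /\bnode\s+(-e|--eval)\b/.test(cmd) },
  { label: "encoded-payload", test: (cmd) => /\b(base64|atob)\b/.test(cmd) },
];

// Returns one finding per (hook, rule) match: { hook, rule, cmd }.
function findRiskyLifecycleScripts(pkgJsonText) {
  const pkg = JSON.parse(pkgJsonText);
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    for (const rule of RULES) {
      if (rule.test(cmd, pkg.name)) findings.push({ hook, rule: rule.label, cmd });
    }
  }
  return findings;
}

// Constructed sample modelled on the behaviour the article describes (hypothetical
// manifest, not the real package's): a postinstall hook that re-installs itself globally.
const SAMPLE_MANIFEST = JSON.stringify({
  name: "@openclaw-ai/openclawai",
  version: "1.0.0",
  bin: { openclaw: "scripts/setup.js" },
  scripts: { postinstall: "npm i -g @openclaw-ai/openclawai" },
});

// Constructed benign manifest: a postinstall that only runs a local build step.
const BENIGN_MANIFEST = JSON.stringify({
  name: "example-lib",
  scripts: { test: "node test.js", postinstall: "node scripts/build.js" },
});

console.log(findRiskyLifecycleScripts(SAMPLE_MANIFEST)); // one global-self-reinstall finding
console.log(findRiskyLifecycleScripts(BENIGN_MANIFEST)); // []
```

Installing with `npm install --ignore-scripts` prevents such hooks from running at all, so the audit above is a complement to that setting, not a replacement for it.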
Data Theft and Persistence Mechanisms
The second-stage payload, comprising approximately 11,700 lines of code, functions as a comprehensive information stealer and RAT framework. It is capable of collecting a wide array of data, including:
- macOS Keychain data
- Credentials and cookies from various Chromium-based browsers
- Data from desktop wallet applications
- Developer credentials for cloud services
- Data protected by Full Disk Access (FDA)
In its final phase, the malware compresses the stolen data into a tar.gz archive and exfiltrates it through multiple channels, including direct transmission to the C2 server and the Telegram Bot API.
The malware also operates in a persistent daemon mode, monitoring clipboard content and scanning incoming iMessage chats in real time. It can execute commands from the C2 server, including running arbitrary shell commands and launching a headless browser instance that retains the victim’s existing browser profile.
Conclusion and Implications
The @openclaw-ai/openclawai package exemplifies a sophisticated blend of social engineering and technical prowess, capable of extracting sensitive information from unsuspecting users. As it combines multiple attack vectors and persistence mechanisms, it poses a significant risk to macOS users who may inadvertently install it.
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.