Malware GhostClaw steals developers' encrypted wallet data through npm packages

According to Cryptopolitan, a new type of malware called GhostClaw is targeting cryptocurrency wallets on macOS devices.

This malware disguised itself as a legitimate OpenClaw CLI tool and was present in the npm registry for a week before being removed after infecting 178 developers. Once developers run the "npm install" command, a hidden script globally installs the GhostClaw package and evades detection through obfuscated configuration files. GhostClaw scans the clipboard every three seconds, capturing private keys, seed phrases, public keys, and other cryptocurrency wallet and transaction-related data.

After the second stage payload is downloaded, GhostLoader scans for cryptocurrency wallet data in the Chromium browser, macOS Keychain, and system storage, clones browser sessions to gain access to logged-in wallets, and steals API Tokens that connect to AI platforms such as OpenAI and Anthropic. The stolen data is sent to the attackers via Telegram, GoFile, and command servers.