A new strain of malware purpose-built to steal crypto wallet data is slipping past every major antivirus engine, according to Apple device security firm Mosyle.

Dubbed ModStealer, the infostealer has been live for nearly a month without detection by virus scanners. Mosyle researchers say the malware is being distributed through malicious recruiter ads targeting developers and uses a heavily obfuscated NodeJS script to bypass signature-based defenses.

That means the malware’s code has been scrambled and layered with tricks that make it unreadable to signature-based antivirus tools. Since these defenses rely on spotting recognizable code “patterns,” the obfuscation hides them, allowing the script to execute without detection.

In practice, this lets attackers slip malicious instructions into a system while bypassing traditional security scans that would usually catch simpler, unaltered code.

Unlike most Mac-focused malware, ModStealer is cross-platform, hitting Windows and Linux environments as well. Its primary mission is that of data exfiltration, and the code is presumed to include pre-loaded instructions to target 56 browser wallet extensions designed to extract private keys, credentials, and certificates.

The malware also supports clipboard hijacking, screen capture, and remote code execution, giving attackers the ability to seize near-total control of infected devices. On macOS, persistence is achieved via Apple’s launching tool, embedding itself as a LaunchAgent.

Mosyle states that the build aligns with the profile of “Malware-as-a-Service,” where developers sell ready-made tools to affiliates with limited technical expertise. The model has driven a surge in infostealers this year, with Jamf reporting a 28% rise in 2025 alone.

The discovery comes on the heels of recent npm-focused attacks where malicious packages like colortoolsv2 and mimelib2 used Ethereum smart contracts to conceal second-stage malware. In both cases, attackers leveraged obfuscation and trusted developer infrastructure to bypass detection.

ModStealer extends this pattern beyond package repositories, showing how cybercriminals are escalating their techniques across ecosystems to compromise developer environments and directly target crypto wallets.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。