PANews|Mar 23, 2026 01:24
[Malware GhostClaw Steals Developers' Crypto Wallet Data via npm Package]
According to Cryptopolitan, a new malware named GhostClaw is targeting crypto wallets on macOS devices. The malware disguises itself as a legitimate OpenClaw CLI tool and was present in the npm registry for one week. It infected 178 developers before being removed on March 10. Once a developer runs the 'npm install' command, a hidden script globally installs the GhostClaw package and evades detection through obfuscated configuration files.
GhostClaw scans the clipboard every three seconds, capturing private keys, mnemonic phrases, public keys, and other crypto wallet and transaction-related data. After downloading the second-stage payload, GhostLoader scans Chromium browsers, macOS Keychain, and system storage for crypto wallet data, clones browser sessions to gain access to logged-in wallets, and steals API tokens connected to AI platforms such as OpenAI and Anthropic. The stolen data is sent to attackers via Telegram, GoFile, and command servers.
Share To
Timeline
HotFlash
APP
X
Telegram
CopyLink