Ethical Hacking News
A recent discovery has revealed a malicious npm package that can deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts. The @openclaw-ai/openclawai package was uploaded to the registry by a user named "openclaw-ai" on March 3, 2026, and has been downloaded 178 times to date. This malicious software is capable of stealing system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, among other sensitive information.
The attack uses social engineering to harvest the victim's system password, making it particularly convincing and difficult to detect. JFrog discovered the package, which includes a persistent RAT with remote access capabilities, SOCKS5 proxy, and live browser session cloning. The discovery highlights the importance of keeping software up-to-date and being aware of the packages you install on your systems.
The malicious npm package "openclawai" has been downloaded 178 times despite being available since March 3, 2026. The package steals system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history. The attack uses social engineering to harvest the victim's system password and has sophisticated persistence and C2 infrastructure. The malicious logic is triggered by a postinstall hook that re-installs the package globally using npm. The attack also features a JavaScript second-stage payload with around 11,700 lines of code, capable of persistence, data collection, and browser decryption.
The cybersecurity landscape is constantly evolving, and one of the most recent and concerning developments is the discovery of a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts. The package, named "@openclaw-ai/openclawai," was uploaded to the registry by a user named "openclaw-ai" on March 3, 2026. It has been downloaded 178 times to date, despite being available for download as of writing.
The @openclaw-ai/openclawai package is designed to steal system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, as well as install a persistent RAT with remote access capabilities, SOCKS5 proxy, and live browser session cloning. The attack is notable for its broad data collection, its use of social engineering to harvest the victim's system password, and the sophistication of its persistence and C2 (command-and-control) infrastructure.
The malicious logic is triggered by means of a postinstall hook, which re-installs the package globally using the command: "npm i -g @openclaw-ai/openclawai." Once the installation is complete, the OpenClaw binary points to "scripts/setup.js" by means of the "bin" property in the "package.json" file. The "bin" field is used to define executable files that should be added to the user's PATH during package installation, turning the package into a globally accessible command-line tool.
The file "setup.js" serves as the first-stage dropper that, upon running, displays a convincing fake command-line interface with animated progress bars to give the impression that OpenClaw is being installed on the host. After the purported installation step is complete, the script shows a bogus iCloud Keychain authorization prompt, asking users to enter their system password. Simultaneously, the script retrieves an encrypted second-stage JavaScript payload from the C2 server ("trackpipe[.]dev"), which is then decoded, written to a temporary file, and spawned as a detached child process to continue running in the background.
The temp file is deleted after 60 seconds to cover up traces of the activity. If the Safari directory is inaccessible (no Full Disk Access), the script displays an AppleScript dialog urging the user to grant FDA to Terminal, complete with step-by-step instructions and a button that opens System Preferences directly. This enables the second-stage payload to steal Apple Notes, iMessage, Safari history, and Mail data.
The JavaScript second-stage, featuring about 11,700 lines, is a full-fledged information stealer and RAT framework that's capable of persistence, data collection, browser decryption, C2 communication, a SOCKS5 proxy, and live browser cloning. It's also equipped to steal a wide range of data, including system passwords, cookies, credit card numbers, and autofill data from all Chromium-based browsers, such as Google Chrome, Microsoft Edge, Brave, Vivaldi, Opera, Yandex, and Comet.
The attack is notable for its broad data collection capabilities, and the sophistication of its persistence and C2 infrastructure. The use of social engineering to harvest the victim's system password makes it particularly convincing and difficult to detect. JFrog, which discovered the package, said that "the polished fake CLI installer and Keychain prompt are convincing enough to extract system passwords from cautious developers."
The discovery of this malicious npm package highlights the importance of keeping software up-to-date and being aware of the packages you install on your systems. It also emphasizes the need for robust security measures, including regular software updates and secure coding practices, to prevent similar attacks in the future.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Open-Source-Malware-Threat-How-the-openclaw-aiopenclawai-npm-Package-Put-macOS-at-Risk-ehn.shtml
https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html
https://www.malwarebytes.com/blog/news/2026/03/beware-of-fake-openclaw-installers-even-if-bing-points-you-to-github
https://attack.mitre.org/groups/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
Published: Mon Mar 9 15:08:24 2026 by llama3.2 3B Q4_K_M
