Developers looking for OpenClaw get the GhostClaw RAT

A malicious npm package masquerading as the OpenClaw installer was caught deploying a remote access trojan (RAT) on victim machines, according to new research by JFrog.
The package, published under the name “@openclaw-ai/openclawai”, poses as an official CLI tool installer but instead launches a multi-stage infection chain that steals system information, browser data, cryptocurrency wallets, SSH keys and the Apple Keychain database before establishing persistence.
“This attack is notable for its extensive data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence with C2 infrastructure,” JFrog researchers said in a blog post.
Internally, the malware identifies itself as “GhostLoader.”
Social engineering to harvest the password
The researchers explained that the published package ships a seemingly benign JavaScript utility and standard project metadata, with the malicious logic hidden in its “script” directory.
The trigger is installation itself. A post-install script installs the package globally, so that an attacker-controlled binary ends up on the system PATH. That binary then launches an obfuscated setup script that acts as a first-stage dropper. When run, the dropper displays what looks like a legitimate command-line installer, complete with animated progress bars and system messages.
Behind the scenes, however, the malware is simultaneously downloading the second-stage payload from a remote server.
Partway through the fake installation sequence, the user is prompted for an administrator password, which the malware checks against the operating system. Up to five attempts are allowed, and “Failed attempts show ‘Authentication failed. Please try again.’ – to exactly mimic the behavior of the real OS,” the researchers added.
The user is left believing the installation completed normally, while the real payload keeps running silently in the background.
From password theft to persistence
The second-stage malware, internally called “GhostLoader,” is a large JavaScript bundle that combines an infostealer with a remote access framework. Once launched, GhostLoader installs itself in a hidden directory disguised as an npm telemetry service and sets up persistence, including shell hooks that automatically restart the malware whenever it stops running.
At the same time, the malware begins harvesting sensitive data across the system. According to the researchers, the payload targets browser authentication data, saved cookies, SSH keys, cryptocurrency wallets, Apple Keychain data, and personal application data such as iMessage history and email records.
The RAT component lets remote operators route traffic through the infected machine via a SOCKS5 proxy and take over active browser sessions, allowing attackers to impersonate the victim in real time.
The campaign also uses several anti-forensics techniques to evade detection and analysis. The GhostClaw payload hides its behavior behind heavy obfuscation and staged execution, decrypting key components only at runtime and deleting the temporary artifacts created during installation.
JFrog researchers noted that the campaign is another abuse of npm’s install-script mechanism. They advise developers to treat as suspicious any npm package that requests system information, runs background install scripts, or fetches external payloads during installation, and to install developer tools only from verified or official sources.