
Malicious npm Package Targets macOS Users with RAT and Credential Theft

1 unique source, 1 article

Summary


A malicious npm package named "@openclaw-ai/openclawai" masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from macOS systems. The package, uploaded on March 3, 2026, has been downloaded 178 times and remains available. It targets system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also installing a persistent RAT with remote access capabilities and a SOCKS5 proxy. The malware uses social engineering to harvest system passwords and employs sophisticated persistence and command-and-control (C2) infrastructure. The package triggers its malicious logic via a postinstall hook, re-installing itself globally and displaying a fake command-line interface to mimic an OpenClaw installation. It then retrieves an encrypted second-stage payload from a C2 server, which is decoded and executed to continue running in the background. The malware also prompts users to grant Full Disk Access (FDA) to Terminal to access protected data. The second-stage payload is a comprehensive information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. Collected data is exfiltrated through multiple channels, including the C2 server, Telegram Bot API, and GoFile.io. The malware also monitors clipboard content for specific patterns related to private keys and cryptocurrency addresses. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems. The sophisticated nature of the malware, including its use of social engineering and encrypted payload delivery, makes it a serious threat to macOS users.
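Because the package described above executes through an npm postinstall hook and re-installs itself into the global tree, a quick defensive triage is to enumerate every installed package that declares an install-time lifecycle script. The script below is an added example, not code from the report or from the package; the node_modules tree it audits and the manifest contents in demo_tree() are constructed, and the only indicator taken from the report is the package name.

```python
import json
import tempfile
from pathlib import Path

# Scripts npm runs automatically at install time (the reported package uses postinstall).
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
KNOWN_BAD = {"@openclaw-ai/openclawai"}  # the one name taken from the report


def _is_package_manifest(manifest: Path) -> bool:
    """True for node_modules/<name>/package.json or node_modules/@<scope>/<name>/package.json."""
    owner = manifest.parent.parent
    return owner.name == "node_modules" or (
        owner.name.startswith("@") and owner.parent.name == "node_modules")


def audit_node_modules(root) -> list:
    """Report packages under root that declare install hooks or are in KNOWN_BAD."""
    findings = []
    for manifest in sorted(Path(root).rglob("package.json")):
        if not _is_package_manifest(manifest):
            continue  # skip package.json files inside fixtures or test data
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            scripts = meta.get("scripts") or {}
        except (OSError, ValueError, AttributeError):
            continue  # unreadable, malformed, or non-object manifest
        hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in scripts}
        name = meta.get("name", manifest.parent.name)
        if hooks or name in KNOWN_BAD:
            findings.append({"name": name, "version": meta.get("version", "?"), "hooks": hooks,
                             "known_bad": name in KNOWN_BAD, "path": str(manifest.parent)})
    return findings


def demo_tree() -> str:
    """Constructed node_modules tree (contents made up): a benign package and a
    scoped package carrying the reported name with a postinstall hook."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    manifests = {
        "left-pad": {"name": "left-pad", "version": "1.3.0", "scripts": {"test": "node test.js"}},
        "@openclaw-ai/openclawai": {"name": "@openclaw-ai/openclawai", "version": "0.0.0-constructed",
                                    "scripts": {"postinstall": "node install.js"}},
    }
    for rel, meta in manifests.items():
        (root / rel).mkdir(parents=True)
        (root / rel / "package.json").write_text(json.dumps(meta))
    return str(root)
```

Run audit_node_modules() against each project's node_modules and against the global tree (the directory printed by `npm root -g`), since the package re-installs itself globally; any hit on an unfamiliar package with an install hook deserves a look at the script before it is trusted.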

Timeline

  1. 09.03.2026 20:31 · 1 article

    Malicious npm Package Discovered Deploying RAT and Stealing macOS Credentials

    A malicious npm package named "@openclaw-ai/openclawai" was discovered on March 3, 2026, masquerading as an OpenClaw installer. The package deploys a RAT and steals sensitive data from macOS systems, including system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history. The malware uses a postinstall hook to re-install itself globally and display a fake command-line interface. It retrieves an encrypted second-stage payload from a C2 server, which is capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. The malware prompts users to grant Full Disk Access (FDA) to Terminal to access protected data and exfiltrates collected data through multiple channels. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems.

