Full Report
Cybersecurity researchers have discovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from compromised hosts. The package, named "@openclaw-ai/openclawai," was uploaded to the registry by a user named "openclaw-ai" on March 3, 2026. It has been downloaded 178 times to date. The library is still available for
Analysis Summary
# Tool/Technique: GhostLoader (via @openclaw-ai/openclawai)
## Overview
GhostLoader is a highly sophisticated Remote Access Trojan (RAT) and information stealer distributed via a malicious npm package. It masquerades as an installer for "OpenClaw" to target developers and macOS users. The attack utilizes a combination of social engineering, fake command-line interfaces, and persistent background processes to exfiltrate a vast array of sensitive data including credentials, cryptocurrency wallets, and private communications.
## Technical Details
- **Type:** Malware (RAT / InfoStealer / Dropper)
- **Platform:** macOS (primarily targeted), Cross-platform (Node.js/JavaScript)
- **Capabilities:** Data exfiltration, Remote Access, Persistence, SOCKS5 Proxy, Session Cloning, Clipboard Monitoring.
- **First Seen:** March 3, 2026
## MITRE ATT&CK Mapping
- **[TA0001 - Initial Access]**
- [T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools]
- **[TA0002 - Execution]**
- [T1059.003 - Command and Scripting Interpreter: Windows Command Shell]
- [T1059.007 - Command and Scripting Interpreter: JavaScript]
- **[TA0003 - Persistence]**
- [T1136.001 - Create Account: Local Account]
- [T1037 - Boot or Logon Initialization Scripts]
- **[TA0005 - Defense Evasion]**
- [T1070.004 - Indicator Removal: File Deletion]
- [T1204.002 - User Execution: Malicious File]
- **[TA0006 - Credential Access]**
- [T1555.001 - Credentials from Password Stores: Keychain]
- [T1539 - Steal Web Session Cookie]
- **[TA0009 - Collection]**
- [T1115 - Clipboard Data]
- [T1119 - Automated Collection]
- **[TA0011 - Command and Control]**
- [T1071.001 - Application Layer Protocol: Web Protocols]
- [T1105 - Ingress Tool Transfer]
## Functionality
### Core Capabilities
- **Information Stealing:** Targets macOS Keychain (local and iCloud), Chromium-based browser data (cookies, cards, passwords), SSH keys, and cloud/dev credentials (AWS, Azure, GCP, Docker, GitHub, Kubernetes).
- **RAT Functionality:** Provides remote access capabilities to the compromised host.
- **Data Exfiltration:** Compresses stolen data into `tar.gz` archives and uploads them via Webhooks (Telegram), GoFile.io, or direct C2 communication.
- **Crypto-Theft:** Scans for desktop wallet applications, browser extensions, and seed phrases.
### Advanced Features
- **Social Engineering:** Displays fake animated progress bars and bogus iCloud Keychain authorization prompts to harvest system passwords.
- **Permission Escalation:** Instructions provided via AppleScript to trick users into granting "Full Disk Access" (FDA) to the Terminal.
- **Persistence & Monitoring:** Enters a daemon mode that monitors the clipboard every three seconds for private keys (WIF keys).
- **Network Proxying:** Includes a SOCKS5 proxy and live browser session cloning capabilities.
## Indicators of Compromise
- **File Names:**
- `scripts/setup.js`
- `@openclaw-ai/openclawai` (npm package)
- **Network Indicators:**
- `trackpipe[.]dev` (C2 Server/Payload host)
- `gofile[.]io` (Exfiltration)
- Telegram Bot API (Exfiltration)
- **Behavioral Indicators:**
- Automated global re-installation using `npm i -g`.
- Temporary file creation followed by deletion within 60 seconds.
- AppleScript dialogs requesting Full Disk Access.
## Associated Threat Actors
- **openclaw-ai** (npm registry persona)
- **GhostLoader** (Internal malware identifier)
## Detection Methods
- **Behavioral Detection:**
- Monitor for `postinstall` hooks in npm packages that execute shell scripts or re-install the package globally.
- Detect unauthorized AppleScript prompts requesting System Preference changes or Full Disk Access.
- **Signature-based:**
- Scan for the specific 11,700-line JavaScript second-stage payload.
- Monitor for the string "GhostLoader" within obfuscated or large JS files.
## Mitigation Strategies
- **Dependency Pinning:** Use `npm shrinkwrap` or `package-lock.json` and audit new dependencies before installation.
- **Least Privilege:** Avoid running `npm install` with `sudo` or administrative privileges.
- **Vigilance:** Be wary of CLI tools that request system passwords via non-standard or unexpected pop-ups.
- **Endpoint Protection:** Use EDR solutions that monitor for suspicious child-process spawning from Node.js environments.
## Related Tools/Techniques
- **ClawJacked:** A previously identified flaw related to the OpenClaw ecosystem.
- **Typosquatting/Masquerading:** Common technique for distributing malicious packages in public registries (npm, PyPI).