
A malicious npm package posing as an OpenClaw installer has been caught deploying a remote access trojan (RAT) on victim machines, according to new JFrog research.
The package, published under the name “@openclaw-ai/openclawai”, pretends to be an installer for the legitimate OpenClaw CLI tool but instead launches a multi-stage infection chain that steals system credentials, browser data, cryptocurrency wallets, SSH keys, and Apple Keychain databases before establishing persistence.
“The attack is notable for its broad data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 infrastructure,” JFrog researchers said in a blog post.
Internally, the malware identified itself as “GhostLoader.”
Social engineering for harvesting credentials
Researchers explained that the published package includes a safe-looking JavaScript utility and typical project metadata, hiding the malicious logic in its “scripts” directory.
The trigger is the installation itself. A postinstall script re-installs the package globally, which puts the attacker-controlled binary on the user’s PATH. That binary launches an obfuscated setup script that acts as the first-stage dropper. On execution, the dropper displays what looks like a legitimate command-line installer, complete with animated progress bars and system messages.
However, behind the scenes, the malware simultaneously fetches a second-stage payload from a remote server.
As the fake installation sequence finishes, the user is prompted for an administrator password, which the malware checks against the operating system so that only a working credential is accepted. Up to five attempts are allowed, and “Failed attempts show ‘Authentication failed. Please try again.’ – exactly mimicking real OS behavior,” researchers added.
While the user believes the installation has completed normally, the actual payload continues executing silently in the background.
From password theft to persistence
The second-stage malware, internally referred to as “GhostLoader,” is a large JavaScript bundle that implements both an infostealer and a remote access framework. Once launched, GhostLoader installs itself into a hidden directory disguised as an npm telemetry service and sets up persistence mechanisms that include shell configuration hooks, which automatically relaunch the malware if it stops running.
In parallel, the malware begins harvesting sensitive data across the system. According to the researchers, the payload targets browser credentials, saved cookies, SSH keys, cryptocurrency wallets, Apple Keychain data, and personal application data such as iMessage history and email records.
The malware also has a RAT component that enables remote operators to route traffic through the infected machine using a SOCKS5 proxy and even clone active browser sessions, allowing attackers to impersonate users in real time.
The campaign includes several anti-forensics techniques designed to evade detection and analysis. The second-stage payload hides its behavior through heavy obfuscation and staged execution, decrypting key components only at runtime and removing the temporary artifacts generated during the installation process.
JFrog researchers noted that the campaign is another abuse of npm’s lifecycle scripts, which run automatically during installation. They advised developers to treat any npm package that requests system credentials, runs postinstall scripts, or downloads external payloads during installation as suspicious, and recommended installing developer tools only from verified or official sources.
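The advice above can be turned into a pre-install check. The following Node.js script is an added example written for this article, not JFrog’s tooling: it takes a package.json object, lists every lifecycle hook it declares (preinstall, install, postinstall and friends), and flags the install-time behaviours the article describes: a global self-install that puts a bin entry on PATH, a download from a remote server, a pipe into an interpreter, a call that can prompt for or read the user’s system password, or a bundled script run from the package’s own scripts/ directory. Both manifests are constructed for the example; the suspicious one mirrors the mechanics described above and is not the real package’s content.

```javascript
// Added example (not JFrog's tooling): audit a package.json for install-time
// behaviour of the kind described in the article. The patterns are our own
// heuristics; tune them for your environment.
const LIFECYCLE_HOOKS = [
  'preinstall', 'install', 'postinstall', 'prepare',
  'preuninstall', 'uninstall', 'postuninstall',
];

// Commands worth flagging when they run automatically at install time.
const RISKY_PATTERNS = [
  // `npm install -g .` (or similar) re-installs the package globally so its
  // bin entry lands on PATH; word order varies, so test the parts separately.
  { name: 'global-self-install',
    test: c => /\bnpm\b/.test(c) && /\b(i|install|add)\b/.test(c) && /(^|\s)(-g|--global)(\s|$)/.test(c) },
  // Fetching a second stage from a remote server during install.
  { name: 'remote-download',
    test: c => /\b(curl|wget|Invoke-WebRequest)\b|\bfetch\s*\(/.test(c) },
  // Anything piped straight into an interpreter.
  { name: 'pipe-to-interpreter',
    test: c => /\|\s*(sh|bash|zsh|node|python3?)\b/.test(c) },
  // Calls that can prompt for, or read, the user's system password.
  { name: 'credential-access',
    test: c => /\b(sudo|osascript|dscl|security\s+(find|dump))\b/.test(c) },
  // Running a bundled script from the package's own scripts/ directory.
  { name: 'runs-bundled-script',
    test: c => /\b(node|sh|bash)\s+(\.\/)?scripts\//.test(c) },
];

// Returns { name, verdict, exposesBin, findings }.
// verdict: 'clean' (no hooks), 'review' (hooks, no indicators), 'suspicious'.
function auditManifest(pkg) {
  const scripts = pkg.scripts || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    if (!(hook in scripts)) continue;
    const command = String(scripts[hook]);
    const indicators = RISKY_PATTERNS.filter(p => p.test(command)).map(p => p.name);
    findings.push({ hook, command, indicators });
  }
  // A bin entry plus a global self-install is exactly how a binary reaches PATH.
  const exposesBin = Boolean(pkg.bin) &&
    findings.some(f => f.indicators.includes('global-self-install'));
  const verdict = findings.some(f => f.indicators.length > 0) ? 'suspicious'
    : findings.length > 0 ? 'review'
    : 'clean';
  return { name: pkg.name, verdict, exposesBin, findings };
}

// Constructed manifests for the example. The suspicious one mirrors the
// mechanics described in the article; it is not the real package's content.
const BENIGN_MANIFEST = {
  name: 'example-lib',
  version: '1.0.0',
  scripts: { test: 'node --test', build: 'tsc -p .' },
};

const SUSPICIOUS_MANIFEST = {
  name: 'example-installer',
  version: '1.0.0',
  bin: { 'example-installer': 'bin/cli.js' },
  scripts: { postinstall: 'npm install -g . && node ./scripts/setup.js' },
};

for (const m of [BENIGN_MANIFEST, SUSPICIOUS_MANIFEST]) {
  const r = auditManifest(m);
  console.log(`${r.name}: ${r.verdict}${r.exposesBin ? ' (bin reaches PATH)' : ''}`);
  for (const f of r.findings) {
    console.log(`  ${f.hook}: ${f.command} -> ${f.indicators.join(', ') || 'no indicators'}`);
  }
}
```

To inspect a package before its scripts can run, fetch the tarball with `npm pack <name>` or install with `npm install --ignore-scripts`, then feed the extracted package.json to `auditManifest`. Setting `npm config set ignore-scripts true` blocks lifecycle scripts by default, at the cost of breaking packages that legitimately need them (native builds via node-gyp, for example), so a `review` verdict on such a package is expected and still needs a look at what the script does.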