Cybersecurity researchers have uncovered a sophisticated malicious package in the npm registry that impersonates a legitimate OpenClaw installer to deploy a powerful remote access trojan (RAT) on macOS systems. The discovery, announced by security firm JFrog, highlights a growing trend of supply chain attacks targeting developers through trusted software distribution channels.
The malicious package, named "@openclaw-ai/openclawai", was first published to the npm registry on March 3, 2026, by an account calling itself "openclaw-ai". Despite being identified as malware, the package remains downloadable and has already been installed 178 times, potentially compromising numerous systems. JFrog's threat intelligence team has designated this campaign as GhostClaw, while the malware's internal code reveals its loader component identifies itself as GhostLoader.
The attack methodology demonstrates sophisticated understanding of both npm's architecture and macOS user behavior. The package exploits the postinstall hook mechanism to execute malicious code immediately after installation. It automatically triggers a global reinstallation using the command npm i -g @openclaw-ai/openclawai, ensuring the malware gains system-wide accessibility. Through the "bin" property in package.json, the malware registers "scripts/setup.js" as a global command-line tool, adding itself to the user's PATH environment variable.
When executed, setup.js serves as a first-stage dropper that presents a remarkably convincing fake installation interface. The script displays animated progress bars and status messages that mimic a genuine OpenClaw setup process, creating a false sense of legitimacy while malicious activities commence in the background. This visual deception represents a calculated effort to reduce user suspicion during the critical initial infection phase.
The social engineering tactics escalate dramatically after the fake installation completes. The script generates a fraudulent iCloud Keychain authorization dialog that requests the user's system password. This credential harvesting technique is particularly insidious because it replicates Apple's native authentication prompts, exploiting the trust users place in official system dialogs. Concurrently, the malware initiates communication with its command-and-control server at trackpipe[.]dev to retrieve the encrypted second-stage payload.
This secondary payload, a JavaScript file spanning approximately 11,700 lines, constitutes the core of the GhostClaw malware framework. The first-stage script decrypts this payload, writes it to a temporary file, and launches it as a detached background process. To maintain operational security and hinder forensic analysis, the malware automatically removes this temporary file after 60 seconds, effectively destroying evidence of the second-stage code.
GhostClaw demonstrates particular sophistication in circumventing macOS security controls. When the malware encounters restricted access to the Safari directory, it doesn't terminate operation. Instead, it presents an authentic-looking AppleScript dialog that instructs users to grant Full Disk Access permissions to the Terminal application. This dialog includes detailed step-by-step guidance and a convenient button that opens System Preferences directly to the security settings. Once users comply, the elevated permissions enable the second-stage payload to access highly sensitive data including Apple Notes, iMessage conversations, Safari browsing history, and Mail.app contents.
The malware's capabilities are extensive and alarming. GhostClaw functions as both a comprehensive information stealer and a fully-featured remote access trojan. Its data collection modules systematically target system credentials, browser-stored passwords and cookies, cryptocurrency wallet files, SSH keys, complete Apple Keychain databases, and iMessage conversation archives. This breadth of theft makes it exceptionally valuable for threat actors seeking to compromise both personal privacy and corporate security.
Beyond data exfiltration, GhostClaw establishes robust persistence mechanisms that ensure survival across system reboots. The malware maintains continuous encrypted communication with its command-and-control infrastructure, enabling attackers to issue remote commands, extract additional data, or deploy supplementary payloads. Advanced features include an integrated SOCKS5 proxy for traffic routing through compromised systems and a live browser session cloning capability that allows real-time monitoring and hijacking of web activities.
The npm registry attack vector represents a critical vulnerability in modern software development practices. Developers routinely install packages from registries with minimal scrutiny, creating opportunities for threat actors to distribute malware through trusted channels. The GhostClaw campaign employs techniques reminiscent of typosquatting, using a package name that appears legitimate while incorporating sophisticated social engineering specifically designed to exploit developer trust and workflow patterns.
The potential impact extends far beyond individual compromised machines. Infected developer workstations could serve as launchpads for supply chain attacks, where malicious code is injected into legitimate software projects, potentially affecting thousands of downstream users. The theft of SSH keys and credentials could grant attackers access to corporate networks, private code repositories, and cloud infrastructure, creating cascading security failures.
Defending against such threats requires comprehensive security measures. Users must exercise extreme caution when installing npm packages, especially those requesting global installation privileges. Verifying publisher reputation, examining download statistics, and checking package creation dates can help identify suspicious offerings. Implementing the principle of least privilege by preferring local installations over global ones can limit malware impact. Security teams should monitor network traffic for connections to known malicious domains like trackpipe[.]dev and deploy endpoint detection solutions capable of identifying suspicious postinstall script behavior.
The GhostClaw discovery underscores the evolving threat landscape facing software developers and organizations. As attackers increasingly target development tools and trusted platforms, maintaining vigilance and implementing robust security controls becomes essential. The combination of social engineering, advanced malware design, and supply chain targeting represents a sophisticated threat model that demands proactive defense strategies from the entire technology community.