GhostClaw: Malicious npm Package Impersonates OpenClaw to Deploy Full-Featured RAT

If you run npm install without checking what you're actually pulling down, this story is for you. Researchers at JFrog have uncovered a malicious npm package called @openclaw-ai/openclawai that does a masterful job of impersonating the legitimate OpenClaw AI agent installer while deploying a sophisticated remote access trojan and credential stealer onto macOS systems.

The package was uploaded on March 3, 2026 by a user creatively calling themselves "openclaw-ai," and has racked up 178 downloads as of publication. That might not sound like a lot until you realize that each of those downloads represents a developer who probably handed over the keys to their entire digital kingdom. The package was still live on npm at the time of JFrog's report, which says something about how quickly supply chain attacks can spread before anyone notices.

JFrog's team found the malware calling itself "GhostLoader" internally, which is fitting given how quietly it goes about its business. The attack starts the moment you install the package, triggering a postinstall hook that silently reinstalls itself globally. This ensures the malicious code persists and becomes a command-line tool available from anywhere on the system. What happens next is where things get genuinely impressive from a technical standpoint and deeply concerning from a "my data is gone" standpoint.

The installer presents victims with an extremely polished fake command-line interface complete with animated progress bars, giving every appearance that OpenClaw is being legitimately set up on their machine. After the fake installation completes, users are greeted with a bogus iCloud Keychain authorization prompt asking them to enter their system password. This is social engineering at its finest, leveraging the trust users place in official-looking installation processes to harvest the one credential that unlocks everything else on a Mac.

While the victim watches progress bars, the script reaches out to a command-and-control server at trackpipe.dev to pull down an encrypted second-stage payload. This JavaScript payload spawns as a detached background process and deletes the temporary file after 60 seconds to cover its tracks. If the Safari directory proves inaccessible due to macOS security restrictions, the malware gets creative by displaying an AppleScript dialog that walks users step-by-step through granting Full Disk Access to Terminal, even helpfully opening System Preferences directly. People actually follow these instructions because they look legitimate.

The second-stage payload comprises roughly 11,700 lines of JavaScript implementing a full-featured information stealer and RAT framework. The data collection scope is staggering. The malware targets macOS Keychain entries including both local and iCloud databases, browser credentials from every major Chromium-based browser you can name, desktop cryptocurrency wallets and their browser extensions, SSH keys, cloud credentials for AWS and Azure and Google Cloud and Kubernetes and Docker and GitHub, and for good measure, your AI agent configurations. If Full Disk Access was granted, it also scoops up Apple Notes, iMessage history, Safari browsing data, Mail accounts, and Apple account information.

Everything collected gets compressed into a tar.gz archive and exfiltrated through multiple channels simultaneously. The data goes directly to the C2 server, through the Telegram Bot API, and to GoFile.io. Redundancy is key when you're stealing someone's digital life, apparently.

The malware then settles into persistent daemon mode, monitoring clipboard content every three seconds for anything matching patterns that look like private keys, cryptocurrency addresses, AWS credentials, OpenAI API keys, or Strike payment keys. It watches for specific processes, scans incoming iMessage chats in real-time, and awaits commands from its operators. Those commands can do just about anything you'd expect from a serious RAT, from running arbitrary shell commands to downloading additional payloads to starting a SOCKS5 proxy.

Perhaps the most alarming capability is browser cloning. The malware can launch a headless Chromium instance using the victim's existing browser profile, complete with all cookies, saved logins, and session data intact. This gives attackers a fully authenticated browser session without ever needing to crack a single password. They essentially become you, with access to every service you were logged into.

The broader lesson here is one the security community keeps learning the hard way. Supply chain attacks targeting package registries continue to be devastatingly effective because developers implicitly trust what npm or PyPI or any other registry serves them. A convincing package name, a legitimate-looking README, and a few stars or downloads are often enough to bypass whatever due diligence happens before someone adds a new dependency. The OpenClaw impersonation is particularly clever because the tool is genuinely useful and gaining popularity, making developers more likely to seek it out and less likely to question whether they found the right package.

If you're a macOS user who happened to install this package, the recommended remediation is essentially burning it all down. Rotate every credential the malware might have touched, revoke OAuth tokens, generate new SSH keys, assume your cryptocurrency wallets are compromised, and consider your browser sessions hijacked. The malware's broad collection capability means there's no shortcut to recovery.

For everyone else, this is a good reminder to verify package names obsessively before installing anything, use lockfiles and checksums where possible, and think twice before granting Full Disk Access to any process that asks for it. Trust in the developer ecosystem is valuable precisely because it's fragile. GhostClaw is a case study in how easily that trust can be exploited.