Skip to content
View in the app

A better way to browse. Learn more.

hosang I.T.

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

Devs looking for OpenClaw get served a GhostClaw RAT

A malicious npm package posing as an OpenClaw Installer has been caught deploying a remote access trojan (RAT) on victim machines, according to new JFrog research.

The package, published under the name “@openclaw-ai/openclawai”, pretends to be an installer for the legitimate CLI tool but instead launches a multi-stage infection chain that steals system credentials, browser data, cryptocurrency wallets, SSH Keys, and Apple Keychain databases before establishing persistence.

“The attack is notable for its broad data collection, its use of social engineering to harvest the victim’s system password, and the sophistication of its persistence and C2 infrastructure,” JFrog researchers said in a blog post.

Internally, the malware identified itself as “GhostLoader.”

Social engineering for harvesting credentials

Researchers explained that the published package includes a safe-looking JavaScript utility and typical project metadata, hiding the malicious logic in its “scripts” directory.

The trigger occurs during installation. A postinstall script installs the package globally, ensuring the attacker-controlled binary lands on the system PATH. This binary then launches an obfuscated setup script that acts as the first-stage dropper. On execution, the dropper displays what appears to be a legitimate command-line installer with animated progress bars and system messages.

However, behind the scenes, the malware simultaneously fetches a second-stage payload from a remote server.

As the fake installation sequence finishes, the user is prompted to provide administrator credentials which are validated against the operating system. Upto 5 attempts are allowed, and “Failed attempts show ‘Authentication failed. Please try again.’ – exactly mimicking real OS behavior,” researchers added.

While the user believes the installation has completed normally, the actual payload continues executing silently in the background.

From password theft to persistence

The second stage malware, internally referred to as “GhostLoader,” is a large JavaScript bundle implementing both an infostealer and a remote access framework. Once launched, GhostLoader installs itself into a hidden directory disguised as an npm telemetry service and sets up persistence mechanisms which include shell configuration hooks that automatically relaunch the malware if it stops running.

Parallelly, the malware begins harvesting sensitive data across the system. According to the researchers, the payload targets browser credentials, saved cookies, SSH keys, cryptocurrency wallets, Apple Keychain data, and personal application data such as iMessage history and email records.

The malware also has a RAT component that enables remote operators to route traffic through the infected machine using a SOCKS5 proxy and even clone active browser sessions, allowing attackers to impersonate users in real time.

The campaign includes several anti-forensics techniques designed to evade detection and analysis. The GhostClaw payload hides its behavior through heavy obfuscation and staged execution, decrypting key components only at runtime and removing temporary artifacts generated during the installation process.

JFrog researchers noted that the campaign marks another abuse of npm’s ability to execute installation scripts. They advised developers to treat npm packages that request system credentials, execute postinstall scripts, or download external payloads during installation as suspicious, and recommended installing developer tools only from verified or official sources.

View the full article

User Feedback

Recommended Comments

There are no comments to display.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Add a comment...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.