A malicious npm package called @openclaw-ai/openclawai sat on the npm registry for seven days, from March 3 to March 10, and infected 178 machines before npm pulled it. JFrog security researchers discovered the package and named this OpenClaw npm malware campaign "GhostClaw." The malware calls itself GhostLoader.
What the Package Did
After running npm install -g @openclaw-ai/openclawai, victims saw a convincing fake CLI with animated progress bars and service startup messages. It looked like a real OpenClaw installation.
Then a fake macOS Keychain prompt appeared, identical to the real thing. It even validated the entered password against the actual OS authentication API, showing "Authentication failed" on wrong attempts, and accepted up to five tries.
Once GhostLoader had the system password, it went to work. The malware steals macOS Keychain credentials, Chromium browser data (passwords, cookies, saved cards), crypto wallets like Exodus and MetaMask, SSH keys, AWS/Azure/GCP credentials, iMessage history, and Apple Notes.
GhostLoader also installs a persistent RAT with remote shell access, a SOCKS5 proxy, and live browser session cloning via Chrome DevTools Protocol. That last one is the scary part. It gives the attacker authenticated access to every service you are logged into, bypassing MFA entirely.
The Name Trick
The official OpenClaw npm package is openclaw, installed via npm install -g openclaw@latest. The fake package used @openclaw-ai/openclawai. Two differences: the scoped organization prefix @openclaw-ai/ and the -ai suffix on the package name.
npm Uninstall Does Not Remove It
Running npm uninstall will not clean up the infection. GhostLoader copies itself to ~/.cache/.npm_telemetry/monitor.js and adds shell hooks to .zshrc, .bashrc, and .bash_profile disguised as # NPM Telemetry Integration Service. If you installed this package, you need manual cleanup and full credential rotation.
How to Stay Safe
Managed hosting customers (like those on ClawHosters) run via Docker on managed infrastructure, not via local npm install. This attack vector does not apply.
If you run OpenClaw locally, check whether you ever installed anything from the @openclaw-ai scope. Always verify package names against the official docs before installing.
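The cleanup and checking steps above can be turned into a small scan. The script below is an added example written for this post, not JFrog's tooling or anything shipped by OpenClaw or ClawHosters; it looks for exactly the three indicators the article names (the dropped monitor.js file, the disguised comment in the shell startup files, and any global npm package from the @openclaw-ai scope) in a home directory you pass to it. The optional second argument (a pre-captured npm -g listing) is an assumption added so the scan can run offline; when it is omitted the script runs `npm ls -g --depth=0` itself. It reports findings rather than deleting anything, because the article is explicit that cleanup is manual.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenClaw/ClawHosters):
# report the GhostClaw/GhostLoader persistence indicators named in the article.

GHOSTCLAW_DROP=".cache/.npm_telemetry/monitor.js"        # dropped loader, per the article
GHOSTCLAW_MARKER="# NPM Telemetry Integration Service"   # disguised rc-file comment, per the article
GHOSTCLAW_SCOPE="@openclaw-ai/"                           # malicious npm scope, per the article

# ghostclaw_scan HOME_DIR [NPM_GLOBAL_LISTING]
# Prints one "FOUND <kind> <detail>" line per indicator and a final "TOTAL <n>" line.
# The second argument is an assumption: pass the text of `npm ls -g --depth=0`
# to avoid invoking npm (useful offline and in tests).
ghostclaw_scan() {
    gc_home="${1:-$HOME}"
    gc_listing="${2:-}"
    gc_found=0

    # 1. The dropped loader file that survives `npm uninstall`.
    if [ -f "$gc_home/$GHOSTCLAW_DROP" ]; then
        echo "FOUND file $gc_home/$GHOSTCLAW_DROP"
        gc_found=$((gc_found + 1))
    fi

    # 2. Shell startup hooks tagged with the disguised comment.
    for gc_rc in .zshrc .bashrc .bash_profile; do
        gc_file="$gc_home/$gc_rc"
        if [ -f "$gc_file" ] && grep -qF "$GHOSTCLAW_MARKER" "$gc_file"; then
            echo "FOUND hook $gc_file"
            gc_found=$((gc_found + 1))
        fi
    done

    # 3. Anything installed globally from the malicious scope.
    if [ -z "$gc_listing" ] && command -v npm >/dev/null 2>&1; then
        gc_listing=$(npm ls -g --depth=0 2>/dev/null || true)
    fi
    if printf '%s\n' "$gc_listing" | grep -qF "$GHOSTCLAW_SCOPE"; then
        echo "FOUND package global npm listing contains $GHOSTCLAW_SCOPE"
        gc_found=$((gc_found + 1))
    fi

    echo "TOTAL $gc_found"
}

# ghostclaw_show_hooks HOME_DIR
# Prints the tagged lines with line numbers and two lines of following context,
# so the hook can be removed by hand from each rc file (the article does not
# describe the exact hook lines, so nothing is edited automatically).
ghostclaw_show_hooks() {
    gc_home="${1:-$HOME}"
    for gc_rc in .zshrc .bashrc .bash_profile; do
        gc_file="$gc_home/$gc_rc"
        [ -f "$gc_file" ] || continue
        grep -nF -A2 "$GHOSTCLAW_MARKER" "$gc_file" 2>/dev/null | sed "s|^|$gc_file:|"
    done
    return 0
}

# Usage when run directly: scan the current user's home.
if [ "${GHOSTCLAW_NO_MAIN:-}" = "" ] && [ "$(basename "$0")" = "ghostclaw_scan.sh" ]; then
    ghostclaw_scan "$HOME"
    ghostclaw_show_hooks "$HOME"
fi
```

Any FOUND line means the machine should be treated as compromised: remove the dropped file and the hook by hand, then rotate every credential class the article lists (Keychain, browser-saved passwords and cookies, SSH keys, cloud credentials), since the RAT and session cloning make the stolen sessions usable even with MFA.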
Originally published on ClawHosters Blog