A fake npm package called @openclaw-ai/openclawai infected 178 machines in 7 days before npm pulled it. JFrog researchers named the campaign "GhostClaw."
The attack was clever. After install, victims saw a convincing fake CLI with animated progress bars. Then a fake macOS Keychain prompt appeared, identical to the real thing, with up to 5 retry attempts.
Once it had the system password, GhostLoader grabbed:
- macOS Keychain credentials
- Chromium browser data (passwords, cookies, saved cards)
- Crypto wallets (Exodus, MetaMask)
- SSH keys and cloud credentials (AWS/Azure/GCP)
- iMessage history and Apple Notes
The scary part? It also installs a persistent RAT with live browser session cloning via the Chrome DevTools Protocol. Because it reuses sessions that are already authenticated, that bypasses MFA entirely.
The real OpenClaw package is just openclaw. The fake used @openclaw-ai/openclawai. Close enough to fool someone who didn't double-check.
And npm uninstall won't clean it up. GhostLoader copies itself to ~/.cache/.npm_telemetry/monitor.js and hooks into your shell rc files.
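A quick triage script for the artifacts named above, added here as an example and not taken from the post or the linked writeup. It assumes the rc hook mentions the .npm_telemetry path and checks the common rc files (.zshrc, .zprofile, .bashrc, .bash_profile, .profile); which rc files GhostLoader actually edits is not stated in the post.

```shell
#!/bin/sh
# Added defensive check (not from the original post). Looks for the GhostLoader
# artifacts the post names: the persistence script under ~/.cache/.npm_telemetry/,
# shell rc files referencing it, and the typosquatted package in a project tree.
# Assumptions: the rc hook contains the string "npm_telemetry", and the rc files
# listed below are the ones worth checking (the post does not name them).

MALICIOUS_PKG='@openclaw-ai/openclawai'
PERSIST_REL='.cache/.npm_telemetry/monitor.js'

# ghostclaw_scan HOME_DIR [PROJECT_DIR ...]
# Prints one line per finding; returns 1 if anything was found, 0 if clean.
ghostclaw_scan() {
  home="$1"; shift
  found=0

  if [ -e "$home/$PERSIST_REL" ]; then
    echo "FOUND persistence script: $home/$PERSIST_REL"
    found=1
  fi

  for rc in .zshrc .zprofile .bashrc .bash_profile .profile; do
    f="$home/$rc"
    [ -f "$f" ] || continue
    if grep -q 'npm_telemetry' "$f" 2>/dev/null; then
      echo "FOUND rc hook referencing .npm_telemetry in $f"
      found=1
    fi
  done

  for proj in "$@"; do
    if [ -d "$proj/node_modules/$MALICIOUS_PKG" ]; then
      echo "FOUND installed package $MALICIOUS_PKG in $proj"
      found=1
    fi
    for lock in package.json package-lock.json yarn.lock pnpm-lock.yaml; do
      if [ -f "$proj/$lock" ] && grep -q "$MALICIOUS_PKG" "$proj/$lock"; then
        echo "FOUND $MALICIOUS_PKG referenced in $proj/$lock"
        found=1
      fi
    done
  done

  return $found
}

# Stand-alone run: scan this user's home directory and the current project.
if ghostclaw_scan "$HOME" "$PWD"; then
  echo "No GhostClaw artifacts found."
fi
```

A hit on the persistence script or an rc hook means the host needs the full cleanup, not just `npm uninstall`.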
Full breakdown with detection and cleanup steps:
https://clawhosters.com/blog/posts/openclaw-npm-malware-ghostloader