Cybersecurity experts have raised alarms over a deceptive npm package pretending to be an OpenClaw installer. This package, identified as “@openclaw-ai/openclawai,” is designed to deploy a remote access trojan (RAT) and extract sensitive data from infected systems. Cybersecurity firm JFrog discovered this package, which was uploaded by a user named “openclaw-ai” on March 3, 2026, and has since been downloaded 178 times.
Detailed Analysis of the Threat
The malicious package primarily targets macOS users, aiming to collect a wide range of data. According to JFrog, it captures system credentials, browser information, cryptocurrency wallets, SSH keys, and iMessage history. It also installs a persistent RAT with capabilities for remote access, a SOCKS5 proxy, and live browser session duplication. Security researcher Meitar Palas noted the attack’s extensive data collection and sophisticated infrastructure.
The package activates its malicious functions through a postinstall hook, which reinstalls it globally with the command “npm i -g @openclaw-ai/openclawai.” The global install exposes the package as a command-line tool via the “bin” property in its “package.json” file, which points to “scripts/setup.js.”
How the Malware Operates
The “setup.js” file serves as the initial dropper, creating a fake command-line interface that simulates the OpenClaw installation process. This deception includes animated progress bars and a false iCloud Keychain prompt requesting the user’s system password. Concurrently, it downloads an encrypted second-stage payload from a command-and-control (C2) server, which is then decrypted and executed in the background.
This second-stage payload, a comprehensive information stealer, comprises 11,700 lines of JavaScript. It can persistently collect data, decrypt browser information, and communicate with C2 servers. The malware gathers data from macOS Keychain, browser credentials, cryptocurrency wallets, and developer cloud credentials. It also targets AI agent configurations and data protected by Full Disk Access (FDA), such as Apple Notes and Safari history.
Implications and Future Outlook
The stolen data is archived into a tar.gz file and exfiltrated through several channels, including the C2 server and Telegram Bot API. The malware can operate in a daemon mode, monitoring clipboard content for specific patterns and executing commands from the C2 server. This includes actions like running arbitrary shell commands, opening URLs, and cloning browser profiles.
Security experts emphasize the sophisticated social engineering tactics used by this package, which make it a significant threat to developers and organizations. The deceptive CLI installer and Keychain prompt effectively extract system passwords, enabling macOS Keychain decryption and browser credential extraction.
The discovery of this malicious npm package highlights the importance of vigilance in software installations and the need for robust cybersecurity measures. Users are advised to review npm packages carefully and ensure their systems are protected against such advanced threats.
