A sophisticated malware campaign, known as GhostClaw, is actively targeting software developers by masquerading as a legitimate command-line installer for a tool called “OpenClaw Installer.” This malicious package, published on the npm registry as @openclaw-ai/openclawai, stealthily infiltrates developer systems to exfiltrate sensitive credentials, cryptocurrency wallet details, SSH keys, active browser sessions, and even iMessage data. Researchers from JFrog Security identified the threat on March 8, 2026, highlighting its advanced evasion and persistence techniques.
The GhostClaw campaign focuses on exploiting the trust developers place in the npm ecosystem for their daily workflows. Once a developer installs the rogue package, a hidden postinstall hook silently re-installs the malicious binary globally, ensuring it resides within the system’s PATH without raising immediate suspicion. This sets the stage for the main payload, which is initiated by an obfuscated script named setup.js, orchestrating a multi-stage infection chain.
GhostClaw Employs Advanced Social Engineering to Harvest Developer Secrets
The engineering behind GhostClaw is designed for maximum deception, aiming to blend seamlessly with typical development tooling. The malware’s internal designation is GhostLoader, but the broader operation is tracked as GhostClaw. The core of its social engineering tactics involves tricking developers into voluntarily revealing their system passwords.
Upon execution of the install command, the setup.js dropper presents a convincing fake command-line interface. This includes animated progress bars and simulated system log outputs, creating an illusion of a normal installation process. As the fake progress display concludes, the script generates a dialog box that closely mimics a native macOS Keychain authorization prompt. This unauthorized prompt requests the user’s administrator password, framing it as a necessary step for a “secure vault initialization.”
This deceptive prompt gives the victim up to five password attempts. Critically, the malware validates each entry against the operating system’s real authentication mechanism, so an incorrect password produces an authentic-looking failure message, further reinforcing the legitimacy of the prompt for the unsuspecting developer.
While the victim is engaged with the fake password prompt, the threat actor’s system, located at trackpipe[.]dev, is actively serving the next stage of the payload. This secondary payload is delivered encrypted using AES-256-GCM, with the decryption key embedded within the same server response. The fully decrypted JavaScript payload, approximately 11,700 lines long, constitutes the complete GhostLoader framework.
The GhostLoader framework then proceeds to install itself deeply within a hidden directory. It disguises its presence as a routine npm telemetry service, allowing it to operate undetected while commencing the systematic harvesting of data from the compromised machine. This includes a wide array of sensitive information that could compromise individual developers and their organizations.
The Extensive Data Exfiltration Capabilities of GhostClaw
The scope of data collection by GhostClaw is particularly alarming. JFrog Security researchers have documented its ability to extract system passwords and sensitive data from macOS Keychain databases. It also targets cloud credentials, specifically those stored within configuration files for major cloud providers like AWS, GCP, and Azure.
Furthermore, the malware actively scans desktop directories for BIP-39 cryptocurrency seed phrases, which are vital for accessing and recovering digital assets. It also captures all saved passwords and credit card information from multiple Chromium-based browsers, demonstrating a broad reach across common developer tools and platforms.
On macOS systems, GhostClaw can access and steal iMessage history if it obtains Full Disk Access permissions. This broad data exfiltration capability underscores the significant risk posed to developer accounts and the sensitive projects they manage.
A key aspect of GhostClaw’s effectiveness is its cross-platform compatibility. The malware is engineered to target developers on macOS, Linux, and Windows operating systems. It dynamically adapts its credential validation methods to align with the specific operating system it infects, ensuring its malicious functions operate seamlessly across diverse development environments. This adaptability, coupled with its sophisticated evasion and persistence techniques, positions GhostClaw as a highly significant threat within the npm ecosystem.
Developers who suspect they may have installed the GhostClaw package are urged to take immediate action. This includes removing the hidden .npm_telemetry directory, meticulously checking shell configuration files such as ~/.zshrc, ~/.bashrc, and ~/.bash_profile for any injected malicious lines, and terminating any active monitor.js processes. A complete uninstallation of the rogue npm package is also critical. All credentials, including system passwords, SSH keys, API tokens for services like AWS, GCP, Azure, OpenAI, Stripe, and GitHub, as well as any exposed cryptocurrency wallet seed phrases, must be rotated immediately. Additionally, active browser sessions on all platforms should be revoked. Given the depth of infiltration, JFrog Security researchers strongly recommend a complete system re-image as the most secure remediation step.
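The remediation list above can be turned into a repeatable check. The following POSIX shell script is an added example, not code from the article or from JFrog: it looks for the indicators the article names (the hidden .npm_telemetry directory, lines injected into ~/.zshrc, ~/.bashrc and ~/.bash_profile, running monitor.js processes, and a global install of @openclaw-ai/openclawai), and adds a pre-install check that lists npm lifecycle scripts in a package.json, since a postinstall hook is what the article says re-installs the rogue binary. The fixture built by build_fixture (the injected rc line and the sample package.json) is constructed for the demo and does not reproduce real malware.

```shell
#!/bin/sh
# Added example (not from the article or JFrog): audit for the GhostClaw indicators
# named in the article, plus a pre-install check for npm lifecycle scripts.

# Indicator strings taken from the article.
HIDDEN_DIR='.npm_telemetry'
RC_PATTERN='\.npm_telemetry|monitor\.js'
PROC_PATTERN='monitor\.js'
PKG_NAME='@openclaw-ai/openclawai'

# Return 0 when any shell rc file under home directory $1 mentions an indicator.
check_rc_files() {
    dir=$1
    hit=1
    for rc in "$dir/.zshrc" "$dir/.bashrc" "$dir/.bash_profile"; do
        [ -f "$rc" ] || continue
        if grep -n -E "$RC_PATTERN" "$rc"; then
            hit=0
        fi
    done
    return $hit
}

# Return 0 when the hidden directory exists under home directory $1.
check_hidden_dir() {
    [ -d "$1/$HIDDEN_DIR" ]
}

# Return 0 when a running process command line mentions monitor.js.
check_processes() {
    ps -eo args 2>/dev/null | grep -v grep | grep -q -E "$PROC_PATTERN"
}

# Return 0 when the rogue package is among globally installed npm packages.
check_global_package() {
    npm ls -g --depth=0 2>/dev/null | grep -q -F "$PKG_NAME"
}

# Pre-install hygiene: list lifecycle scripts declared in package.json $1.
# npm runs these automatically on install; returns 0 if any are declared.
list_install_scripts() {
    grep -n -E '"(preinstall|install|postinstall|prepare)"[[:space:]]*:' "$1"
}

# Run every check against home directory $1; returns the number of hits (0 = clean).
audit() {
    home=${1:-$HOME}
    hits=0
    if check_hidden_dir "$home"; then
        echo "FOUND: $home/$HIDDEN_DIR exists"; hits=$((hits + 1))
    fi
    if check_rc_files "$home"; then
        echo "FOUND: injected lines in shell rc files (listed above)"; hits=$((hits + 1))
    fi
    if check_processes; then
        echo "FOUND: a monitor.js process is running"; hits=$((hits + 1))
    fi
    if check_global_package; then
        echo "FOUND: $PKG_NAME is installed globally"; hits=$((hits + 1))
    fi
    echo "indicators matched: $hits"
    return $hits
}

# Constructed fixture under $1: an "infected" home, a "clean" home and a package.json
# with a postinstall hook. The injected line and the package are invented for the demo.
build_fixture() {
    mkdir -p "$1/infected/$HIDDEN_DIR" "$1/clean"
    printf 'export PATH="$HOME/bin:$PATH"\n' > "$1/clean/.zshrc"
    printf 'export PATH="$HOME/bin:$PATH"\n# constructed sample of an injected line\nnohup node "$HOME/%s/monitor.js" >/dev/null 2>&1 &\n' \
        "$HIDDEN_DIR" > "$1/infected/.zshrc"
    printf '{\n  "name": "demo-pkg",\n  "scripts": { "postinstall": "node setup.js" }\n}\n' \
        > "$1/package.json"
}

# Usage: sh ghostclaw_audit.sh --demo    (run against the constructed fixture)
#        sh ghostclaw_audit.sh --audit   (run against the real $HOME)
case ${1:-} in
    --demo)  tmp=$(mktemp -d); build_fixture "$tmp"; audit "$tmp/infected"; rm -rf "$tmp" ;;
    --audit) audit "$HOME" ;;
esac
```

The script only reports; it does not delete anything, because the article's own advice is that a hit warrants credential rotation and, ideally, a re-image rather than spot cleanup. Before installing an unfamiliar package, `npm pack <name>` followed by `list_install_scripts` on the extracted package.json shows whether any lifecycle script will run at install time.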