thehackernews.com, 3/9/2026, 7:02:15 PM

macOS OpenClaw npm fake installer steals Keychain data and RAT

Primary source: research.jfrog.com

Cybersecurity researchers have uncovered a malicious npm package that masquerades as an OpenClaw installer to deploy a remote access Trojan and harvest data from infected macOS hosts. The package, named "@openclaw-ai/openclawai" and uploaded to the registry by a user named "openclaw-ai" on 3 March 2026, has been downloaded 178 times to date.

It is designed to steal system credentials, browser data, crypto wallets, SSH keys, and Apple Keychain databases, as well as iMessage history, while installing a persistent RAT with a SOCKS5 proxy and live browser session cloning capability. The attack uses a postinstall hook to reinstall the package globally; the installer then presents a convincing fake CLI and a Keychain prompt to elicit the user's password, after which a second-stage payload is retrieved from the C2 server and executed in the background.

JFrog described the malware as a broad information stealer and RAT framework that internally identifies itself as GhostLoader, and singled out its persistence mechanism and C2 infrastructure. According to JFrog, the OpenClaw installer uses a polished fake interface to extract macOS passwords, which can unlock Keychain decryption and browser credential extraction.


Article by CyberSIXT