A malicious npm package disguised as an OpenClaw installer has been caught deploying a remote access trojan, stealing macOS credentials, and harvesting a wide range of sensitive developer data.

The package, published as @openclaw-ai/openclawai, looks harmless at first glance. In reality, it behaves like a full intrusion framework: it tricks users with a polished fake installer, prompts them for their system password, downloads an encrypted second-stage payload, and establishes long-term persistence on the victim's machine.

For developers, this is another reminder that the software supply chain remains one of the easiest paths to compromise.

Why this campaign matters

This is not just another typo-squatted package or low-effort credential stealer.

What makes this case especially dangerous is the combination of:

  • social engineering
  • post-install execution
  • credential theft
  • macOS-focused collection
  • persistence
  • remote access
  • browser session hijacking

In other words, the attacker is not merely trying to steal a password. They are trying to take over the device, maintain access, and extract everything of value from a developer workstation.

The package pretends to install OpenClaw

According to researchers, the malicious behavior begins during installation.

The npm package uses a postinstall hook, allowing code to run automatically as part of the install process. That alone is not always malicious, but it is frequently abused because many users install packages without inspecting their scripts.

From there, the package reportedly reinstalls itself globally and points execution to a setup script through the bin field in package.json. That makes the fake installer behave like a legitimate command-line utility, increasing the illusion that the user is simply setting up a developer tool.

The result is an attack chain that feels normal enough not to raise immediate suspicion.

A fake installer built to earn trust

One of the most effective parts of the campaign is presentation.

Instead of dropping malware in an obvious way, the package reportedly displays a convincing fake terminal interface, complete with progress bars and installation-like output. To the victim, it looks like OpenClaw is being set up correctly.

Then comes the real trap: a bogus iCloud Keychain authorization prompt asking for the user's macOS password.

That step matters because the attacker is not only relying on code execution. They are actively trying to convince the victim to hand over credentials that unlock access to protected data stores.

This is a strong example of how modern malware blends technical tradecraft with user-interface deception.

What happens after the password prompt

While the victim is focused on the fake installer flow, the malware reportedly retrieves an encrypted second-stage JavaScript payload from attacker-controlled infrastructure.

That payload is then decoded, written temporarily to disk, and launched as a detached process. A short time later, the temporary file is deleted, making the activity harder to trace during a quick review.

Researchers say the second stage is not a small script. It is a large, feature-rich framework designed for long-term access and broad data theft.

What the malware tries to steal

The data collection scope is especially alarming because it targets both general users and technical operators.

Reported targets include:

  • macOS Keychain data
  • iCloud Keychain databases
  • browser credentials, cookies, autofill, and saved payment data
  • crypto wallets and wallet extensions
  • seed phrases and private-key material
  • SSH keys
  • cloud and developer credentials
  • GitHub-related secrets
  • Kubernetes and Docker credentials
  • AI agent configuration data
  • Apple Notes, Mail, Safari history, and iMessage content where permissions allow

This means one compromised machine could expose personal accounts, corporate infrastructure, developer environments, cloud platforms, crypto assets, and AI tooling all at once.

For attackers, that is a high-value payoff from a single infection.

Full Disk Access becomes part of the attack path

Another notable detail is the malware's attempt to expand its reach on macOS through Full Disk Access.

If it cannot access certain protected directories, it reportedly displays instructions urging the victim to grant Terminal broader permissions. That request is framed as if it were necessary for the installation process to continue normally.

This is particularly dangerous because many users assume permission prompts are routine during setup. In reality, granting elevated access can open the door to sensitive sources such as Notes, Mail, Safari data, and message history.

The campaign shows how attackers increasingly weaponize native macOS trust prompts instead of relying only on exploits.

More than a stealer: this is a RAT

The malware does not stop at data theft.

Researchers say it also acts as a remote access trojan, giving attackers the ability to:

  • execute arbitrary shell commands
  • open URLs
  • download or upload files
  • start or stop a SOCKS5 proxy
  • inspect running processes
  • update itself
  • self-destruct
  • clone browser profiles and launch them in headless mode

That last capability is especially serious.

If an attacker can clone an existing browser profile, they may gain access to already authenticated sessions, including cookies and session state, without needing to crack passwords directly. In practice, that can mean bypassing normal login friction and stepping directly into a victim's active web accounts.

For defenders, this is a reminder that browser session theft can be just as damaging as credential theft.

Clipboard monitoring raises the stakes

The malware is also said to monitor clipboard content on a recurring basis and check it against patterns linked to sensitive material such as:

  • cryptocurrency keys and wallet data
  • blockchain addresses
  • RSA private keys
  • AWS-style credentials
  • API keys

That means even short-lived copy-paste activity can become an exposure event.

Developers and administrators often copy secrets during troubleshooting, deployments, cloud configuration, or wallet management. Clipboard surveillance turns those everyday actions into an attack surface.

Why developers are prime targets

This campaign is aimed at a very specific audience: people who install tools quickly, test emerging packages, and work across cloud, code, browser, and terminal environments.

That makes developers unusually valuable targets because their machines often contain:

  • source code
  • production access
  • SSH material
  • cloud tokens
  • package registry credentials
  • API keys
  • secrets for CI/CD pipelines
  • browser sessions tied to internal tools

A single infected endpoint can become the bridge to a much larger breach.

This is why supply-chain attacks on npm, PyPI, and other package ecosystems continue to grow. Developers sit at the center of modern infrastructure.

Key lessons for teams and individual developers

This incident reinforces a few hard truths.

First, package trust is fragile. A package name, a plausible publisher identity, and a professional-looking installation flow can be enough to fool people.

Second, postinstall scripts deserve far more scrutiny than they usually get. Any package that executes code during installation should be treated as high risk unless its behavior is well understood.

Third, macOS is not immune. Many users still assume malware is mostly a Windows problem, but campaigns like this show how mature and targeted macOS threats have become, especially when credential theft and user deception are involved.

Finally, developer endpoints are strategic assets. Protecting them should be treated as a security priority, not just an IT hygiene issue.

How to reduce the risk

For developers:

  • review package names carefully before installation
  • avoid blindly trusting newly published packages
  • inspect postinstall and other lifecycle scripts
  • prefer verified, well-maintained repositories
  • use least privilege on your workstation
  • be skeptical of password prompts that appear during CLI installs
  • do not grant Full Disk Access unless you fully understand why it is required

For organizations:

  • monitor package manager activity
  • restrict or alert on risky install behaviors
  • inspect developer endpoints for unusual persistence mechanisms
  • audit access to secrets, browsers, and local credential stores
  • treat npm package installs as a potential initial access vector
  • invest in supply-chain security controls for developer environments

Final takeaway

The fake OpenClaw npm package is a powerful example of how software supply-chain attacks are evolving.

This was not a noisy smash-and-grab campaign. It was carefully staged, visually convincing, and technically broad. By combining a fake installer, credential harvesting, an encrypted second stage, extensive data theft, and remote access features, the attackers turned one npm package into a full macOS compromise path.

For anyone building, testing, or installing software from fast-moving ecosystems, the message is simple: the biggest risk is no longer just malicious code hidden in plain sight. It is malicious code that looks polished, behaves persuasively, and asks for exactly the permissions needed to take everything.

Source: https://thehackernews.com/2026/03/malicious-npm-package-posing-as.html