GhostClaw: Rogue npm Package Masquerades as OpenClaw to Drain Developer Secrets

Security researchers have uncovered a malware campaign targeting developers through a rogue npm package disguised as a trusted installer. The package, published under @openclaw-ai/openclawai, pretends to be the OpenClaw Installer but secretly deploys a multi‑stage infection chain known as GhostClaw, with its core loader identified as GhostLoader.

How GhostClaw Works

  • Persistence via npm hooks:
    • Once installed, the package re‑installs itself globally using a postinstall hook.
    • This ensures the malicious binary lands on the system PATH undetected.
  • First‑stage dropper:
    • The binary points to setup.js, an obfuscated script that launches the infection chain.
    • It presents a fake CLI installer with progress bars and log output to appear legitimate.
  • Social engineering trick:
    • Displays a convincing macOS Keychain prompt, asking for the administrator password.
    • Validates entries against the OS authentication mechanism, making failures look authentic.
  • Second‑stage payload:
    • Fetched from attacker C2 (trackpipe[.]dev) and decrypted with AES‑256‑GCM.
    • Roughly 11,700 lines of JavaScript form the GhostLoader framework, which embeds itself as a fake npm telemetry service.
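Because the whole chain starts with an install-time lifecycle script, the simplest defender check is to list which installed packages declare one at all. The script below is an added example, not code from the article or from the OpenClaw project: it walks a node_modules tree, parses each package.json, and reports every preinstall/install/postinstall hook; the sample tree it builds (package names and commands included) is constructed for the demonstration and is not a real indicator from the report.

```python
"""Audit a node_modules tree for install-time lifecycle scripts (added example)."""
import json
import tempfile
from pathlib import Path

# npm runs these script names automatically during `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")


def find_install_hooks(node_modules):
    """Return sorted (package name, hook name, command) tuples for every
    package under node_modules whose package.json declares an install hook."""
    hits = []
    for pj in Path(node_modules).rglob("package.json"):
        try:
            data = json.loads(pj.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or not JSON: skip rather than abort the audit
        scripts = data.get("scripts") or {}
        if not isinstance(scripts, dict):
            continue
        name = data.get("name") or str(pj.parent)
        for hook in INSTALL_HOOKS:
            if hook in scripts:
                hits.append((name, hook, str(scripts[hook])))
    return sorted(hits)


def build_sample_tree():
    """Constructed throwaway node_modules: one benign package and one that
    declares a postinstall hook. Names and commands are made up for the demo."""
    root = Path(tempfile.mkdtemp()) / "node_modules"
    benign = root / "left-pad-demo"
    benign.mkdir(parents=True)
    (benign / "package.json").write_text(json.dumps({
        "name": "left-pad-demo", "version": "1.0.0",
        "scripts": {"test": "node test.js"},
    }))
    suspicious = root / "@example-scope" / "fake-installer"
    suspicious.mkdir(parents=True)
    (suspicious / "package.json").write_text(json.dumps({
        "name": "@example-scope/fake-installer", "version": "0.0.1",
        "scripts": {"postinstall": "node setup.js"},
    }))
    return root


if __name__ == "__main__":
    # Audit the project in the current directory, or the constructed sample tree.
    target = Path("node_modules") if Path("node_modules").is_dir() else build_sample_tree()
    for name, hook, cmd in find_install_hooks(target):
        print(f"{name}: {hook} -> {cmd}")
```

Run it from a project root after `npm install` and review every line it prints; a package whose hook runs an obfuscated script it ships itself deserves a closer look. The corresponding preventive control is npm's own `ignore-scripts` setting (`npm config set ignore-scripts true`, or `npm install --ignore-scripts`), which stops lifecycle scripts from running at all and forces you to opt in per package.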

What GhostClaw Steals

GhostClaw is designed to harvest virtually everything developers rely on:

  • System credentials: macOS Keychain, Windows/Linux passwords.
  • Cloud secrets: AWS, GCP, Azure configuration files.
  • Crypto assets: BIP‑39 seed phrases, wallet data.
  • Browser data: Saved passwords, cookies, credit cards across Chromium browsers.
  • Messaging history: iMessage conversations (if Full Disk Access is granted).
  • Developer assets: SSH keys, API tokens (GitHub, OpenAI, Stripe, etc.).

Its cross‑platform reach (macOS, Linux, Windows) and stealthy persistence make it one of the most dangerous developer‑targeting threats seen in the npm registry.

Mitigation Steps for Developers

  • Remove infection traces: Delete the .npm_telemetry directory, terminate monitor.js processes, and uninstall the package.
  • Check shell configs: Inspect ~/.zshrc, ~/.bashrc, and ~/.bash_profile for injected hooks.
  • Rotate credentials immediately: System passwords, SSH keys, API tokens, and crypto seed phrases must be reset.
  • Revoke sessions: End active browser sessions on Google, GitHub, and other platforms.
  • System re‑image: Given GhostClaw’s depth, a full OS reinstall is strongly recommended.
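The first two mitigation steps are easy to get wrong by hand, so here is an added example (not the article's or OpenClaw's code) that performs them as checks: it looks for the .npm_telemetry directory, scans the three shell config files named above for lines mentioning the article's indicators, and, on Unix systems, lists running processes whose command line references monitor.js. The indicator strings are taken from the article; the sample home directory and its injected rc line are constructed for the demonstration.

```python
"""Check a home directory for the GhostClaw traces listed in the article (added example)."""
import subprocess
import tempfile
from pathlib import Path

# Strings the article associates with the infection (package name, C2 host, dropped files).
INDICATORS = (".npm_telemetry", "monitor.js", "openclawai", "trackpipe")
RC_FILES = (".zshrc", ".bashrc", ".bash_profile")


def scan_shell_configs(home, indicators=INDICATORS, rc_files=RC_FILES):
    """Return (rc file, line number, line) for every rc line containing an indicator."""
    hits = []
    for rc in rc_files:
        path = Path(home) / rc
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text(errors="replace").splitlines(), 1):
            if any(ind.lower() in line.lower() for ind in indicators):
                hits.append((rc, lineno, line.strip()))
    return hits


def telemetry_dir_present(home):
    """True if the fake telemetry directory the loader creates exists under home."""
    return (Path(home) / ".npm_telemetry").exists()


def monitor_processes():
    """PIDs of processes whose command line references monitor.js.
    Uses ps (Unix only); returns [] where ps is unavailable."""
    try:
        out = subprocess.run(["ps", "-A", "-o", "pid=", "-o", "args="],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    pids = []
    for line in out.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and "monitor.js" in parts[1]:
            pids.append(int(parts[0]))
    return pids


def build_sample_home():
    """Constructed home directory: a .zshrc with one normal line and one
    fake injected hook modelled on the indicators, plus the dropped directory."""
    home = Path(tempfile.mkdtemp())
    (home / ".zshrc").write_text(
        'export PATH="$HOME/bin:$PATH"\n'
        '# constructed example of an injected line, not a real sample\n'
        'node "$HOME/.npm_telemetry/monitor.js" >/dev/null 2>&1 &\n'
    )
    (home / ".npm_telemetry").mkdir()
    return home


if __name__ == "__main__":
    home = Path.home()
    print("telemetry dir present:", telemetry_dir_present(home))
    for rc, lineno, line in scan_shell_configs(home):
        print(f"{rc}:{lineno}: {line}")
    print("monitor.js processes:", monitor_processes())
```

Treat any hit as confirmation, not as the full extent of the compromise: the loader drops more than these files, so the remaining steps (credential rotation, session revocation, re-image) apply whether or not this script finds anything.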

Final Thought

GhostClaw demonstrates how attackers exploit developer trust in open‑source ecosystems. By mimicking legitimate tooling, they gain deep access to sensitive credentials and cloud assets. For defenders, the lesson is clear: developer environments are prime targets, and supply chain vigilance is now a frontline security priority.
