TechFlow News reported on March 23 that malware named GhostClaw recently targeted cryptocurrency wallets on macOS systems, primarily aiming at developer communities.
This malware was uploaded to the npm registry disguised as a fake OpenClaw CLI installer package under the account name openclaw-ai. It went live on March 3 and was removed on March 10, infecting a total of 178 developers during this period. Upon installation, the malicious program tricks users into entering their macOS password to gain system privileges, then downloads a second-stage payload—GhostLoader—from a remote command-and-control (C2) server to carry out data theft and remote access.
GhostLoader scans Chromium-based browsers, the macOS Keychain, and local storage to extract private keys, mnemonic phrases, SSH keys, cloud credentials, and API tokens from AI platforms. It also monitors the clipboard every three seconds to capture sensitive crypto-related data. Stolen data is exfiltrated to attackers via Telegram, GoFile, and the command server.




