OpenClaw: the npm package that installs a persistent RAT in macOS and steals data

A malicious package published in the npm record is passed through a legitimate installer called OpenClaw and has been used to deploy a remote access Trojan (RAT) that steals sensitive data and maintains persistent presence in macOS. The JFrog security firm was the one that pointed to the piece in question, available under the identifier. @ openclaw-ai / openclawai, uploaded by user "openclaw-ai" on March 3, 2026 and with downloads recorded by hundreds of users.

The deception begins in the npm installation flow itself: the package abuses the post-installation hooks to reinstall in a global way, becoming a command accessible from the terminal thanks to the field configuration "bin" in its package.json, which is precisely what allows an executable to be added to the PATH system. For anyone who wants to review how this npm configuration works, the official documentation explains it in detail: package.json - bin, and npm scripts are documented here: npm scripts.

In its first phase malware shows a false command line interface, with progress bars and messages that simulate a legitimate installation. After this visual representation, a box that requests the system password appears under the excuse of allowing access to the iCloud key. That is a social engineering maneuver designed for the user to deliver credentials that malware needs to decipher and access data that macOS protects by default.

Simultaneously with that "installation" ritual, the malicious installer downloads from a command and control server a second encrypted payload, decodes it and runs it as an independent process that remains in the background; the temporary file containing it is deleted shortly after to try to delete prints. JFrog documents that, if you do not have access to certain browser directories (for example, if you have not been granted Full Disk Access), the installer shows an AppleScript dialog that guides the user step by step to enable permissions in System Settings, thereby facilitating the subsequent collection of data protected by these barriers: how to manage permissions in macOS.

The second stage is, according to JFrog's analysis, a huge JavaScript script of thousands of lines that acts as an information theft and RAT framework. Its capabilities include persistence such as demon, chromium passwords and browser cookies, deciphering of the macOS key (including iCloud Keychain bases), access to cryptomoneda portfolios and extensions, SSH key capture, public cloud credentials collection and development services, and real-time reading of iMessage messages, protected notes and mail if you get the necessary permissions. In addition, it monitors the clipboard every few seconds in search of patterns corresponding to private keys or tokens - for example, WIF-format keys or cryptomoneda seeds - a type of data whose technical nature can be consulted in more detail here: WIF key - learning.

The final route of the attack is to pack the collected and filter it out through several channels: direct uploads to the command and control server, use of Telegram's Bot API to send stolen files and temporary accommodation in services such as GoFile.i. The malware also incorporates features to enable a SOCKS5 proxy that allows the attacker to route traffic through the compromised machine, and a particularly disturbing ability to "clone" browser: it launches a Chromium instance in headless mode with the user profile, which provides authenticated sessions without the need to steal passwords because cookies and session status already exist in that profile. To understand what a SOCKS5 proxy means, please see this general explanation: What a proxy SOCKS is.

That a single package brings together social engineering techniques, encrypted downloads from a C2, an information thief and a functional RAT makes the difference: it is not only a script that copies files, but a complete platform for espionage and exfiltration. JFrog has summarized how the combination of a polished interface and a system password request makes even prudent developers can be misled; that password allows you to remove system protections and access secrets that would otherwise remain encrypted.

If you think you may be affected, immediate measures stop trusting unknown packages installed globally and review the list of global npm packages in your system. A basic uninstallation action for this case would be to execute the overall uninstallation order of the package: "npm uninstall -g @ openclaw-ai / openclawai," and to check active processes, start agents and suspicious time files. It is also prudent to revoke tokens, rotate SSH keys and cloud credentials, change passwords and activate two factors authentication in the services that allow it. To reduce future risks, avoid running global facilities from unverified authors, inspect the contents of the package before running it and limit the practice of entering the system password when it is not clear why it is necessary.

For those who manage projects or infrastructure, it is essential to treat the software supply chain as a critical attack area: using integrity checks, signing artifacts, implementing policies that limit global facilities and auditing units helps to minimize the likelihood that a malicious package will reach development or production environments. Resources such as JFrog's research offer indicators, samples and technical details that allow safety managers and equipment to identify and block variants: GhostClaw - JFrog report. It is also useful for developers to regularly review the best practices of npm and the security guides maintained by the community.

The episode recalls that security in the package ecosystem is not just a matter of private repositories or large companies: any developer who uses npm from the terminal can be objective if he trusts packages with legitimate appearance. Maintaining caution, limiting privileges and updating and rotating credentials proactively are habits that, in this case, make the difference between a contained intrusion and a serious gap.