According to a report by TechFlow on March 23, a piece of malware called GhostClaw has recently launched attacks on encrypted wallets on macOS, primarily targeting the developer community.
The malware was uploaded to the npm registry as a fake OpenClaw CLI installer under the account name openclaw-ai . It went live on March 3 and was removed on March 10, infecting 178 developers during its lifetime. After installation, the malware gained system privileges by tricking users into entering their macOS password, and then downloaded the second-stage payload GhostLoader from a remote command and control (C2) server to steal data and gain remote access.
GhostLoader can scan the Chromium browser, macOS Keychain, and local storage to extract private keys, seed phrase, SSH keys, cloud credentials, and AI platform API tokens. It also monitors the clipboard every 3 seconds to capture encrypted sensitive data. The stolen data is transmitted to the attacker via Telegram, GoFile, and command servers.
