GhostClaw malware attacks macOS encrypted wallets, affecting 178 developers.

According to Cryptopolitan, malware called GhostClaw has been disclosed to target macOS encrypted wallets. An npm package disguised as the OpenClaw CLI tool was uploaded by "openclaw-ai" on March 3rd and removed on March 10th, infecting 178 developers during this period. After installation, the software steals private keys, wallet access, and sensitive data, including encrypted wallets, macOS Keychain passwords, cloud credentials, SSH keys, and AI configurations. It scans the clipboard every three seconds to obtain private keys, seed phrase, and transaction data, using a two-stage payload, GhostLoader, to achieve data theft and remote access. The data is sent to Telegram, GoFile, and command servers. Meanwhile, OX Security disclosed another attack that uses GitHub to distribute "$5,000 CLAW tokens" to developers, enticing them to visit a fake openclaw[.]ai website and connect to their wallets, thus triggering fund theft. The related links point to token-claw[.]xyz and watery-compost[.]today. Both types of attacks rely on social engineering techniques.