The GhostClaw malware has been identified as targeting macOS crypto wallets, masquerading as an OpenClaw CLI tool npm package. Uploaded by "openclaw-ai" on March 3 and removed on March 10, the malware infected 178 developers. Once installed, it steals private keys, wallet access, and sensitive data, including macOS Keychain passwords, cloud credentials, SSH keys, and AI configurations. It scans the clipboard every three seconds to capture private keys, mnemonics, and transaction data, and uses a second-stage payload, GhostLoader, for data theft and remote access. Stolen data is sent to Telegram, GoFile, and command servers.
Additionally, OX Security revealed another attack that uses GitHub to lure developers with a fake $5,000 CLAW token offer, directing them to a counterfeit openclaw[.]ai site to connect their wallets, which leads to fund theft. The attack links to token-claw[.]xyz and watery-compost[.]today, and both rely on social engineering tactics.
GhostClaw Malware Targets macOS Crypto Wallets, Infects 178 Developers
Disclaimer: The content provided on Phemex News is for informational purposes only. We do not guarantee the quality, accuracy, or completeness of the information sourced from third-party articles. The content on this page does not constitute financial or investment advice. We strongly encourage you to conduct your own research and consult with a qualified financial advisor before making any investment decisions.
