Blockchain

A new malware called GhostClaw is targeting crypto wallets on macOS devices.

2026-03-23 10:36:28

GhostClaw Malware Targets macOS Crypto Wallets—Disguised as OpenClaw Tool, Infected 178 Developers

A new threat is lurking in the npm registry. GhostClaw, a malware disguised as the legitimate OpenClaw CLI tool, infected 178 developers before being pulled on March 10. The attack triggered when devs ran "npm install," which silently installed the malicious package and hid behind obfuscated config files.

7707f20d99e05cdb1853b083350e93c4.png

Once inside, GhostClaw went to work. It scans the clipboard every three seconds—grabbing private keys, seed phrases, and public keys. Then it downloads a second-stage payload, GhostLoader, which digs through Chromium browsers, macOS keychain, and system storage for crypto wallet data. It clones browser sessions to hijack logged-in wallets and steals API tokens from AI platforms like OpenAI and Anthropic. All stolen data is funneled out via Telegram, GoFile, and command servers. Another reminder: open-source tools come with open risks.

DISCLAIMER:

1. All content on this website (including but not limited to articles, data, charts, and analyses) is for general informational purposes only and does not constitute any form of investment advice, trading recommendation, or financial guidance.

2. Cryptocurrencies and digital assets are subject to extreme price volatility and high investment risk; you may lose part or all of your principal. Past performance does not predict future results.

3. The information on this website is based on sources we believe to be reliable, but we do not guarantee its accuracy, completeness, or timeliness. Any investment decisions made based on this website’s information are at your own risk.

4. We strongly recommend that you conduct your own thorough research and consult an independent, licensed financial advisor before making any investment decisions.

Recommended reading: