
GhostClaw Haunts Devs: A Single npm Install Costs 178 Coders Their Keys, Wallets, and AI Bag

A fresh macOS-exclusive plague dubbed GhostClaw has been quietly draining developer crypto wallets. The source is a fraudulent OpenClaw CLI package uploaded to npm by the user openclaw-ai on March 3. It sat in the registry like a bad smell for a full week, compromising 178 developers before its removal on March 10.

Executing npm install triggers a hidden script that deploys GhostClaw globally and kicks off a heavily obfuscated setup file. The phony OpenClaw interface then hits you with a macOS Keychain prompt for your password, validates it using a native tool, and proceeds to download a second-stage JavaScript payload—GhostLoader—from a remote command server.

Here's where GhostLoader gets to work, performing a digital strip-search: it rummages through Chromium browsers, the macOS Keychain, system storage, and even clones live browser sessions. Every three seconds it checks your clipboard, hoping to catch a private key or seed phrase trying to sneak by. It also nabs cloud credentials, SSH keys, and API tokens for AI services like OpenAI and Anthropic. All the loot is shipped out via Telegram, GoFile, and command servers, and the malware can execute further commands, drop more payloads, or establish new backdoors—basically turning your machine into a crypto ATM for a remote operator.

A separate but equally grifty campaign rides the OpenClaw hype train on GitHub. Attackers open issue threads, tag developers, and dangle the carrot of a $5,000 CLAW token airdrop. Suckered devs are sent to a spoofed site impersonating openclaw.ai, which then asks them to connect a crypto wallet. The moment they do, the wallet is instantly emptied. This phishing operation uses a redirect chain through token-claw.xyz and a command server at watery-compost.today (because nothing says "serious threat actor" like a domain named after soggy garden waste). A malicious JavaScript file pilfers wallet addresses and transaction data before wiping local storage to cover its tracks. OX Security pinpointed a wallet address likely holding the stolen funds.

Both attack methods are pure social engineering, preying on developers who've shown interest in OpenClaw repos. The moral of the story: never connect a wallet to a random website, and treat unsolicited GitHub token offers with the same skepticism you'd apply to a DM from a "Satoshi" account.

Publisher: gascope.com
Updated: Mar 23, 2026, 05:49 UTC
