Openclaw Impersonation Attack Steals Passwords and Crypto Wallet Data

March 10, 2026

A malicious npm package impersonating an installer for the Openclaw artificial intelligence (AI) agent framework is spreading credential-stealing malware designed to quietly take control of developer machines.

Security Researchers Expose Malicious Openclaw npm Package

Security researchers say the package is part of a supply-chain attack aimed at developers working with Openclaw and similar AI-agent tooling. Once installed, the package launches a staged infection that ultimately deploys a remote access trojan known as Ghostloader.

The attack was identified by JFrog Security Research and disclosed between March 8 and March 9, 2026. According to the firm’s report, the package appeared on the npm registry in early March and had been downloaded roughly 178 times as of March 9. Despite the disclosure, the package remained available on npm at the time of reporting.

At first glance, the software looks harmless. The package uses a name that resembles official Openclaw tooling and includes ordinary-looking JavaScript files and documentation. Researchers say the visible components appear benign, while the malicious behavior is triggered during the installation process.

When anyone installs the package, hidden scripts activate automatically. These scripts create the illusion of a legitimate command-line installer, displaying progress indicators and system messages designed to mimic a real software setup routine.

During the installation sequence, the program presents a fake system authorization prompt requesting the user’s computer password. The prompt claims the request is necessary to securely configure credentials for Openclaw. If the password is entered, the malware gains elevated access to sensitive system data.

Behind the scenes, the installer retrieves an encrypted payload from a remote command-and-control server controlled by the attackers. Once decrypted and executed, that payload installs the Ghostloader remote access trojan.

Researchers say Ghostloader establishes persistence on the system while disguising itself as a routine software service. The malware then periodically contacts its command-and-control infrastructure to receive instructions from the attacker.

The trojan is designed to collect a wide range of sensitive information. According to JFrog’s analysis, it targets password databases, browser cookies, saved credentials, and system authentication stores that may contain access to cloud platforms, developer accounts, and email services.

Cryptocurrency users may face additional risk. The malware searches for files associated with desktop crypto wallets and browser wallet extensions and scans local folders for seed phrases or other wallet recovery information.

The tool also monitors clipboard activity and can harvest SSH keys and development credentials commonly used by engineers to access remote infrastructure. Security experts say this combination makes developer systems particularly attractive targets because they often hold credentials to production environments.

In addition to data theft, Ghostloader includes remote access capabilities that allow attackers to execute commands, retrieve files, or route network traffic through the compromised system. Researchers say these features effectively turn infected machines into footholds inside developer environments.

The malicious software also installs persistence mechanisms so it restarts automatically after system reboots. These mechanisms typically involve hidden directories and modifications to system startup configurations.

JFrog researchers identified several indicators associated with the campaign, including suspicious system files tied to an “npm telemetry” service and connections to infrastructure controlled by the attackers.

Cybersecurity analysts say the incident reflects a growing trend of supply-chain attacks targeting developer ecosystems. As AI frameworks and automation tools gain traction, attackers are increasingly disguising malware as helpful developer utilities.

Developers who installed the package are advised to remove it immediately, review system startup configurations, delete suspicious telemetry directories, and rotate passwords and credentials stored on the affected machine.

Security experts also recommend installing developer tools only from verified sources, reviewing npm packages carefully before global installation, and using supply-chain scanning tools to detect suspicious dependencies.
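The install-time scripts and the pre-install review described above can be checked mechanically. The following is an added example, not code from JFrog or the Openclaw project: it audits a parsed `package.json` for hooks npm runs automatically on install and for names that resemble a trusted package. The allowlist entry `openclaw` and the sample manifest are assumptions constructed for illustration.

```javascript
// Added example. Package names and manifests here are constructed.
// Hooks npm runs automatically when a registry package is installed.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall"];

// Levenshtein distance, used to catch near-miss spellings of a trusted name.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Lowercase and drop scope markers and separators, so "@x/Open-Claw"
// still contains "openclaw" after normalization.
const normalize = (name) => String(name).toLowerCase().replace(/[^a-z0-9]/g, "");

// Returns findings for a parsed package.json; trustedNames is the caller's allowlist.
function auditManifest(manifest, trustedNames) {
  const findings = [];
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === "string") {
      findings.push({ type: "install-script", hook, command: scripts[hook] });
    }
  }
  if (trustedNames.includes(manifest.name)) return findings; // exact trusted name
  const name = normalize(manifest.name);
  for (const trusted of trustedNames) {
    const t = normalize(trusted);
    if (name.includes(t) || editDistance(name, t) <= 2) {
      findings.push({ type: "lookalike-name", resembles: trusted });
    }
  }
  return findings;
}

// Constructed manifest: borrows a trusted name and runs code at install time.
const sample = {
  name: "example-openclaw-setup",
  scripts: { postinstall: "node scripts/setup.js" },
};
console.log(auditManifest(sample, ["openclaw"]));
```

To obtain a manifest without running any hook, fetch the tarball with `npm pack <name>` and read its `package.json`; installing with `npm install --ignore-scripts` also prevents the hooks from executing.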

The Openclaw project itself has not been compromised, and researchers emphasize that the attack relies on impersonating the framework through a deceptive package name rather than exploiting the official software.

FAQ 🔎

  • What is the malicious Openclaw npm package? The package impersonates an OpenClaw installer and secretly installs GhostLoader malware.
  • What does the Ghostloader malware steal? It collects passwords, browser credentials, crypto wallet data, SSH keys, and cloud service credentials.
  • Who is most at risk from this npm malware attack? Anyone who installed the package, especially those using AI frameworks or crypto wallet tools, may have exposed credentials.
  • What should people do if they have installed the package? Immediately remove it, check system startup files, delete suspicious directories, and rotate all sensitive credentials.
