Malware GhostClaw steals developers' encrypted wallet data through npm packages

By: rootdata|2026/03/23 09:42:00

According to Cryptopolitan, a new type of malware called GhostClaw is targeting cryptocurrency wallets on macOS devices.

This malware disguised itself as a legitimate OpenClaw CLI tool and was present in the npm registry for a week before being removed after infecting 178 developers. Once developers run the "npm install" command, a hidden script globally installs the GhostClaw package and evades detection through obfuscated configuration files. GhostClaw scans the clipboard every three seconds, capturing private keys, seed phrases, public keys, and other cryptocurrency wallet and transaction-related data.

After the second stage payload is downloaded, GhostLoader scans for cryptocurrency wallet data in the Chromium browser, macOS Keychain, and system storage, clones browser sessions to gain access to logged-in wallets, and steals API Tokens that connect to AI platforms such as OpenAI and Anthropic. The stolen data is sent to the attackers via Telegram, GoFile, and command servers.

-- Price

Mainstream exchanges are, on one hand, massively delisting coins, and on the other hand, massively listing tokenized stock assets. Essentially, this is a supply-side reform aimed at "bad money." The quality of the asset targets and the compliance of the platforms will become the focus of competition...

Before the $75,000 Gamma level, both bulls and bears are waiting for a signal

The selling pressure is being digested, and the belief is still on the way.

Business Opportunities of Tokenized Stocks

In this article, we will outline the lifecycle of tokenized stocks, analyze the current market landscape, and highlight the emerging business opportunities.

In-depth research report on the Resolv protocol hacking incident, who is the final payer?

This incident reveals a fundamental weakness in Delta's stablecoin - the coupling point between the minting logic and off-chain signatures/oracles is the most vulnerable attack surface of the system. Any capital efficiency design of "1 dollar minted for 1 dollar" must be predicated on extremely rigo...

Crypto Market Sees Large Liquidations: $272 Million in Long Positions Affected

Key Takeaways In the last 24 hours, $272 million worth of contracts were liquidated across the entire crypto…

Whale Increases BTC Shorts and Bets on Crude Oil: A Strategic Crypto Move

Key Takeaways A prominent whale, known as “UnRektCapital,” has strategically escalated its short position in Bitcoin while simultaneously…

Hackers in Brazil Use Fake Google Play Store to Steal Cryptocurrency

Key Takeaways Hackers in Brazil are exploiting fake Google Play Store pages to spread Android malware. Infected devices…

Exchanging 200,000 for nearly 100 million, DeFi stablecoins face another attack

DeFi project teams cannot assume that the modules they control are necessarily secure.

The underlying business agreement of the trillion-dollar Agent economy: Understanding ERC-8183, it's not just about payments, but the future

This article systematically analyzes the technical principles and commercial value of the ERC-8183 protocol from the dimensions of technical architecture, core mechanisms, application scenarios, and ecological collaboration.

When Wall Street's ETH begins to "yield": Looking at the asset properties of Ethereum from BlackRock's ETHB

ETH is undergoing a paradigm shift from a "volatile asset" to a "yield-generating cash flow asset."

The Power of Agency: The Agentic Wallet and the Next Decade of Wallets

In 1984, Apple killed the command line with a mouse. In 2026, Agent is killing the mouse.

Understanding x402 and MPP in One Article: Two Routes for Agent Payments

x402 makes payments within the agreement, while MPP makes system-level payments.

Particle Founder: The entrepreneurial insights I have gained the most from in the past year

Stop lean startup, stop lightning entrepreneurship, and think carefully about what your product aspirations are.

Quick Overview of Alliance ALL16 Demo Day: 18 New Projects Featuring Emerging Trends in Prediction Markets and AI Applications

ALL17 application deadline is March 25.

The Ethereum Foundation launches "Hardness," a dedicated team to safeguard the decentralized baseline

Hardness is a protocol-level commitment to the core attributes of Ethereum, including censorship resistance, privacy, security, and permissionlessness.

Morning News | Boya Interactive plans to invest no more than $70 million to purchase cryptocurrency; WeChat launches official lobster plugin; Bitcoin mining difficulty decreased by 7.76% to 133.79 T

Overview of Important Market Events on March 22

The competition for stablecoin yields, how has it stalled U.S. cryptocurrency regulatory legislation?

Congress has only a few weeks left to seek bank support for the CLARITY Act, or it may shelve the legislation due to the midterm elections.

This Week's News Preview | The joint cryptocurrency regulatory guidance document from the U.S. SEC and CFTC officially takes effect; Polymarket announces major news

Highlights of the week from March 23 to March 29.