A rogue npm package posing as a trusted developer tool has surfaced as part of a malware campaign targeting software developers. It silently drains credentials, cryptocurrency wallets, SSH keys, browser sessions, and even iMessage conversations.

Published under the name @openclaw-ai/openclawai, the package launches a deeply hidden infection chain that runs completely in the background while posing as a genuine command-line installer known as "OpenClaw Installer." Although the larger campaign is monitored under the name GhostClaw, the malware internally identifies itself as GhostLoader. The malware specifically targets developers whose daily workflows depend on the npm ecosystem.

Through a postinstall hook, the package quietly re-installs itself globally as soon as a developer runs the install command, ensuring the malicious binary lands on the system PATH unnoticed. Developers who have installed this package should remove the .npm_telemetry directory, stop any running monitor.js processes, check shell configuration files such as ~/.zshrc, ~/.bashrc, and ~/.bash_profile for injected hook lines, and uninstall the package completely. System passwords, SSH keys, and API tokens for AWS, GCP, Azure, OpenAI, Stripe, and GitHub must all be rotated immediately; a seed phrase cannot be rotated, so any wallet whose seed phrase was exposed should be treated as compromised and its funds moved to a freshly generated wallet.

To stop unwanted access, open browser sessions on Google, GitHub, and any other platform should be terminated.
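The host-side steps above (find and kill the process, remove the dropped directory, clean the shell rc files, uninstall the package), as an added shell example that is not from the original article or from the GhostClaw report. It assumes, because the article does not say, that the directory is $HOME/.npm_telemetry, that the background process shows monitor.js in its command line, and that injected hook lines in the rc files mention the directory, monitor.js, or the package name; the rc lines used in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the article): audit and cleanup helpers for a host
# that installed @openclaw-ai/openclawai. Assumptions, not facts from the
# report: the dropped directory is $HOME/.npm_telemetry, the background
# process shows "monitor.js" in its command line, and injected rc hook lines
# mention the directory, monitor.js, or the package name.

HOOK_PATTERN='npm_telemetry|monitor\.js|openclawai'
RC_FILES="$HOME/.zshrc $HOME/.bashrc $HOME/.bash_profile"
TELEMETRY_DIR="$HOME/.npm_telemetry"

# Print matching lines (with line numbers) from one rc file; silent if absent.
find_hook_lines() {
    [ -r "$1" ] || return 0
    grep -nE "$HOOK_PATTERN" "$1" || true
}

# Print the number of suspicious lines in one rc file (0 if it is missing).
count_hook_lines() {
    if [ -r "$1" ]; then
        grep -cE "$HOOK_PATTERN" "$1" || true
    else
        echo 0
    fi
}

# Drop suspicious lines from an rc file, keeping a backup beside it so the
# removed lines can be reviewed and a false positive can be restored.
strip_hook_lines() {
    [ -r "$1" ] || return 0
    cp -- "$1" "$1.ghostclaw.bak"
    grep -vE "$HOOK_PATTERN" "$1.ghostclaw.bak" > "$1" || true
}

# Read-only audit: report every indicator, change nothing.
ghostclaw_audit() {
    total=0
    if pgrep -f 'monitor\.js' >/dev/null 2>&1; then
        echo "process: monitor.js is running"
        total=$((total + 1))
    fi
    if [ -d "$TELEMETRY_DIR" ]; then
        echo "directory: $TELEMETRY_DIR exists"
        total=$((total + 1))
    fi
    for rc in $RC_FILES; do
        n=$(count_hook_lines "$rc")
        if [ "$n" -gt 0 ]; then
            echo "rc file: $rc has $n suspicious line(s)"
            find_hook_lines "$rc"
            total=$((total + n))
        fi
    done
    echo "indicators found: $total"
}

# Destructive cleanup, run only on request: stop the process, remove the
# directory, clean the rc files, uninstall the package globally and locally.
ghostclaw_cleanup() {
    pkill -f 'monitor\.js' 2>/dev/null || true
    rm -rf -- "$TELEMETRY_DIR"
    for rc in $RC_FILES; do
        if [ "$(count_hook_lines "$rc")" -gt 0 ]; then
            strip_hook_lines "$rc"
        fi
    done
    npm uninstall -g @openclaw-ai/openclawai 2>/dev/null || true
    npm uninstall @openclaw-ai/openclawai 2>/dev/null || true
}

# Default is the read-only audit; GHOSTCLAW_CLEAN=1 runs the cleanup.
if [ "${GHOSTCLAW_CLEAN:-0}" = "1" ]; then
    ghostclaw_cleanup
else
    ghostclaw_audit
fi
```

Run it once without arguments to get the audit report, then with `GHOSTCLAW_CLEAN=1` to clean up; the rc-file backups (`~/.zshrc.ghostclaw.bak` and so on) hold whatever was removed. The pattern is deliberately broad, so review the backup before deleting it: a legitimate line that merely mentions the package name would also be stripped. Iterating over `$RC_FILES` as a word list keeps the script POSIX sh but breaks if $HOME contains spaces. None of this replaces the credential rotation, session termination, or re-image the article calls for; it only removes the persistence the attacker left behind.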

A full system re-image is highly advised due to the extent to which this malware embeds itself.