Installing OpenClaw? Watch Out — This Fake npm Package Deploys a RAT and Steals Everything on Your Mac

Supply chain attacks on npm are nothing new, but this one caught my attention with its sheer level of polish. The attacker didn't just throw together a quick credential stealer — they built a full social engineering pipeline with a convincing fake CLI, native macOS dialogs, and a multi-stage encrypted payload. Let's tear it apart.

What Was Found?

Security researchers at JFrog discovered a malicious npm package called @openclaw-ai/openclawai. It impersonates OpenClaw (a legitimate open-source, multi-channel AI gateway) and deploys a full-featured remote access trojan (RAT) that exfiltrates virtually everything from your macOS system.

The kicker? The package is still live on npm as of this writing. You can download it right now.

Let's take a look at the actual npm metadata:

1$ npm view @openclaw-ai/openclawai
2
3@openclaw-ai/openclawai@1.5.15 | ISC | deps: none | versions: 2
4openclaw-ai installer
5https://openclaw.com
6
7bin: openclaw
8
9dist
10.tarball: https://registry.npmjs.org/@openclaw-ai/openclawai/-/openclawai-1.5.15.tgz
11.shasum: 5f96e92cc2aaab51f45a20e34f6f4aef0d4e8abd
12.integrity: sha512-XXXXXXXXXXXXXXXXXXXXXX
13.unpackedSize: 70.6 kB
14.fileCount: 7
15
16maintainers:
17- openclaw-ai <vexewatupo329@gmail.com>
18
19dist-tags:
20latest: 1.5.15
21
22published 4 days ago by openclaw-ai <vexewatupo329@gmail.com>

Red flags everywhere:

• deps: none — Zero dependencies. An "installer" with zero deps? That's suspicious by itself.
• Maintainer email vexewatupo329@gmail.com — Clearly a throwaway address.
• Only 2 versions (1.5.14 and 1.5.15), published March 3 and March 6, 2026 — fast in, fast out.
• Unpacked size 70.6 kB, 7 files — Small footprint, but malware doesn't need much.
• bin field points to scripts/setup.js — The entry point IS the malicious script.

Compare this with the legitimate OpenClaw package:

1$ npm view openclaw
2
3openclaw@2026.3.8 | MIT | deps: 27 | versions: 55
4The open-source, multi-channel AI gateway

The real package is openclaw (by steipete) — 27 dependencies, 55 versions, MIT license. The malicious one uses a scoped name @openclaw-ai/openclawai to ride on the brand. Classic typosquatting with a twist.

Hands-On Analysis: What's Actually Inside the Package

Reading reports is one thing. I downloaded the tarball myself (without installing — no scripts executed) and tore it open.

The original malicious files, deobfuscation scripts, and partially decoded source are available on GitHub: xuemian168/openclaw-ai_openclawai

1# Safe download: tarball only, no postinstall execution
2$ npm pack @openclaw-ai/openclawai --pack-destination /tmp/analysis
3
4# Extract and inspect
5$ tar xzf openclaw-ai-openclawai-1.5.15.tgz
6$ ls -la package/
7Readme.md          598B   # Carefully crafted fake docs
8package.json       598B   # Entry point config
9scripts/build.js   590B   # Fake build script (just copies files)
10scripts/postinstall.js  389B   # Trigger: globally installs itself
11scripts/setup.js   63.6kB # ← The malicious payload, 63KB in a single line
12src/index.js       1.3kB  # Decoy SDK code
13src/index.d.ts     458B   # TypeScript definitions (window dressing)

package.json: Where It All Begins

1{
2  "name": "@openclaw-ai/openclawai",
3  "version": "1.5.15",
4  "description": "🦞 OpenClaw Installer - Integration utilities",
5  "bin": { "openclaw": "./scripts/setup.js" },
6  "dependencies": {}
7}

Notice: no explicit postinstall hook in the scripts field — it's hidden in the scripts/postinstall.js file (npm auto-detects lifecycle script files in the scripts/ directory). Sneaky.

postinstall.js: The Trigger

1#!/usr/bin/env node
2'use strict';
3const { execSync } = require('child_process');
4
5console.log('\n📦 Installing additional dependencies...');
6try {
7    execSync("npm i -g @openclaw-ai/openclawai", { stdio: 'inherit' });
8    console.log('\n✔ Dependencies installed successfully.\n');
9} catch (e) {
10    console.log('\n⚠ Optional dependency installation had warnings (continuing)\n');
11}

Dead simple. After local install, it re-installs itself globally via npm i -g — registering the openclaw command in your PATH. Note the catch block — even if global install fails, it silently continues. Fail gracefully... for the attacker.

src/index.js: The Decoy

1function useAsyncState(promiseFn, options = {}) {
2    // ... a perfectly harmless async state management utility
3}
4function init(config = {}) {
5    return { ready: true, version: '1.5.14', config };
6}

This code is completely benign — with proper JSDoc comments, TypeScript definitions, and usage examples in the README. Its sole purpose is to make you think "oh, it's just a simple utility library" and never bother opening scripts/setup.js. Classic misdirection.

setup.js: The 63KB Payload

Here's the main event. 63,567 characters, compressed into a single line, obfuscated with the full obfuscator.io suite:

1#!/usr/bin/env node
2const _0x845d0a=_0x55c1;(function(_0x2c7d24,_0x2c5a61){const _0x5d0ec1=_0x55c1,_0x1664eb=_0x2c7d24();while(!![]){try{const _0x3564f8=-parseInt(...
3// ... 63,567 characters, 860 encrypted string references

Completely unreadable at first glance. But I wrote a safe deobfuscation script that runs only the string decoder inside a Node.js VM sandbox (without executing the malicious logic), successfully decoding 860 encrypted strings. Here's what I found:

Fake Installation UI Strings

1🦞 OpenClaw installed successfully!
2✓ Node.js v25.6.1 found
3  · Active Node.js: v25.6.1 (/opt/homebrew/bin/node)
4  · Active npm: 11.9.0 (/opt/homebrew/bin/npm)
5✓ Git already installed
6✓ Detected...
7Installing OpenClaw...
8Finalizing installation...
9Preparing...

The code includes a full realisticProgressBar() function with █ and ░ characters and randomized delays to simulate authentic installation. It even reads your actual Node.js version in real-time. Honestly, this UI is more polished than some legitimate open-source projects — just deployed for the wrong purpose.

AppleScript Social Engineering Dialog

1osascript
2Authorization Required
3Authentication failed. Please try again
4do shell script \...

It uses osascript to invoke native macOS AppleScript dialogs. The title reads "Authorization Required" — indistinguishable from a real system prompt. It even handles wrong passwords with a retry message. The attacker's "customer service" is better than some real apps.

Full Disk Access (FDA) Social Engineering

1OpenClaw requires Full Disk Access...
2preferences:com.apple.preference.security?Privacy_AllFiles
31. Click the ... the switch ON
4Terminal (or your IDE)
5You need to restart your terminal after granting access

If the script detects it doesn't have FDA, it displays a dialog with step-by-step instructions to grant Full Disk Access:

1. Automatically opens System Preferences to the Privacy page (Privacy_AllFiles)
2. Tells you exactly which switch to flip
3. Reminds you to restart your terminal

The attacker literally wrote a user guide for victims. That's a new level of audacity.

Encrypted Payload Delivery

1createDecipheriv    → AES-256 decryption
2randomBytes         → Cryptographic random
3child_process       → Subprocess execution
4execPath            → Node.js executable path
5unlinkSync          → Delete temp files

Cross-Platform Support (Windows Too)

1$ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext
2ValidateCredentials('...')
3Add-Type -AssemblyName System.*
4-NoProfile -NonInteractive -Command

The malware also has a Windows branch — using PowerShell's DirectoryServices.AccountManagement to validate Windows domain credentials. macOS users aren't the only targets.

Suspicious Identifiers

1complexarchaeologist    → Likely a C2 identifier/subdomain
2pipe                    → Pipe communication
3vault                   → Disguised as secure storage
4Wallet Sync             → Disguised as wallet synchronization

complexarchaeologist — the attacker's chosen codename. "Excavating" other people's data, perhaps?

Attack Chain: From Install to Total Compromise

The attack flow is designed with remarkable attention to detail, unfolding across multiple stages.

Stage 1: Global Install + PATH Hijacking

After installation, postinstall.js triggers a global install. The bin field takes effect, and the openclaw command now points to scripts/setup.js. From this point on, typing openclaw in your terminal executes the malicious script.

One line of npm i -g — that's all it takes for PATH hijacking.

Stage 2: Social Engineering

setup.js acts as the first-stage dropper, and its performance is Oscar-worthy:

1. Displays a convincing fake CLI installer — complete with realistic progress bar animations and your actual Node.js version
2. Shows a forged iCloud Keychain authorization prompt — via native osascript AppleScript dialogs

Think about it — if you're a macOS developer and you see a Keychain authorization prompt after installing a tool, you'll probably type in your password without a second thought. And just like that, your system password is gone.

Stage 3: Encrypted Payload Delivery

While you're watching the fake installation, the script is busy in the background:

• Fetches an encrypted second-stage JavaScript payload from C2 server trackpipe[.]dev
• Decrypts it using AES-256 via createDecipheriv
• Writes to a temp file and spawns it as a detached child process
• Deletes the temp file via unlinkSync — covering its tracks

If it detects no Full Disk Access, it pops up an AppleScript dialog that opens com.apple.preference.security?Privacy_AllFiles directly, walking you through enabling FDA for Terminal.

Granting FDA to the attacker means your Apple Notes, iMessage, Safari history, and Mail data are all exposed. You just opened your own front door for them.

Stage 4: Comprehensive Data Theft

The second-stage payload contains approximately 11,700 lines of code — a mature infostealer + RAT framework. Internally, the malware identifies itself as "GhostLoader".

The scope of data theft is staggering:

At this point you have to wonder: did you install an npm package or hire a moving company?

Stage 5: Data Exfiltration

After collecting everything, the malware:

1. Compresses all data into a tar.gz archive
2. Exfiltrates through three channels simultaneously:
   • Direct upload to C2 server
   • Via Telegram Bot API
   • Upload to GoFile.io

Triple redundancy — don't put all your eggs in one basket, right? This attacker's operational resilience is ironically better than some startups'.

Stage 6: Persistent Residence

Think it's done after stealing your data? Not even close. The malware enters a persistent daemon mode:

• Monitors clipboard every 3 seconds — matching 9 predefined patterns:
  • Private keys, WIF keys, SOL private keys, RSA private keys
  • BTC addresses, ETH addresses
  • AWS Keys, OpenAI Keys, Strike Keys
• Real-time iMessage chat monitoring
• Running process tracking

It's sitting in your system, waiting for the moment you copy-paste a crypto wallet address. Got it. Thanks.

Stage 7: Remote Control

The RAT accepts commands from the C2 server including:

• Execute arbitrary shell commands
• Open URLs in the victim's browser
• Download additional payloads
• Upload files
• Start/stop a SOCKS5 proxy
• Clone browser profiles and launch in headless mode
• Self-destruct + self-update

The browser cloning capability is especially dangerous — it launches a headless Chromium instance using the victim's existing browser profile (cookies, sessions, history). The attacker doesn't need your password. They get a fully authenticated browser session. They don't use your computer — they become you.

Lessons Learned

This case offers several important takeaways:

1. Always verify the package name — openclaw ≠ @openclaw-ai/openclawai. Read carefully before you install.
2. Watch for postinstall hooks — Use --ignore-scripts when installing untrusted packages.
3. Never enter your password in a CLI prompt — Any command-line tool asking for your system password should trigger alarm bells. Ask yourself three times: "Is this legitimate?"
4. Check maintainer info — Throwaway emails, minimal versions, zero dependencies on an "installer" are all red flags.
5. Run npm view first — A 10-second check before installing an unfamiliar package can save you.

1# Takes 10 seconds. Could save everything.
2npm view <package-name>

JFrog security researcher Meitar Palas summed it up well:

"The @openclaw-ai/openclawai package combines social engineering, encrypted payload delivery, broad data collection, and a persistent RAT into a single npm package. The polished fake CLI installer and Keychain prompt are convincing enough to extract system passwords from cautious developers, and once captured, those credentials unlock macOS Keychain decryption and browser credential extraction that would otherwise be blocked by OS-level protections."

The scariest part of this package isn't the technical sophistication — it's how well the social engineering is executed. The progress bar, the version detection, the Keychain prompt, the FDA tutorial — every step exploits a developer's habitual trust. Next time you run npm install, take a closer look. In the npm ecosystem, "npm view before you install" is a survival skill.