Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials
Summary
Researchers found a malicious npm package disguised as an OpenClaw installer. The package, named '@openclaw-ai/openclawai', deploys a remote access trojan (RAT) to steal macOS credentials and has been downloaded 178 times. It was uploaded to the npm registry on March 3, 2026.
IFF Assessment
This discovery is bad news for defenders as it represents a new attack vector via a popular package manager that can lead to credential theft and remote access.
Defender Context
Defenders should be vigilant about the security of supply chains, particularly within popular package registries like npm. Monitoring for newly published packages from unknown or suspicious publishers, especially those mimicking legitimate projects, is crucial. Organizations should implement robust dependency scanning and code analysis to detect and prevent the introduction of such malicious code into their development pipelines.
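One way to apply the dependency-scanning advice above to this specific package, as an added example that is not from the researchers' report: the script walks an npm lockfile (both the v1 nested layout and the v2/v3 flat layout), flags the reported package name, and flags other names containing the project keyword. The allowlist entry "openclaw", the sample lockfile and all version numbers are assumptions constructed for illustration.

```javascript
const BLOCKED = new Set(["@openclaw-ai/openclawai"]); // name from the report
const KEYWORD = "openclaw"; // project name being impersonated
const ALLOWED = new Set(["openclaw"]); // ASSUMPTION: names you have verified
const NM = "node_modules/";

// v2/v3 keys look like "node_modules/a/node_modules/@scope/b": name follows the last NM.
function nameFromPath(path) {
  const i = path.lastIndexOf(NM);
  return i === -1 ? null : path.slice(i + NM.length);
}

// Return [{name, version, where}] for every installed package in the lockfile.
function collect(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      const name = nameFromPath(path); // root "" and workspace paths yield null
      if (name) found.push({ name, version: meta.version, where: path });
    }
    return found; // v2 also mirrors this tree in "dependencies"; skip it
  }
  const walk = (deps, trail) => { // lockfile v1: nested "dependencies"
    for (const [name, meta] of Object.entries(deps || {})) {
      found.push({ name, version: meta.version, where: trail + name });
      walk(meta.dependencies, trail + name + " > ");
    }
  };
  walk(lock.dependencies, "");
  return found;
}

function audit(lock) {
  return collect(lock).flatMap((pkg) => {
    const n = pkg.name.toLowerCase();
    if (BLOCKED.has(n)) return [{ ...pkg, reason: "blocked" }];
    const squashed = n.replace(/[^a-z0-9]/g, ""); // "open-claw-cli" -> "openclawcli"
    const lookalike = squashed.includes(KEYWORD) && !ALLOWED.has(n);
    return lookalike ? [{ ...pkg, reason: "lookalike" }] : [];
  });
}

// Constructed sample lockfile; names other than the reported one are made up.
const sampleLock = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/openclaw": { version: "0.0.0" },
  "node_modules/tool/node_modules/@openclaw-ai/openclawai": { version: "0.0.0" },
  "node_modules/open-claw-cli": { version: "0.0.0" },
} };
console.log(audit(sampleLock));
```

In a pipeline, pass the parsed contents of package-lock.json to audit() and fail the build when it returns any "blocked" finding; "lookalike" findings are candidates for manual review.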