Devs looking for OpenClaw get served a GhostClaw RAT
Summary
A malicious npm package named '@openclaw-ai/openclawai' has been discovered that poses as an OpenClaw installer but instead deploys a remote access trojan (RAT) called GhostLoader. The malware uses social engineering to obtain system credentials, then steals other sensitive data such as browser data, cryptocurrency wallets, and SSH keys before establishing persistence.
IFF Assessment
The discovery of a sophisticated RAT that steals credentials and establishes persistence is detrimental to defenders.
Defender Context
Defenders need to be vigilant about the security of software supply chains, particularly in open-source package repositories like npm. Attackers are using deceptive naming and social engineering to trick developers into installing malicious code that can lead to credential theft and system compromise.
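Two of the warning signs the article describes, a package name that imitates a project developers are searching for and code that runs the moment `npm install` finishes, can be checked mechanically before a dependency is trusted. The script below is an added example written for this page; it is not code from the article, from the OpenClaw project, or from the malicious package. It audits npm package manifests (the `package.json` files you would find under `node_modules`) and flags lookalike names published under a scope that is not on a verified list, as well as `preinstall`/`install`/`postinstall` lifecycle scripts. The watchlist, the "verified" scope `@openclaw`, and all three sample manifests are constructed for illustration; in particular the `postinstall` entry in the first sample is an assumption made to exercise the rule, not a claim about what the real package contains.

```javascript
// Added example (not from the article or the OpenClaw project): audit npm
// package manifests for two supply-chain red flags described in the article,
// lookalike names under an unverified scope and install-time lifecycle hooks.

// npm runs these hooks automatically during `npm install`, so a malicious
// package can execute code before the developer has looked at it.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Watchlist: names developers are likely to search for, mapped to the scopes a
// defender has verified as legitimate. Both entries are assumptions for this
// demo; maintain your own list from verified sources.
const WATCHLIST = {
  openclaw: new Set(['@openclaw']), // assumed legitimate scope (placeholder)
};

// Collapse case, hyphens and underscores so "Open-Claw_AI" matches "openclaw".
function normalize(s) {
  return s.toLowerCase().replace(/[^a-z0-9]/g, '');
}

// Split "@scope/name" into scope and base name; unscoped names get scope null.
function splitName(name) {
  const m = /^(?:(@[^/]+)\/)?([^/@]+)$/.exec(name);
  return m ? { scope: m[1] || null, base: m[2] } : null;
}

// Audit one manifest object (parsed package.json) and return a list of findings.
function auditManifest(pkg) {
  const findings = [];
  const parts = splitName(pkg.name || '');
  if (!parts) {
    findings.push({ rule: 'malformed-name', detail: String(pkg.name) });
    return findings;
  }
  const base = normalize(parts.base);
  for (const [target, okScopes] of Object.entries(WATCHLIST)) {
    const scopeVerified = parts.scope !== null && okScopes.has(parts.scope);
    if (base.includes(target) && !scopeVerified) {
      findings.push({
        rule: 'lookalike-name',
        detail: `${pkg.name} resembles "${target}" but scope ${parts.scope ?? '(none)'} is not verified`,
      });
    }
  }
  const scripts = pkg.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (typeof scripts[hook] === 'string' && scripts[hook].trim() !== '') {
      findings.push({ rule: 'install-hook', detail: `${pkg.name} runs "${hook}": ${scripts[hook]}` });
    }
  }
  return findings;
}

// Audit a set of manifests; returns { packageName: [findings] } for flagged ones.
function auditAll(manifests) {
  const report = {};
  for (const pkg of manifests) {
    const findings = auditManifest(pkg);
    if (findings.length > 0) report[pkg.name] = findings;
  }
  return report;
}

// Constructed sample manifests. The first reuses the package name from the
// article; its scripts field is invented for the demo, not real content.
const SAMPLE_MANIFESTS = [
  { name: '@openclaw-ai/openclawai', version: '1.0.0', scripts: { postinstall: 'node ./setup.js' } },
  { name: '@openclaw/cli', version: '2.3.1', scripts: { test: 'jest' } },
  { name: 'left-pad', version: '1.3.0' },
];

console.log(JSON.stringify(auditAll(SAMPLE_MANIFESTS), null, 2));
```

In practice you would feed `auditAll` the parsed `package.json` of every directory under `node_modules` (or the entries of a lockfile) and treat any `install-hook` finding on an unfamiliar package as a reason to read the hook's script before letting it run, for example by installing with `npm install --ignore-scripts` first. Name matching is deliberately loose and will produce false positives; the point is to surface candidates for a human look, not to block automatically.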