ONE Sentinel

Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials

Source: The Hacker News
March 9, 2026

EXECUTIVE SUMMARY

Malicious npm Package Impersonates OpenClaw Installer to Deploy RAT

Summary

A malicious npm package disguised as an OpenClaw installer has been identified, deploying a remote access trojan (RAT) to steal sensitive data from macOS systems. The package, named "@openclaw-ai/openclawai," was uploaded to the npm registry by a user named "openclaw-ai."

Key Points

  • The malicious package is named "@openclaw-ai/openclawai."
  • It was uploaded to the npm registry on March 3, 2026.
  • The package has been downloaded 178 times.
  • The package deploys a remote access trojan (RAT) to steal macOS credentials.
  • The package masquerades as an installer for OpenClaw.

Analysis

This incident highlights the ongoing threat posed by malicious packages in software repositories, which can easily be mistaken for legitimate software. The use of a RAT to steal sensitive data from macOS systems underscores the importance of verifying the authenticity of software packages before installation. The 178 downloads indicate a potential risk to users who may have installed the package and unknowingly compromised their systems.

Conclusion

IT professionals should exercise caution when downloading and installing packages from software repositories. It is crucial to verify the authenticity of packages and monitor for any unusual activity on systems that may indicate a compromise.
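
One way to check whether an npm project resolved the package named above, as an added example (not code from the original article or from OpenClaw): it scans a parsed `package-lock.json` in both the flat v2/v3 layout and the nested v1 layout. The function names, sample lockfiles and version strings are constructed for illustration; only the package name comes from the article.

```javascript
// Added example: locate a flagged package in a parsed package-lock.json.
// The package name is the only indicator taken from the article.
const FLAGGED = ["@openclaw-ai/openclawai"];

// Lockfile v2/v3: flat "packages" map keyed by install path, e.g.
// "node_modules/a/node_modules/@scope/name". The "" key is the root project.
function scanPackagesMap(packages, flagged, hits) {
  const marker = "node_modules/";
  for (const [path, meta] of Object.entries(packages)) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1) continue; // root project or workspace folder
    // npm records meta.name when the folder name differs (e.g. an alias).
    const name = meta.name || path.slice(idx + marker.length);
    if (flagged.includes(name)) hits.push({ name, version: meta.version || null, path });
  }
}

// Lockfile v1: nested "dependencies" tree keyed by package name.
function scanDependencyTree(deps, flagged, hits, trail) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const chain = trail.concat(name);
    if (flagged.includes(name)) hits.push({ name, version: meta.version || null, path: chain.join(" > ") });
    scanDependencyTree(meta.dependencies, flagged, hits, chain);
  }
}

// v2 lockfiles carry both sections; prefer "packages" to avoid duplicate hits.
function findFlaggedPackages(lock, flagged = FLAGGED) {
  const hits = [];
  if (lock.packages) scanPackagesMap(lock.packages, flagged, hits);
  else scanDependencyTree(lock.dependencies, flagged, hits, []);
  return hits;
}

// Constructed sample lockfiles; the version strings are placeholders.
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-pad": { version: "1.3.0" },
  "node_modules/helper/node_modules/@openclaw-ai/openclawai": { version: "0.0.0-sample" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  helper: { version: "2.0.0", dependencies: {
    "@openclaw-ai/openclawai": { version: "0.0.0-sample" } } },
} };

console.log(findFlaggedPackages(sampleV3), findFlaggedPackages(sampleV1));
```

For a real project, pass the result of `JSON.parse` on the contents of `package-lock.json`. A hit shows the package was resolved into the dependency tree, not whether its code ran.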