Cybersecurity researchers uncover GhostLoader malware hidden in fake OpenClaw npm package

A malicious npm package disguised as a legitimate AI tool to install the virally popular OpenClaw, but designed to steal system passwords and crypto wallets, has been identified by cybersecurity researchers. 

Following the discovery of this malware, experts are now pushing for a new trust infrastructure that will keep the intentions of users provable while AI agents act independently.

GhostLoader targets users on the popularity of OpenClaw and AI agents

Cybersecurity experts have found a malicious npm package designed to take advantage of the global rise in AI agent adoption. The package disguises itself as the installer for the popular OpenClaw AI tool, but it actually stealthily steals nearly every sensitive data point on a developer’s machine.

The npm package was found in a package.json file under the name @openclaw-ai/openclawai. Once it is installed, the script silently re-installs the package globally to ensure its binary is placed on the system PATH.

The first stage involves an obfuscated script named setup.js. To the user, this looks like a standard installation process with animated progress bars and realistic system logs. In reality, the script triggers a fake authorization prompt based on the user’s operating system, whether that’s macOS, Windows, or Linux, before the installation finishes.

Once the password is stolen, it is passed to a massive 11,700-line JavaScript bundle known as GhostLoader.

GhostLoader is a comprehensive info-stealer and Remote Access Trojan (RAT). It installs itself permanently in a hidden directory disguised as a telemetry service (.npm_telemetry). It also modifies shell configuration files such as .zshrc and .bashrc to ensure it restarts whenever the user opens a terminal.

The legitimate OpenClaw tool was originally developed in Austria as open-source software and is currently seeing massive adoption in Asia. Cryptopolitan recently reported that Baidu is adding the OpenClaw AI agent to its main smartphone search app, bringing the tool directly to a user base of approximately 700 million monthly active users. Baidu also plans to integrate OpenClaw into its e-commerce and digital services.

Shoppers use these AI agents to compare products and pay through services like Alipay without leaving the app, and GhostLoader specifically targets this by scanning for AI agent configurations.

It searches for credential stores associated with tools such as ZeroClaw, PicoClaw, and OpenClaw. If it finds these files, it can steal API keys and session states, allowing attackers to hijack the digital identity of the user’s AI agents.

Mastercard and Google jump on the agentic commerce bandwagon

With AI agent adoption on the rise, companies like Mastercard and Google have introduced a new trust infrastructure called Verifiable Intent.

Verifiable Intent creates a tamper-resistant, cryptographic record of exactly what a user authorized. Industry leaders have so far shown their support for the initiative. Google’s Stavan Parikh stated that a user’s intent must remain clear and provable as AI agents act independently.

Tom Adams, CTO at Adyen, stated that a verifiable, privacy-preserving way to confirm customer intent is now foundational for merchants. IBM’s Kirstin Kirtley Silva explained that Verifiable Intent makes user authorization simple and allows agents to act safely across different platforms.

The system uses Selective Disclosure, a technique that makes sure only the minimum necessary information is shared for a transaction.

If a malicious package like GhostLoader were to steal an agent’s configuration file in a Verifiable Intent system, the attacker wouldn’t be able to spend the user’s money because they would lack the specific, time-bound cryptographic proof of the user’s intent.

Cybersecurity firm CrowdStrike has warned that giving AI agents full access to business systems is inherently dangerous.

For those who have installed @openclaw-ai/openclawai, security analysts recommend checking your .zshrc and .bashrc files for any lines referencing npm_telemetry. Users are advised to remove the ~/.cache/.npm_telemetry/ directory and also change their system passwords, rotate all SSH keys, and move crypto funds to new wallets with new seed phrases.

Want your project in front of crypto’s top minds? Feature it in our next industry report, where data meets impact.