Emerging Threat: Malicious npm Package `@openclaw-ai` Targeting macOS Keychains
Has anyone caught wind of this latest npm supply chain attack? Researchers flagged a package named @openclaw-ai/openclawai that pretends to be an installer for OpenClaw. Instead of the tool you expect, it drops a Remote Access Trojan (RAT) and goes straight for macOS credentials.
Uploaded on March 3 by "openclaw-ai," it’s sitting right there in the public registry. While 178 downloads isn't massive, the precision here is concerning—specifically targeting macOS keychains. It’s a classic typosquat/brandjacking attempt relying on the trust we put in the registry.
If you're managing CI/CD or dev environments, you need to verify your dependency trees immediately. Most of these malicious packages execute via preinstall or postinstall hooks in package.json.
You can scan your environments for this specific package name using this bash snippet:
find . -type d -name "node_modules" -prune -exec grep -rl "@openclaw-ai/openclawai" {} \;
For broader defense, ensure your lockfiles (package-lock.json) are checked into your repo and verified. Also, consider blocking execution of unsigned binaries spawned from Node processes on dev workstations.
ps aux | grep -i "node.*openclaw"
Given that npm audit often misses these brand-new packages until a vulnerability is assigned (which might be too late), what tools are you guys using to block unknown or unverified packages in real-time? Are you using private registries with allow-listing?
We actually saw a similar pattern last month. In our SOC, we've set up alerts for any node process spawning a shell or accessing the macOS Keychain directly. It catches a lot of these postinstall script shenanigans. If you're using Elastic, look for process.parent.name: "node" AND process.name: ("sh" OR "bash" OR "python"). Usually, legit builds don't need to shell out during npm install.
As a sysadmin, I'm less interested in detection and more in prevention. We've moved to a private npm registry that proxies the public registry but uses an allow-list. If a package isn't pre-approved, the install fails. It stops these typosquat packages dead in their tracks before they ever hit a dev's machine.
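One way to combine the lockfile check and the allow-list idea from the posts above, as an added example that is not code from any poster: it audits a parsed package-lock.json (lockfileVersion 2 or 3) for the package named in this thread, for packages missing from an allow-list, and for entries npm marks with `hasInstallScript`. The sample lockfile, its versions, and the allow-list contents are constructed for illustration.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 2 or 3).
// BLOCKED holds the package name from this thread; ALLOW is a constructed allow-list.
const BLOCKED = new Set(["@openclaw-ai/openclawai"]);

// Lockfile keys look like "node_modules/a/node_modules/@scope/b"; the package
// name is whatever follows the last "node_modules/".
function nameFromKey(key) {
  const i = key.lastIndexOf("node_modules/");
  return i === -1 ? null : key.slice(i + "node_modules/".length);
}

function auditLockfile(lock, allowList) {
  const findings = { blocked: [], notAllowed: [], installScripts: [] };
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = nameFromKey(key);
    if (name === null) continue; // "" is the root project; also skips workspace paths
    const id = `${name}@${meta.version}`;
    if (BLOCKED.has(name)) findings.blocked.push(key);
    else if (!allowList.has(name)) findings.notAllowed.push(id);
    // npm sets hasInstallScript when a package declares preinstall/install/postinstall
    if (meta.hasInstallScript) findings.installScripts.push(id);
  }
  return findings;
}

// Constructed sample lockfile; versions and the other package names are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/left-pad": { version: "1.3.0" },
    "node_modules/native-thing": { version: "2.0.1", hasInstallScript: true },
    "node_modules/native-thing/node_modules/@openclaw-ai/openclawai":
      { version: "0.0.1", hasInstallScript: true },
    "node_modules/unknown-helper": { version: "0.1.0" },
  },
};
const ALLOW = new Set(["left-pad", "native-thing"]);

const report = auditLockfile(sampleLock, ALLOW);
console.log(JSON.stringify(report, null, 2));
```

In CI, pass `JSON.parse` of the real lockfile and fail the job when `blocked` or `notAllowed` is non-empty; the `installScripts` list is the review queue for hooks that run during `npm install`.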
Interesting target. OpenClaw seems to be AI-related, meaning attackers are riding the current hype wave. Developers tend to install npm packages for AI tools blindly. I'd recommend checking the package author's history. If "openclaw-ai" has no other repos or was created yesterday, don't install it. Trust, but verify.