Recently, a malware named GhostClaw targeted macOS crypto wallet users. Disguised as a legitimate OpenClaw CLI tool on the npm registry, it infected 178 developers before being removed on March 10. GhostClaw’s propagation and stealth highlight critical security risks for developers and wallet holders.
Malware Operation Mechanism
When users execute npm install, hidden scripts globally install the GhostClaw package, leveraging obfuscated configuration files to evade detection. The software scans the clipboard every three seconds, stealing private keys, mnemonics, and public keys. In a second stage, GhostLoader scans Chromium browsers, macOS keychains, and system storage for wallet data, even cloning browser sessions to access logged-in wallets.
Data Theft and Transmission
Stolen data is transmitted via Telegram, GoFile, and command servers to the attacker. The malware also exfiltrates API tokens linked to AI platforms, giving attackers control over connected services and increasing asset risk.
Role of KYT in Security Protection
Trustformer KYT systems use real-time on-chain analysis and anomaly detection to track unauthorized fund flows. Even if wallet private keys are compromised, KYT can monitor suspicious transactions and high-risk addresses, offering dynamic risk scoring and real-time alerts to detect potential attacks early.
Enhancing macOS Users’ On-Chain Asset Safety
Users should strictly verify the sources of CLI tools and npm packages to avoid untrusted downloads. Combined with KYT on-chain monitoring, digital asset protection is significantly enhanced, mitigating losses caused by malware.
Conclusion
The GhostClaw incident demonstrates that on-chain asset security requires both cautious user behavior and KYT-powered monitoring. Using Trustformer KYT multi-chain tracking and risk scoring, suspicious fund flows can be identified early, ensuring the safety of the digital asset ecosystem.