Malicious npm Package Posing as OpenClaw Installer Deploys RAT, Steals macOS Credentials

A malicious npm package named “@openclaw-ai/openclawai” has been discovered that impersonates an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive macOS credentials, including Keychain data, browser information, and cryptocurrency wallets. The package uses social engineering tactics, such as a fake installation interface and a convincing iCloud Keychain prompt, to trick users into revealing their system passwords, enabling sophisticated data theft and persistent remote control.