TLDR
- ModStealer malware targets cryptocurrency wallets and went undetected by antivirus engines for nearly a month.
- ModStealer spreads via fake recruiter ads and steals data from 56 browser wallet extensions.
- The malware includes remote code execution, clipboard capture, and screen capture features.
- A separate NPM supply chain attack used spoofed support emails to steal maintainer credentials and publish packages that hijacked crypto transactions across chains.
A new malware strain called “ModStealer” has been uncovered by Apple device management and security firm Mosyle. The malware, which had gone undetected for nearly a month, is a cross-platform threat specifically designed to steal sensitive data. While it primarily targets cryptocurrency wallets, it also seeks to extract other critical information, including credentials and certificates, from infected devices.
Malware Distribution Through Fake Job Ads
According to Mosyle, ModStealer spreads through fake recruiter ads aimed at developers. The malware arrives as a heavily obfuscated JavaScript file, a common tactic for slipping past signature-based detection. Once executed, ModStealer targets 56 browser wallet extensions, including Safari extensions, using pre-loaded scripts built to extract private keys and account data from them, giving attackers access to users’ cryptocurrency holdings.
Beyond macOS, ModStealer is also capable of infecting Windows and Linux systems. Mosyle’s analysis reveals that the malware is highly effective in evading traditional antivirus tools. The use of JavaScript obfuscation, coupled with pre-loaded scripts targeting popular wallet extensions, makes detection and prevention particularly challenging.
Capabilities of ModStealer and Its Remote Control Features
The researchers also discovered that ModStealer is not limited to data theft. The malware includes clipboard capture, screen capture, and remote code execution, which together give attackers near-total control over an infected device. On macOS, ModStealer registers itself as a LaunchAgent through Apple’s launchctl tool so that it is relaunched at every login and keeps running in the background, quietly exfiltrating stolen data to a remote server. That server appears to be hosted in Finland, although its infrastructure links point to Germany, possibly a deliberate effort to obscure where the operators actually are.
The growing sophistication of ModStealer highlights the increasing danger posed by Malware-as-a-Service (MaaS) models. Cybercriminals are now able to purchase ready-made infostealers like ModStealer, making it easier for less technically skilled individuals to carry out attacks. This marks a concerning trend in the proliferation of malware tools designed to steal sensitive data from unsuspecting users.
NPM Attack Targets Crypto Users and Developers
Meanwhile, security concerns in the cryptocurrency space also surfaced earlier this week when Ledger CTO Charles Guillemet warned users about a widespread attack targeting Node Package Manager (NPM). Cybercriminals sent phishing emails spoofing NPM support to steal maintainer credentials, then used those accounts to publish malicious versions of packages. The malicious code was designed to hijack crypto transactions across various blockchain networks, including Ethereum and Solana, by silently replacing a transaction’s destination address with one controlled by the attackers.
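As an added illustration (not code from the page, from Ledger, or from any of the affected packages), the following Node.js script models the destination-swap technique described above and the check that catches it. A compromised dependency sitting between an application and its wallet provider only has to rewrite the `to` field of an `eth_sendTransaction` request; a guard that compares the recipient about to be sent against the one the user confirmed refuses the send. The provider follows the EIP-1193 `request({ method, params })` shape; the addresses, wrapper names, and the wallet stub are constructed for the example.

```javascript
// Added example (not the page's code, nor Ledger's or any affected package's):
// a minimal model of the address-swap technique and a guard against it.
// Addresses, wrapper names and the wallet stub are constructed.
const USER_FROM   = "0xaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // constructed
const INTENDED_TO = "0x1111111111111111111111111111111111111111"; // constructed
const ATTACKER_TO = "0x2222222222222222222222222222222222222222"; // constructed

// Pure form of the swap: same transaction out, attacker's recipient in. A
// compromised dependency can apply this from anywhere between app and wallet.
function rewriteRecipient(tx, attackerTo) {
  return tx && tx.to ? { ...tx, to: attackerTo } : tx;
}

// Pure form of the check: the recipient about to be sent must equal the one the
// user confirmed, compared case-insensitively since hex addresses may be checksummed.
function recipientMatches(tx, confirmedTo) {
  return String(tx.to || "").toLowerCase() === String(confirmedTo).toLowerCase();
}

// Wallet stand-in that records what it was asked to send; it never signs anything.
function makeRecordingWallet() {
  const sent = [];
  return {
    sent,
    async request({ method, params }) {
      if (method !== "eth_sendTransaction") throw new Error(`unsupported: ${method}`);
      sent.push(params[0]);
      return "0x" + "00".repeat(32); // fake tx hash
    },
  };
}

// Malicious layer: transparent for every call except the one that moves funds.
function wrapWithAddressSwap(provider, attackerTo) {
  return {
    async request(req) {
      if (req.method === "eth_sendTransaction") {
        return provider.request({ method: req.method, params: [rewriteRecipient(req.params[0], attackerTo)] });
      }
      return provider.request(req);
    },
  };
}

// Defensive layer: refuses to forward a send whose recipient differs from the
// confirmed one. It only protects against code that sits above it in the chain.
function wrapWithRecipientGuard(provider, confirmedTo) {
  return {
    async request(req) {
      if (req.method === "eth_sendTransaction" && !recipientMatches(req.params[0], confirmedTo)) {
        throw new Error(`recipient mismatch: confirmed ${confirmedTo}, about to send ${req.params[0].to}`);
      }
      return provider.request(req);
    },
  };
}

function sendPayment(provider, to, valueHex) {
  return provider.request({ method: "eth_sendTransaction", params: [{ from: USER_FROM, to, value: valueHex }] });
}

async function demo() {
  // 1. No guard: the swapped transaction reaches the wallet as if the user chose it.
  const wallet1 = makeRecordingWallet();
  await sendPayment(wrapWithAddressSwap(wallet1, ATTACKER_TO), INTENDED_TO, "0x1");

  // 2. Guard between the compromised layer and the wallet: the send is refused.
  const wallet2 = makeRecordingWallet();
  const guarded = wrapWithAddressSwap(wrapWithRecipientGuard(wallet2, INTENDED_TO), ATTACKER_TO);
  let blocked = "";
  try { await sendPayment(guarded, INTENDED_TO, "0x1"); } catch (e) { blocked = e.message; }

  return { unguardedTo: wallet1.sent[0].to, guardedSends: wallet2.sent.length, blocked };
}

demo().then((r) => console.log(JSON.stringify(r, null, 2)));
```

The guard is only as good as its position: a rewrite applied below it, or inside the wallet’s own dependencies, goes unnoticed. The same comparison done on a device the attacker cannot patch, such as a hardware wallet displaying the recipient for the user to confirm before signing, is the robust form of this check.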
Despite the potential severity of the attack, Guillemet later confirmed that the compromise had been contained, with only a small amount of cryptocurrency stolen. Security teams from various crypto platforms, including Uniswap, MetaMask, and OKX Wallet, reported no impact from the attack. The incident was described as “lucky,” given the scale of the attack and the potential for much larger financial losses had the attackers been more stealthy.