
What You Need to Know:
- A newly identified infostealer named ModStealer is evading most antivirus engines and specifically targets cryptocurrency wallet data.
- ModStealer uses heavily obfuscated NodeJS scripts to slip past signature-based antivirus defenses, and is distributed through fake recruitment ads aimed at developers.
- It runs on Windows, Linux, and macOS, and supports data exfiltration, clipboard hijacking, screen capture, and remote command execution.
A new infostealer built to steal cryptocurrency wallet data has been slipping past nearly every major antivirus engine, according to researchers at Mosyle, a company specializing in Apple device security.
Identified as ModStealer, the malware went undetected for almost a month. Mosyle researchers say it spreads through fraudulent recruitment ads targeting developers and relies on heavily obfuscated NodeJS scripts to evade signature-based antivirus defenses.
Obfuscation rewrites the script so that the strings and structure a signature would match on no longer appear in the file, while the behaviour at runtime is unchanged; antivirus engines that look only for known patterns therefore see nothing familiar.
As a result, the attackers can plant malicious code on a system without tripping traditional checks. Unlike most malware aimed at Mac users, ModStealer is cross-platform and also runs on Windows and Linux. Its primary function is data theft: it is believed to carry built-in targeting for up to 56 browser wallet extensions, from which it extracts private keys, login credentials, and certificates.
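Signature-based detection fails against obfuscated scripts, but the obfuscation itself leaves traits a defender can score. The following is an added example written for this article, not code from Mosyle or from ModStealer: a small heuristic triage for a suspicious NodeJS script (for instance an npm install hook or a "coding test" sent with a job offer). The indicator list, the thresholds, and the two sample scripts are assumptions constructed for the example.

```python
import math
import re
from collections import Counter

# Regexes for traits that heavily obfuscated JavaScript tends to exhibit.
# The indicator set and thresholds are assumptions chosen for this example,
# not values taken from the Mosyle analysis of ModStealer.
INDICATORS = {
    "eval_or_function_ctor": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\(|\bFunction\s*\("),
    "hex_escapes": re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}"),
    "unicode_escapes": re.compile(r"(?:\\u[0-9a-fA-F]{4}){4,}"),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
    "child_process": re.compile(r"require\(\s*['\"]child_process['\"]\s*\)"),
    "string_from_charcode": re.compile(r"String\.fromCharCode"),
    "hex_identifiers": re.compile(r"\b_0x[0-9a-fA-F]{3,}\b"),
}


def shannon_entropy(text: str) -> float:
    """Bits per character; packed or encoded payloads push this toward 6."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def score_script(source: str) -> dict:
    """Return indicator hit counts and a coarse suspicion score for one JS source."""
    hits = {name: len(rx.findall(source)) for name, rx in INDICATORS.items()}
    longest_line = max((len(line) for line in source.splitlines()), default=0)
    entropy = shannon_entropy(source)
    score = sum(1 for count in hits.values() if count)
    if longest_line > 1000:   # packed payloads are typically one enormous line
        score += 1
    if entropy > 5.5:         # plain JS source normally sits near 4.5 bits/char
        score += 1
    return {
        "hits": hits,
        "longest_line": longest_line,
        "entropy": round(entropy, 2),
        "score": score,
        "suspicious": score >= 3,
    }


# Constructed samples for this example; neither is real ModStealer code.
BENIGN_JS = """\
const fs = require('fs');
function readConfig(path) {
  return JSON.parse(fs.readFileSync(path, 'utf8'));
}
module.exports = { readConfig };
"""

OBFUSCATED_JS = (
    "var _0x4f2a=['\\x63\\x68\\x69\\x6c\\x64\\x5f\\x70\\x72\\x6f\\x63\\x65\\x73\\x73'];\n"
    "var cp=require(_0x4f2a[0]);\n"
    "var blob='" + "QUJDREVG" * 20 + "';\n"
    "eval(String.fromCharCode(118,97,114,32,97,61,49));\n"
)


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_JS), ("obfuscated", OBFUSCATED_JS)):
        result = score_script(src)
        print(f"{name:10} score={result['score']} suspicious={result['suspicious']} hits={result['hits']}")
```

The score is deliberately coarse: a single hit such as `String.fromCharCode` is common in legitimate code, so the threshold requires several independent indicators before a file is flagged. Note that the `child_process` indicator does not fire on the obfuscated sample precisely because the module name is hidden behind hex escapes, which is why the hex-escape and `_0x` identifier indicators matter.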
ModStealer can also hijack clipboard contents, capture the screen, and execute remote commands, giving the attackers broad control over a compromised machine. On macOS it persists by installing itself as a LaunchAgent, so launchd starts it again at every login.
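LaunchAgent persistence is easy to audit because every agent is a property list in a known directory. Below is an added example written for this article, not Mosyle's tooling and not code from the malware: it parses LaunchAgent plists and flags combinations that a user-level agent should not normally have, such as a script interpreter as the entry point, a script under a hidden or temporary directory, an Apple-style label in a user's home directory, or RunAtLoad paired with KeepAlive. The indicator list and the two sample plists (including the label com.apple.example.helper) are constructed assumptions for the example, not indicators published for ModStealer.

```python
import plistlib
from pathlib import Path

# Interpreters a LaunchAgent would not normally invoke directly; an agent whose
# entry point is node, python, or a shell is worth a second look. This list is
# an assumption for the example, not a list from the ModStealer report.
INTERPRETERS = {"node", "python", "python3", "sh", "bash", "zsh", "osascript", "perl", "ruby"}
TEMP_PREFIXES = ("/tmp/", "/private/tmp/", "/var/tmp/", "/private/var/tmp/", "/Users/Shared/")


def _has_hidden_component(path: str) -> bool:
    """True if any directory or file in the path starts with a dot."""
    return any(part.startswith(".") and part not in (".", "..") for part in Path(path).parts)


def audit_launch_agent(plist_bytes: bytes, plist_path: str) -> dict:
    """Score one LaunchAgent plist; two or more findings mark it suspicious."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    reasons = []
    if not args:
        reasons.append("no Program or ProgramArguments")
    else:
        exe = Path(args[0]).name
        if exe in INTERPRETERS:
            reasons.append(f"entry point is a script interpreter: {exe}")
        for arg in args:
            if arg.startswith(TEMP_PREFIXES):
                reasons.append(f"argument in temp/shared location: {arg}")
            elif _has_hidden_component(arg):
                reasons.append(f"argument under a hidden directory: {arg}")
    label = data.get("Label", "")
    # Apple's own agents live under /System; a com.apple.* label in a user's
    # home directory is a masquerade indicator.
    if label.startswith("com.apple.") and plist_path.startswith("/Users/"):
        reasons.append(f"Apple-style label in a user LaunchAgents directory: {label}")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad with KeepAlive: launchd restarts it if killed")
    return {"path": plist_path, "label": label, "reasons": reasons, "suspicious": len(reasons) >= 2}


def scan_launch_agents(directory: Path) -> list:
    """Audit every *.plist in a directory; an unparseable plist is reported too."""
    results = []
    for p in sorted(directory.glob("*.plist")):
        try:
            results.append(audit_launch_agent(p.read_bytes(), str(p)))
        except Exception as exc:
            results.append({"path": str(p), "label": "", "reasons": [f"unparseable: {exc}"], "suspicious": True})
    return results


# Constructed sample plists for this example (not taken from the ModStealer report).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/Applications/Example.app/Contents/MacOS/updater</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>"""

SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.apple.example.helper</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string><string>/Users/dev/.cache/.sys/main.js</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>"""


if __name__ == "__main__":
    # Live use: audit the current user's LaunchAgents directory on macOS.
    for r in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok"
        print(f"{flag:10} {r['path']}  {'; '.join(r['reasons'])}")
```

For a fleet, the same audit belongs in an MDM-pushed script that also covers /Library/LaunchAgents and /Library/LaunchDaemons, since a root-level install would land there rather than in the user's home directory.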
Mosyle notes that the operation fits the Malware-as-a-Service model, in which developers sell ready-made tooling to affiliates who lack the skills to build it themselves. That model has driven the growth of infostealers in 2025, with reports putting the increase at 28% over the previous year.
The discovery follows recent attacks through npm, in which malicious packages such as colortoolsv2 and mimelib2 hid their second-stage malware behind Ethereum smart contracts. In those cases, too, the attackers combined obfuscation with trusted developer resources to avoid detection.
ModStealer carries the same approach beyond package managers, and shows how much effort criminals are now putting into breaching developer environments and targeting crypto wallets directly.