A newly identified malware family called ModStealer is putting cryptocurrency users at risk on macOS, Windows and Linux, with a particular focus on browser-based wallets and login credentials.
According to the security firm Mosyle, the malicious code went almost a month without being detected by major antivirus engines after being uploaded to VirusTotal, increasing the risk for anyone who relies solely on signature-based defenses.
What is ModStealer and how does it work?
ModStealer is an information stealer aimed at draining wallets and collecting sensitive data. It uses a heavily obfuscated JavaScript/Node.js script to evade known signatures, enabling silent execution and data exfiltration without raising suspicion.
Once a machine is compromised, the malware enables clipboard capture, screenshots and remote command execution, giving attackers extensive control over the affected system.
Researchers have also observed logic specifically targeting 56 browser wallet extensions, covering both Safari extensions and Chromium-based browsers, with the goal of extracting private keys, certificates and credential files.

Infection routes: fake jobs targeting developers
The campaign spreads through fake job ads aimed at developers and creators in the Web3 ecosystem. In many cases, attackers ask candidates to complete “test tasks” or to download supposedly harmless packages that actually install the ModStealer code.
This approach targets teams that already have Node.js or similar development environments in place, maximizing the likelihood that the script executes and minimizing alerts during installation.
Persistence in macOS and command and control infrastructure
On Apple devices, the malware abuses launchctl to register itself as a LaunchAgent and survive reboots, running as a background process without attracting the user's attention.
The stolen information is sent to a command-and-control (C2) server hosted in Finland, although the infrastructure appears to be routed through Germany to hide the operators' real origin.
Indicators of compromise include the presence of a hidden file named “.sysupdater.dat” and unusual outbound connections to suspicious domains, both useful signals for incident response teams.
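To turn the two macOS indicators above into something an incident responder can actually run, the following POSIX shell script is an added example and not part of the article or of Mosyle's tooling. It hunts for the hidden “.sysupdater.dat” file under a directory tree and lists LaunchAgent plists whose ProgramArguments launch node or a .js file, which is the persistence shape described for this campaign. The plist contents, the `/Users/demo/.cache/update.js` path and the `com.example.*` labels are constructed sample data, not real ModStealer artifacts.

```shell
#!/bin/sh
# Added triage helper (not Mosyle's tooling): hunts for the two macOS
# indicators named in the article, the hidden ".sysupdater.dat" file and a
# LaunchAgent that keeps a Node.js/JavaScript payload running across reboots.
# All file contents and paths built below are constructed sample data.

# Print every ".sysupdater.dat" found under the given root directory.
find_marker_files() {
    find "$1" -name '.sysupdater.dat' -type f 2>/dev/null
}

# Print LaunchAgent plists whose ProgramArguments launch node or a .js file.
# A plist whose program is a script interpreter is the pattern worth a manual
# look; a match here is a lead for the analyst, not a verdict.
suspicious_launch_agents() {
    for plist in "$1"/*.plist; do
        [ -f "$plist" ] || continue
        if grep -qiE '<string>[^<]*(/node|\.js)</string>' "$plist"; then
            echo "$plist"
        fi
    done
}

# Build a constructed sample tree: one marker file, one LaunchAgent that runs
# a hidden .js file with node, and one benign LaunchAgent that must not match.
make_sample_env() {
    root=$(mktemp -d)
    mkdir -p "$root/Library/LaunchAgents" "$root/.cache"
    : > "$root/.cache/.sysupdater.dat"
    cat > "$root/Library/LaunchAgents/com.example.sysupdater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.sysupdater</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/local/bin/node</string>
        <string>/Users/demo/.cache/update.js</string>
    </array>
    <key>RunAtLoad</key><true/>
    <key>KeepAlive</key><true/>
</dict>
</plist>
EOF
    cat > "$root/Library/LaunchAgents/com.example.backup.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>Label</key><string>com.example.backup</string>
    <key>ProgramArguments</key>
    <array><string>/usr/bin/rsync</string><string>-a</string></array>
</dict>
</plist>
EOF
    echo "$root"
}

# Demonstration run against the constructed sample tree.
# On a real Mac, point find_marker_files at "$HOME" (or /) and
# suspicious_launch_agents at "$HOME/Library/LaunchAgents" and
# /Library/LaunchAgents instead.
sample=$(make_sample_env)
echo "marker files:"
find_marker_files "$sample"
echo "launch agents to review:"
suspicious_launch_agents "$sample/Library/LaunchAgents"
rm -rf "$sample"
```

The script only reads the filesystem, so it is safe to run on a suspect host before any remediation. Pair its output with a look at the network side of the indicator (for example, which process owns the unusual outbound connections) before deciding whether a flagged LaunchAgent is the malware or a legitimate Node.js tool.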
A case of Malware-as-a-Service in full expansion
Researchers place ModStealer within the Malware-as-a-Service (MaaS) model, in which developers sell ready-made packages to affiliates with little technical experience, facilitating the proliferation of infostealers.
Along the same lines, industry reports such as those from Jamf point to significant increases in this type of threat in Mac environments, a trend that reinforces the need for security controls beyond simple signature detection.
Impact on the crypto ecosystem and recent supply chain attacks
The discovery coincides with incidents in NPM, where malicious packages (such as colortoolsv2 and mimelib2) attempted to swap destination addresses in transactions on Ethereum, Solana and other networks, exploiting developers' trust in popular repositories.
Following warnings from Ledger CTO Charles Guillemet, the direct impact remained limited, with approximate losses of $1,000, and teams such as Uniswap, MetaMask, Aave, Sui, Trezor and Lido reported that they were not affected; still, the episode shows how quickly these types of attacks can escalate.
Practical measures for users and technical teams
Against threats like ModStealer, it is advisable to strengthen wallet hygiene and endpoint security, combining good practices with behavior-based monitoring.
- Use hardware wallets and confirm the destination address on screen (check at least the first and last six characters).
- Maintain a dedicated browser or device profile for the wallet; interact only with trusted extensions.
- Keep seed phrases offline; enable MFA and, where possible, use FIDO2 passkeys.
- Strictly separate the development environment (“dev box”) from the wallet (“wallet box”), and open test tasks only in a disposable virtual machine.
- Verify recruiters and domains; request that tests be shared through public repositories.
- Apply continuous monitoring and behavioral detection; maintain OS, browsers and extensions up to date.
For developers, it is essential to verify the legitimacy of any job offer and to be wary of files or scripts received through unverified channels, especially those related to Node.js.
ModStealer confirms that information theft is evolving towards more targeted and discreet campaigns; the combination of obfuscation, persistence and C2 makes detection difficult, but a strategy that includes environment segmentation, hardware wallets and behavior-based detection can significantly reduce the attack surface.