A newly uncovered cyber threat called ModStealer is making waves in the security community, after researchers revealed it has been actively stealing data for nearly a month while remaining undetected by traditional antivirus software.
The malware, discovered by Apple device management and security firm Mosyle, is not limited to macOS but works across platforms including Windows and Linux. Its primary objective is data theft, with a particular focus on cryptocurrency wallets, credential files, certificates, and configuration details.

Fake Recruiter Ads as a Lure
According to Mosyle, ModStealer spreads through fake recruiter job postings aimed at software developers. Once activated, the malware deploys a heavily obfuscated JavaScript file to avoid detection and comes preloaded with scripts designed to target 56 browser-based crypto wallet extensions, including those in Safari. By extracting private keys and sensitive account information, attackers can take control of users’ digital assets.
Advanced Capabilities and Persistence
Beyond stealing wallet data, ModStealer can perform clipboard hijacking, screen capture, and remote code execution, giving cybercriminals near-complete access to compromised machines. On macOS, it maintains persistence by abusing Apple’s launchctl tool, running silently as a LaunchAgent. Stolen information is funneled to a remote server that appears to be located in Finland but is linked to infrastructure in Germany—likely an effort to disguise the attackers’ true location.
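Because the macOS persistence described above is an ordinary LaunchAgent, the practical check for defenders is to triage what each plist under ~/Library/LaunchAgents actually launches (launchctl only registers the plist; the plist is what survives reboots). The following Python is an added example written for this article, not code from Mosyle's report: the sample plists, labels and paths are constructed, and the heuristics (interpreter-launched agents, .js payloads, user-writable paths, auto-restart flags) are generic triage rules, not published ModStealer indicators.

```python
import pathlib
import plistlib
import re

# Generic triage heuristics (my own choices, not published ModStealer indicators): agents that
# hand control to an interpreter, run a .js file, live in user-writable paths, or auto-restart.
INTERPRETERS = {"node", "osascript", "sh", "bash", "zsh", "python", "python3", "curl"}
WRITABLE_PATHS = re.compile(r"^(/tmp|/private/tmp|/var/folders|/Users/[^/]+/(\.|Downloads))")

def triage_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist is worth inspecting (empty list = nothing flagged)."""
    data = plistlib.loads(plist_bytes)
    args = data.get("ProgramArguments") or ([data["Program"]] if "Program" in data else [])
    if not args:
        return ["no Program/ProgramArguments key"]
    reasons = []
    exe = args[0].rsplit("/", 1)[-1]
    if exe in INTERPRETERS:
        reasons.append(f"launches an interpreter ({exe}) instead of an app binary")
    if any(a.endswith(".js") for a in args):
        reasons.append("runs a JavaScript file; inspect it for obfuscation")
    if any(WRITABLE_PATHS.match(a) for a in args):
        reasons.append("payload stored in a user-writable or temporary path")
    if data.get("RunAtLoad") and data.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive: relaunched automatically at every login")
    return reasons

def scan_launch_agents(directory=None):
    """Map each flagged plist under a LaunchAgents folder (default: current user's) to its reasons."""
    directory = pathlib.Path(directory or pathlib.Path.home() / "Library/LaunchAgents")
    findings = {}
    if not directory.is_dir():
        return findings
    for path in directory.glob("*.plist"):
        try:
            reasons = triage_launch_agent(path.read_bytes())
        except Exception as exc:  # malformed plist: still worth a look
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[str(path)] = reasons
    return findings

# Constructed sample plists for a stand-alone run; labels and paths are hypothetical.
BENIGN_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array><string>/Applications/Backup.app/Contents/MacOS/backup</string>
</array></dict></plist>"""
SUSPICIOUS_PLIST = b"""<plist version="1.0"><dict><key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/usr/local/bin/node</string>
<string>/Users/alice/.config/updater/main.js</string></array>
<key>RunAtLoad</key><true/><key>KeepAlive</key><true/></dict></plist>"""
```

On a Mac, `scan_launch_agents()` walks the current user's LaunchAgents folder; pass `/Library/LaunchAgents` to cover the system-wide folder as well.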

Mosyle also noted that ModStealer fits into the growing Malware-as-a-Service (MaaS) model, where ready-to-use infostealers are sold to affiliates, allowing cybercriminal groups with limited technical expertise to carry out sophisticated attacks.
“Signature-based protections alone are not enough,” Mosyle warned in its report, urging organizations and individuals to adopt behavior-based defenses, continuous monitoring, and heightened awareness to defend against emerging threats.
Update on the NPM attack: The attack fortunately failed, with almost no victims.🔒 It began with a phishing email from a fake npm support domain that stole credentials and gave attackers access to publish malicious package updates. The injected code targeted web crypto activity,…
— Charles Guillemet (@P3b7_) September 9, 2025
Crypto Users Face Growing Security Risks
The emergence of ModStealer comes on the heels of another attempted attack in the crypto sector. Earlier this week, Ledger CTO Charles Guillemet warned users to halt on-chain transactions following a Node Package Manager (NPM) supply chain attack. Hackers had spoofed NPM support emails to steal developer credentials, which were then used to publish malicious packages aimed at diverting funds on Ethereum, Solana, and other blockchains.
Fortunately, the incident caused minimal damage, with only around $1,000 in crypto stolen before the attack was shut down. Still, security experts stressed how devastating the outcome could have been if the malicious code had gone unnoticed longer.
In a separate analysis, ReversingLabs reported that attackers had recently experimented with Ethereum smart contracts to conceal malicious instructions within NPM packages—another example of how blockchain infrastructure is being exploited to spread malware.
A Persistent Threat Landscape
Together, these developments highlight the ongoing risk of crypto-focused malware and the sophistication of attackers who increasingly exploit trusted platforms and unsuspecting users. With ModStealer still active and new attack strategies emerging, experts emphasize that defense requires more than antivirus tools—it requires vigilance, layered security, and smarter user practices.