ModStealer, a heavily obfuscated infostealer discovered by Apple-device security firm Mosyle, is silently targeting browser-based crypto wallets and evading detection by all major antivirus engines. Active for nearly a month, the malware uses a scrambled NodeJS script to slip past signature-based scanners and execute without raising alarms.
Researchers say ModStealer carries pre-loaded instructions to attack 56 browser wallet extensions, aiming to extract private keys, credentials and certificates. It also supports clipboard hijacking, screen capture and remote code execution, giving operators broad access to compromised systems. On macOS the strain achieves persistence by installing itself as a LaunchAgent.
Distribution appears focused: attackers are using malicious recruiter ads that target developers, and the build matches a Malware-as-a-Service model, in which ready-made tools are sold to affiliates with limited technical skills. That trend has helped drive a wider spike in infostealers this year; Jamf reported a 28% increase in 2025.
For crypto users the risk is direct and material: stolen private keys mean irreversible fund loss. Security steps that reduce exposure include avoiding unverified links and job ads, vetting browser extensions, using hardware wallets or secure custody for sizable holdings, and rotating exposed keys immediately. Developers should also audit installed packages and monitor for strange network activity.
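The LaunchAgent persistence described above is something a developer can check for locally. The following is an added example, not code from the original coverage or from Mosyle: it parses LaunchAgent plists and flags any that launch a Node.js script, point at a hidden or temp path, or combine RunAtLoad with KeepAlive. The two sample plists, their labels and paths are constructed for the demo and are not ModStealer's actual artifacts.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Constructed sample plists (hypothetical labels and paths, not real indicators).
SAMPLE_PLISTS: Dict[str, bytes] = {
    "com.example.backup.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.backup</string>
<key>ProgramArguments</key><array>
<string>/usr/bin/rsync</string><string>-a</string><string>/Users/me/docs</string></array>
<key>StartInterval</key><integer>3600</integer>
</dict></plist>""",
    "com.hypothetical.updater.plist": b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.hypothetical.updater</string>
<key>ProgramArguments</key><array>
<string>/usr/local/bin/node</string><string>/Users/me/.config/.cache/sysupdate.js</string></array>
<key>RunAtLoad</key><true/>
<key>KeepAlive</key><true/>
</dict></plist>""",
}

NODE_BINARIES = {"node", "nodejs"}
HIDDEN_OR_TEMP = ("/tmp/", "/private/tmp/", "/var/folders/", "/.")

def assess_launch_agent(plist_bytes: bytes) -> List[str]:
    """Return review reasons for one LaunchAgent; an empty list means nothing was flagged."""
    try:
        agent = plistlib.loads(plist_bytes)
    except plistlib.InvalidFileException:
        return ["unparseable plist"]
    args = [str(a) for a in (agent.get("ProgramArguments") or [agent.get("Program", "")]) if a]
    if not args:
        return ["no program specified"]
    reasons: List[str] = []
    if Path(args[0]).name in NODE_BINARIES or any(a.endswith(".js") for a in args):
        reasons.append("runs a Node.js script")
    if any(h in a for a in args for h in HIDDEN_OR_TEMP):
        reasons.append("script lives in a temp or hidden path")
    if agent.get("RunAtLoad") and agent.get("KeepAlive"):
        reasons.append("RunAtLoad + KeepAlive (auto-starts and auto-restarts)")
    return reasons

def scan(plists: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Assess every plist and keep only those with findings."""
    results = {name: assess_launch_agent(data) for name, data in plists.items()}
    return {name: r for name, r in results.items() if r}

def scan_directory(directory: Path = Path.home() / "Library/LaunchAgents") -> Dict[str, List[str]]:
    """Real-host variant: read every *.plist in the user's LaunchAgents folder."""
    return scan({p.name: p.read_bytes() for p in directory.glob("*.plist")})
```

A hit is a prompt for manual review of the referenced script, not proof of infection; legitimate developer tooling also installs Node-based agents.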
Why this matters: ModStealer shows attackers are escalating beyond malicious npm packages into developer-focused delivery channels, making browser-based wallets a higher-risk surface. Assume keys stored in browser extensions are at risk until devices and extensions are validated as clean.
Source: CoinDesk. Read the original coverage for full details.