A stealthy new threat called ModStealer has been identified as capable of bypassing major antivirus engines and stealing data from browser-based crypto wallets on Windows, macOS and Linux.
Researchers report the malware was distributed via fake recruiter ads aimed at developers, a deliberate choice of victims whose machines are likely to have Node.js installed and who routinely run unvetted packages as part of their work.
Once executed, ModStealer scans systems for browser wallet extensions, system credentials and digital certificates, then exfiltrates the collected data to remote command-and-control (C2) servers, according to the disclosure.
Slowmist CISO Shān Zhang told reporters ModStealer uses strong obfuscation and a zero-detection execution chain to evade signature-based tools, and notably supports multiple operating systems — a departure from many stealers that focus on a single platform.
On macOS the malware establishes persistence by masquerading as a background helper so it runs at startup without obvious prompts. Indicators of infection include a hidden file named .sysupdater.dat and unexpected outbound connections to suspicious servers.
The discovery arrives after a related supply-chain alert from Ledger CTO Charles Guillemet, who disclosed attackers briefly compromised an NPM developer account and attempted to push malicious code capable of silently replacing wallet addresses during transactions.
The practical risk is clear: a single execution of the malware can expose private keys, seed phrases and exchange API keys, enabling immediate asset loss. At scale, harvested browser-extension data could power on-chain thefts and amplify supply-chain threats across the ecosystem.
Security teams and developers should verify package integrity, avoid running unvetted installers, and monitor for unusual outbound connections and the .sysupdater.dat artifact. Users relying on software wallets are advised to consider hardware custody or pause transfers until systems are verified clean.
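The checks above can be scripted. The triage helper below is an added illustration, not code from the Decrypt article or from the researchers it cites, and it is deliberately generic: the article gives only the artifact filename (.sysupdater.dat), the phrase "masquerading as a background helper" on macOS, and "unexpected connections". The search roots, the hidden-path heuristic for launchd plists, the sample lsof output and the plist labels are this example's assumptions, not published indicators of compromise.

```python
"""Added triage helper for the indicators named in the article; not code from
Decrypt or the cited researchers. Search roots, the hidden-path launchd
heuristic, the lsof parsing and every sample value are assumptions."""
import ipaddress
import os
import plistlib
import re
import subprocess
import tempfile
from pathlib import Path

ARTIFACT_NAME = ".sysupdater.dat"

# Assumed search roots; the article does not say where the file is dropped.
DEFAULT_ROOTS = [Path.home(), Path("/tmp"), Path("/Library")]
DEFAULT_PLIST_DIRS = [Path.home() / "Library/LaunchAgents",
                      Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]


def find_artifact(roots):
    """Return every file named .sysupdater.dat under the given roots."""
    hits = []
    for root in roots:
        if not Path(root).is_dir():
            continue
        for dirpath, _dirs, files in os.walk(root):
            if ARTIFACT_NAME in files:
                hits.append(os.path.join(dirpath, ARTIFACT_NAME))
    return sorted(hits)


def suspicious_launch_items(plist_dirs):
    """Flag launchd plists whose program lives at a hidden path (a dot-file or a
    dot-directory). Heuristic only: legitimate items rarely do this, but review
    every hit by hand before acting on it."""
    flagged = []
    for d in plist_dirs:
        if not Path(d).is_dir():
            continue
        for plist in sorted(Path(d).glob("*.plist")):
            try:
                with open(plist, "rb") as fh:
                    data = plistlib.load(fh)
            except Exception:  # unreadable or not a plist
                continue
            args = data.get("ProgramArguments") or []
            program = data.get("Program") or (args[0] if args else "")
            if any(part.startswith(".") and part not in (".", "..")
                   for part in Path(program).parts):
                flagged.append((str(plist), program, data.get("Label", "")))
    return flagged


# RFC 1918, loopback and link-local ranges; any other peer counts as external.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]
PEER_RE = re.compile(r"->(?:\[([^\]]+)\]|([^:\s]+)):(\d+)")


def external_connections(lsof_output):
    """Parse `lsof -nP -iTCP -sTCP:ESTABLISHED` text and return
    (command, pid, remote_ip, remote_port) for every non-local peer."""
    found = []
    for line in lsof_output.splitlines()[1:]:  # skip the header row
        fields = line.split()
        m = PEER_RE.search(line)
        if len(fields) < 9 or not m:
            continue
        ip = m.group(1) or m.group(2)
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        if not any(addr in net for net in LOCAL_NETS):
            found.append((fields[0], int(fields[1]), ip, int(m.group(3))))
    return found


# Constructed sample lsof output (not a real capture); 203.0.113.10 is a
# documentation address standing in for an unknown remote server.
SAMPLE_LSOF = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
Safari   1201 dev    41u  IPv4 0xaa      0t0  TCP 192.168.1.20:52111->192.168.1.1:443 (ESTABLISHED)
node     4242 dev    23u  IPv4 0xbb      0t0  TCP 192.168.1.20:52112->203.0.113.10:443 (ESTABLISHED)
ssh      4300 dev    3u   IPv6 0xcc      0t0  TCP [::1]:50000->[::1]:22 (ESTABLISHED)
"""


def demo():
    """Plant the artifact and a hidden-path plist in a temp dir, then run all
    three checks against that constructed layout (labels are hypothetical)."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "Library").mkdir()
    (tmp / "Library" / ARTIFACT_NAME).write_bytes(b"x")
    agents = tmp / "Library/LaunchAgents"
    agents.mkdir()
    with open(agents / "com.example.helper.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.helper", "RunAtLoad": True,
                       "ProgramArguments": [str(tmp / ".cache/helper")]}, fh)
    with open(agents / "com.example.ok.plist", "wb") as fh:
        plistlib.dump({"Label": "com.example.ok",
                       "ProgramArguments": ["/usr/local/bin/helper"]}, fh)
    return (find_artifact([tmp]), suspicious_launch_items([agents]),
            external_connections(SAMPLE_LSOF))


if __name__ == "__main__":
    print("demo:", demo())
    print("artifact:", find_artifact(DEFAULT_ROOTS))
    print("launch items:", suspicious_launch_items(DEFAULT_PLIST_DIRS))
    try:  # live check; lsof is present on macOS and most Linux hosts
        out = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:ESTABLISHED"],
                             capture_output=True, text=True, check=False).stdout
        print("external:", external_connections(out))
    except FileNotFoundError:
        print("lsof not available on this host")
```

Run it as the affected user and again as root so that /Library and the per-user LaunchAgents folders are both covered. A hit on the artifact is the strong signal; the hidden-path plist heuristic and the external-connection list are starting points for manual review, since legitimate software occasionally runs from dot-directories and most machines hold benign external connections.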
Source: Decrypt. Read the original coverage for full details.