New ModStealer malware hunts crypto wallets with fake recruiter ads, evades antivirus detection

Apple device management and security firm Mosyle uncovered new malware dubbed “ModStealer” on Thursday — undetected by antivirus tools since first appearing nearly a month ago.

The malware doesn’t just target macOS systems, but is cross-platform and purpose-built for stealing data, Mosyle told 9to5Mac. ModStealer’s chief purpose is data theft — particularly targeting cryptocurrency wallets, credential files, configuration details, and certificates.

Mosyle found that ModStealer is spreading via fake recruiter ads targeting developers. The malware uses a heavily obfuscated JavaScript file to evade detection and includes pre-loaded scripts targeting 56 browser wallet extensions, including Safari, designed to extract private keys and sensitive account data. Windows and Linux systems are also at risk, according to Mosyle’s analysis.

Furthermore, Mosyle’s researchers discovered that ModStealer is capable of clipboard and screen capture, as well as remote code execution, giving attackers near-total control of infected devices. On macOS, it persists by abusing Apple’s launchctl tool to run as a LaunchAgent, silently exfiltrating data to a remote server that appears to be located in Finland but linked to infrastructure in Germany — likely designed to mask the operators’ real location.
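As an added defender-side example (not from Mosyle's analysis or this article): a small Python triage script that parses LaunchAgent plists and flags entries that launch a script interpreter or a JavaScript file from a user-writable path, the kind of footprint the launchctl/LaunchAgent persistence described above would leave. The heuristics, sample plists, labels and paths below are assumptions constructed for illustration, not ModStealer indicators.

```python
from __future__ import annotations
import plistlib
import re
from pathlib import Path

# Assumed heuristics: interpreters and locations that, inside a LaunchAgent,
# suggest script-based persistence rather than a signed app helper.
SCRIPT_INTERPRETERS = {"node", "osascript", "python", "python3", "sh", "bash", "zsh"}
USER_WRITABLE = re.compile(r"^(/Users/[^/]+|/tmp|/private/tmp|/var/folders)/")

def inspect_launch_agent(name: str, data: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist looks suspicious (empty if none)."""
    try:
        plist = plistlib.loads(data)
    except Exception as exc:  # malformed plist is itself worth a look
        return [f"{name}: unparseable plist ({exc})"]
    args = plist.get("ProgramArguments") or []
    if not args and plist.get("Program"):
        args = [plist["Program"]]
    if not args:
        return []
    reasons = []
    exe = args[0].rsplit("/", 1)[-1]
    if exe in SCRIPT_INTERPRETERS:
        reasons.append(f"runs script interpreter {exe!r}")
    for arg in args:
        if arg.endswith((".js", ".mjs", ".cjs")):
            reasons.append(f"executes JavaScript file {arg!r}")
        if USER_WRITABLE.match(arg):
            reasons.append(f"references user-writable path {arg!r}")
    if plist.get("RunAtLoad") and plist.get("KeepAlive"):
        reasons.append("RunAtLoad+KeepAlive (kept resident by launchd)")
    return [f"{name}: {r}" for r in reasons]

def scan_launch_agents(directory: Path) -> list[str]:
    """Inspect every .plist under a LaunchAgents directory (e.g. ~/Library/LaunchAgents)."""
    findings = []
    for plist_path in sorted(directory.glob("*.plist")):
        findings += inspect_launch_agent(plist_path.name, plist_path.read_bytes())
    return findings

# Constructed sample plists (not real indicators) to exercise the checks.
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/update.js"],
    "RunAtLoad": True, "KeepAlive": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    for line in inspect_launch_agent("sample.plist", SAMPLE_SUSPICIOUS):
        print(line)
    for line in scan_launch_agents(Path.home() / "Library" / "LaunchAgents"):
        print(line)
```

Run it on a real host to list LaunchAgents worth a manual look; a flagged entry is a lead for review, not proof of compromise.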

The researchers added that ModStealer fits the growing Malware-as-a-Service “business model” increasingly popular among cybercriminal gangs, where ready-made infostealers are sold to affiliates with minimal technical skills.

“For security professionals, developers, and end users alike, this serves as a stark reminder that signature-based protections alone are not enough,” Mosyle said. “Continuous monitoring, behavior-based defenses, and awareness of emerging threats are essential to stay ahead of adversaries.”

Crypto malware attacks on the rise

On Monday, Ledger CTO Charles Guillemet warned crypto users to halt onchain transactions following a widespread Node Package Manager supply chain attack. The attackers used spoofed NPM support emails to steal developer credentials, allowing them to publish malicious packages designed to hijack crypto transactions across Ethereum, Solana, and other chains by secretly swapping destination addresses.

However, Guillemet later said the attack had “fortunately failed,” impacting “almost no victims,” with Arkham tracking data suggesting that just $1,000 in crypto was stolen before the compromise was detected and shut down. “The immediate danger may have passed, but the threat hasn’t,” Guillemet wrote on X, urging users to favor hardware wallets and clear signing protections.

By early Tuesday, multiple crypto teams, including Uniswap, MetaMask, OKX Wallet, Sui, Aave, Trezor, and Lido, reported they were not affected. Security collective SEAL Org called the outcome “lucky,” noting a compromised account with packages downloaded “billions” of times weekly could have yielded “untold riches” had the payload been stealthier.

Last week, a report by ReversingLabs also found that threat actors were using Ethereum smart contracts to conceal two NPM packages used to spread malicious instructions before the malware family was taken down.

© 2025 The Block. All Rights Reserved. This article is provided for informational purposes only. It is not offered or intended to be used as legal, tax, investment, financial, or other advice.
