A new strain of malware, identified as ModStealer, has been evading detection from major antivirus engines for nearly a month, according to security experts at Mosyle, a firm specializing in device security for Apple products. This infostealer has emerged as a significant concern, particularly for users involved in cryptocurrency, as it is specifically designed to harvest crypto wallet data.
Researchers from Mosyle indicated that ModStealer is being disseminated through malicious recruitment ads aimed at developers. The malware is delivered as a heavily obfuscated NodeJS script, which lets it slip past the signature-based defenses common in antivirus products. The obfuscation hides the code's recognizable patterns, making it difficult for traditional security software to detect its malicious intent.
The implications are concerning: because the malware bypasses existing protective measures, attackers can quietly introduce malicious code onto a system without triggering standard security controls. This capability renders conventional defenses less effective against such carefully crafted threats.
One of ModStealer’s distinctive features is its cross-platform functionality, targeting not only macOS but also Windows and Linux systems. Its primary objective revolves around data exfiltration. The malware is suspected to contain preconfigured instructions to specifically target 56 browser wallet extensions, which could potentially allow it to extract private keys, login credentials, and associated security certificates.
In addition to its wallet-stealing capabilities, ModStealer boasts features like clipboard hijacking, screen capturing, and remote code execution, granting attackers substantial control over the compromised devices. On macOS, the malware achieves persistence through Apple’s LaunchAgent, establishing a foothold that enables continued operation even after a system reboot.
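As an added defensive example (not code from Mosyle or from the original article), the script below audits macOS LaunchAgent plists for the two traits described above: a persistence entry that launches a Node interpreter, and a launched script that shows obfuscation markers or unusually high byte entropy. The plist keys are real launchd keys; the marker list, the entropy threshold and the constructed sample in `demo()` are assumptions chosen for illustration.

```python
import math
import os
import plistlib
import tempfile
from pathlib import Path

# Assumed indicators for this example: launchd entries that start a Node
# interpreter, plus scripts containing common obfuscation constructs.
NODE_BINARIES = {"node", "nodejs"}
OBFUSCATION_MARKERS = ("eval(", "Function(", "unescape(", "\\x")
ENTROPY_THRESHOLD = 5.0  # bits per byte; assumed cut-off, tune for your fleet

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or obfuscated scripts score higher than plain source."""
    if not data:
        return 0.0
    counts = [data.count(b) for b in set(data)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts)

def audit_launch_agent(plist_path: Path) -> list[str]:
    """Return the reasons a LaunchAgent plist looks suspicious (empty list if none)."""
    findings: list[str] = []
    with open(plist_path, "rb") as fh:
        plist = plistlib.load(fh)
    args = plist.get("ProgramArguments") or [plist.get("Program", "")]
    if not args or not args[0]:
        return findings
    if os.path.basename(args[0]) in NODE_BINARIES:
        findings.append(f"interpreter {args[0]} launched by launchd")
    if plist.get("RunAtLoad"):
        findings.append("RunAtLoad set")  # runs at every login, i.e. survives reboot
    for arg in args[1:]:
        script = Path(arg)
        if script.suffix == ".js" and script.is_file():
            body = script.read_bytes()
            if shannon_entropy(body) > ENTROPY_THRESHOLD:
                findings.append(f"high-entropy script {script}")
            if any(m.encode() in body for m in OBFUSCATION_MARKERS):
                findings.append(f"obfuscation markers in {script}")
    return findings

def scan_launch_agents(directory: Path = Path.home() / "Library" / "LaunchAgents") -> dict:
    """Audit every plist in a LaunchAgents directory; keys are paths with findings."""
    return {str(p): f for p in directory.glob("*.plist") if (f := audit_launch_agent(p))}

def demo() -> list[str]:
    """Constructed sample: a LaunchAgent running an obfuscated node script (not a real IoC)."""
    tmp = Path(tempfile.mkdtemp())
    script = tmp / "update.js"
    script.write_text('var _0x=["\\x68\\x69"];eval(_0x[0]);')
    plist = tmp / "com.example.updater.plist"
    with open(plist, "wb") as fh:
        plistlib.dump({"Label": "com.example.updater",
                       "ProgramArguments": ["/usr/local/bin/node", str(script)],
                       "RunAtLoad": True}, fh)
    return audit_launch_agent(plist)
```

Run `scan_launch_agents()` on an endpoint to triage user-level persistence entries; anything flagged deserves a look at the referenced script before removal.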
The characteristics of ModStealer reflect a trend towards “Malware-as-a-Service,” a model in which developers provide off-the-shelf malicious tools for less technically savvy affiliates. This model has led to an alarming increase in infostealers, with reports highlighting a 28% rise in such threats in 2025 alone, as noted by Jamf.
The emergence of ModStealer coincides with a series of npm-focused attacks, where malicious packages have utilized Ethereum smart contracts to hide subsequent malware. In these prior cases, attackers effectively exploited obfuscation techniques and built their operations within trusted developer frameworks to circumvent detection.
ModStealer illustrates how cybercriminals are progressively refining their tactics. By extending attacks beyond conventional package repositories to infiltrate broader developer ecosystems, they are increasingly targeting high-value assets like crypto wallets, an escalation in cyber threat strategies. This development raises urgent alarms within the cybersecurity community and highlights the need for enhanced detection and prevention measures.