ModStealer Malware Steals Crypto Wallets Across Windows, Mac, Linux

A newly discovered cross-platform malware strain named ModStealer has been operating undetected for nearly a month, bypassing major antivirus software to steal data from cryptocurrency wallets across Windows, macOS, and Linux systems. Distributed via fake job recruiter ads targeting software developers, ModStealer uses a heavily obfuscated NodeJS script to evade signature-based detection and scans infected systems for browser wallet extensions, system credentials, and digital certificates. The malware supports clipboard hijacking, screen capture, and remote code execution, granting attackers near-total control, while on macOS it achieves persistence by embedding itself as a LaunchAgent using Apple’s launchctl tool. Security experts warn that ModStealer poses a significant threat to the digital asset ecosystem, as compromised private keys, seed phrases, and API keys can lead to immediate financial losses and facilitate large-scale on-chain exploits. The malware is believed to be part of a growing Malware-as-a-Service ecosystem, allowing affiliates with limited technical skills to deploy advanced attacks, contributing to a surge in infostealer threats in 2025. This discovery follows recent incidents involving malicious npm packages that highlight vulnerabilities in blockchain-related code libraries, underscoring the increasing sophistication of attacks targeting crypto users.