Beware: ‘ModStealer’ Malware Targets Your Online Crypto Assets
ModStealer Malware Steals Crypto Wallets, Evades Antivirus Detection
A new malware strain called ModStealer is targeting browser-based cryptocurrency wallets while slipping past all major antivirus engines, according to Apple security firm Mosyle.
Active for nearly a month, the malware is being distributed via malicious recruiter ads aimed at developers. It is delivered as a heavily obfuscated NodeJS script; the obfuscation scrambles the code and adds layers of tricks to bypass signature-based antivirus tools. This allows ModStealer to execute undetected on infected systems.
Unlike most Mac-focused malware, ModStealer is cross-platform, also affecting Windows and Linux devices. Its primary goal is data theft, with built-in instructions to attack 56 browser wallet extensions to extract private keys, credentials, and certificates. The malware also includes clipboard hijacking, screen capture, and remote code execution, giving attackers near-total control of compromised devices. On macOS, it persists through Apple’s LaunchAgent mechanism.
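Because signature-based tools miss the script, reviewing what LaunchAgents actually execute is a practical check on macOS. The following is an added example, not code from Mosyle or from the original article: it parses LaunchAgent plists and flags agents that start a Node.js interpreter, run a JavaScript file, or point into a hidden directory. The heuristics, the `com.example.*` labels and the sample paths are assumptions constructed for illustration, not published ModStealer indicators.

```python
import plistlib
import tempfile
from pathlib import Path

# Heuristics below are assumptions for this example, not published ModStealer indicators.
NODE_NAMES = {"node", "nodejs"}
SCRIPT_EXTS = {".js", ".mjs", ".cjs"}
LAUNCH_AGENT_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents"]

def reasons_for(cmd):
    """Explain why a LaunchAgent command line deserves a manual look."""
    paths = [Path(str(c)) for c in cmd]
    reasons = []
    if any(p.name in NODE_NAMES for p in paths):
        reasons.append("runs Node.js interpreter")
    if any(p.suffix.lower() in SCRIPT_EXTS for p in paths):
        reasons.append("runs JavaScript file")
    if any(part.startswith(".") and part not in (".", "..") for p in paths for part in p.parts):
        reasons.append("hidden path component")
    return reasons

def audit_launch_agents(dirs=LAUNCH_AGENT_DIRS):
    """Parse every *.plist in dirs and return the agents that match a heuristic."""
    findings = []
    for d in dirs:
        for f in sorted(Path(d).expanduser().glob("*.plist")):
            try:
                plist = plistlib.loads(f.read_bytes())
                cmd = [plist[k] for k in ("Program",) if k in plist] + list(plist.get("ProgramArguments", []))
                label, reasons = plist.get("Label"), reasons_for(cmd)
            except Exception as exc:  # corrupt or unexpected plist: report it, do not skip it
                label, cmd, reasons = None, [], [f"unparseable plist ({type(exc).__name__})"]
            if reasons:
                findings.append({"file": f.name, "label": label, "command": cmd, "reasons": reasons})
    return findings

def build_sample_dir():
    """Write three constructed plists (benign, Node-based, corrupt) to a temp dir."""
    d = Path(tempfile.mkdtemp())
    samples = {
        "com.example.updater.plist": ["/Applications/Example.app/Contents/MacOS/updater", "--check"],
        "com.example.helper.plist": ["/usr/local/bin/node", "/Users/dev/.cache/helper/index.js"],
    }
    for name, args in samples.items():
        (d / name).write_bytes(plistlib.dumps({"Label": name[:-6], "ProgramArguments": args, "RunAtLoad": True}))
    (d / "com.example.broken.plist").write_bytes(b"not a plist")
    return d

if __name__ == "__main__":
    for finding in audit_launch_agents():
        print(finding)
```

A match is a prompt for manual review rather than a verdict, since legitimate developer tooling also registers Node-based agents.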
Mosyle notes that ModStealer aligns with the Malware-as-a-Service model, in which developers sell ready-made malware to affiliates with limited technical skills. This trend has driven a surge in infostealers, with Jamf reporting a 28% increase in 2025 alone.
The discovery follows recent npm attacks, where malicious packages such as colortoolsv2 and mimelib2 used Ethereum smart contracts to hide secondary malware. ModStealer expands on these tactics, showing that cybercriminals are escalating attacks across developer ecosystems to directly compromise cryptocurrency wallets.