TokenTalkNews

Apple Security Firm Warns of ‘ModStealer’ Malware Designed to Steal Crypto and Credentials

Published on 2025-09-12 12:17 UTC

Apple device security firm Mosyle has discovered a new cross-platform malware called ModStealer, which has gone undetected for nearly a month. The malware is designed to steal cryptocurrency wallets, credentials, and certificates, and it spreads through fake recruiter ads targeting developers. It uses obfuscated JavaScript and pre-loaded scripts aimed at 56 browser wallet extensions, including on Safari, to extract sensitive data. ModStealer can also perform clipboard hijacking, screen capture, and remote code execution, giving attackers near-total control.

On macOS, it persists by abusing launchctl to run silently as a LaunchAgent, and it exfiltrates data to servers linked to Germany. Researchers say it reflects the rise of Malware-as-a-Service, sold to low-skilled cybercriminals.

The discovery comes amid broader crypto malware risks. Earlier this week, a Node Package Manager (NPM) supply chain attack attempted to hijack crypto transactions on Ethereum, Solana, and other chains. Though the impact was minimal, just $1,000 stolen, experts warn the threat was severe, as compromised accounts could have pushed malicious packages with billions of weekly downloads. Security leaders, including Ledger CTO Charles Guillemet, urge users to rely on hardware wallets, behavior-based defenses, and continuous monitoring as malware targeting crypto continues to rise.
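A defender-side check for the LaunchAgent persistence described above, added here as an example (it is not Mosyle's tooling or code from the article): it parses LaunchAgent plists and flags jobs that launch a script interpreter or run from hidden or world-writable paths. The heuristics, labels and sample plists are constructed assumptions for triage, not ModStealer indicators.

```python
import glob
import os
import plistlib
from pathlib import PurePosixPath

# Generic triage heuristics (assumptions), not ModStealer-specific indicators.
INTERPRETERS = {"node", "osascript", "python3", "sh", "bash", "zsh"}
WORLD_WRITABLE = ("/tmp/", "/private/tmp/", "/Users/Shared/")

def audit_launch_agent(plist_bytes):
    """Return the reasons a LaunchAgent plist deserves manual review."""
    try:
        job = plistlib.loads(plist_bytes)
    except Exception:
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["unparseable plist"]
    # launchd runs ProgramArguments, or Program when no arguments are given.
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    args = [str(a) for a in args if a]
    reasons = []
    if args and PurePosixPath(args[0]).name in INTERPRETERS:
        reasons.append("runs a script interpreter: " + args[0])
    for arg in args:
        parts = PurePosixPath(arg).parts
        if arg.startswith("/") and any(p.startswith(".") for p in parts[1:]):
            reasons.append("hidden directory in path: " + arg)
        if arg.startswith(WORLD_WRITABLE):
            reasons.append("world-writable location: " + arg)
    return reasons

# Constructed sample plists, for illustration only.
SAMPLE_SUSPICIOUS = plistlib.dumps({
    "Label": "com.example.updater",
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/agent/index.js"],
    "RunAtLoad": True,
})
SAMPLE_BENIGN = plistlib.dumps({
    "Label": "com.example.helper",
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"],
    "RunAtLoad": True,
})

if __name__ == "__main__":
    # On a Mac, audit the per-user and system-wide LaunchAgents directories.
    for folder in ("~/Library/LaunchAgents", "/Library/LaunchAgents"):
        for path in glob.glob(os.path.expanduser(folder) + "/*.plist"):
            with open(path, "rb") as fh:
                print(path, audit_launch_agent(fh.read()))
```

A flagged entry is a prompt for manual review, since legitimate software also installs LaunchAgents that run scripts.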
