A newly-discovered malware called ModStealer is targeting crypto users across macOS, Windows and Linux systems, posing risks to wallets and access credentials.
Apple-focused security firm Mosyle uncovered the malware, saying it remained completely undetected by major antivirus engines for almost a month after being uploaded to VirusTotal, an online platform that analyzes files to detect malicious content, 9to5mac reported.
Mosyle said ModStealer is designed to extract data, with pre-loaded code that steals private keys, certificates, credential files and browser-based wallet extensions. The security researchers found targeting logic for different wallets, including extensions on Safari and Chromium-based browsers.
The security firm said the malware persists on macOS by abusing the system to register as a background agent. The team said the server is hosted in Finland but believes the infrastructure is routed through Germany to mask the operators’ origin.
Security firm warns of fake job ads
The malware is reportedly being distributed through fake job recruitment ads, a tactic that has been increasingly used to target Web3 developers and builders.
Once users install the malicious package, ModStealer embeds itself into the system and operates in the background. It captures data from the clipboard, takes screenshots and executes remote commands.
Stephen Ajayi, DApp and AI audit technical lead at blockchain security firm Hacken, told Cointelegraph that malicious recruitment campaigns using fraudulent “test tasks” as a malware delivery mechanism are becoming increasingly common. He warned developers to take extra precautions when asked to download files or complete assessments.
“Developers should validate the legitimacy of recruiters and associated domains,” Ajayi told Cointelegraph. “Request that assignments be shared via public repositories, and open any task exclusively in a disposable virtual machine with no wallets, SSH keys or password managers.”
Emphasizing the importance of compartmentalizing sensitive assets, Ajayi advised teams to maintain a strict separation between their development environments and wallet storage.
“A clear separation between the development environment ‘dev box’ and wallet environment ‘wallet box’ is essential,” he told Cointelegraph.
Related: Failed NPM exploit highlights looming threat to crypto security: Exec
Hacken security lead shares practical steps for users
Ajayi also stressed the importance of basic wallet hygiene and endpoint hardening to defend against threats like Modstealer.
“Use hardware wallets and always confirm transaction addresses on the device display, verifying at least the first and last six characters before approving,” he told Cointelegraph.
Ajayi advised users to maintain a dedicated, locked-down browser profile or a separate device exclusively for wallet activity, interacting with only the trusted wallet extensions.
For account protection, he recommended offline storage of seed phrases, multifactor authentication and the use of FIDO2 passkeys when possible.
Magazine: Thailand’s ‘Big Secret’ crypto hack, Chinese developer’s RWA tokens: Asia Express