
ModStealer Malware Targets Crypto Wallets, Evades Antivirus Detection
A newly identified strain of malware, ModStealer, is bypassing all major antivirus engines while targeting browser-based cryptocurrency wallets, according to Apple-focused security firm Mosyle.
Active for nearly a month, ModStealer is being distributed via malicious recruiter ads aimed at developers. The malware uses a heavily obfuscated Node.js script, which traditional signature-based antivirus tools cannot read. By scrambling its code and layering deceptive instructions, the malware executes without triggering standard security defenses.
Unlike typical Mac malware, ModStealer is cross-platform, affecting Windows and Linux devices as well. Its primary function is to steal sensitive data, with pre-configured instructions to target 56 browser wallet extensions. The malware can extract private keys, credentials, and certificates, while also supporting clipboard hijacking, screen capture, and remote code execution, giving attackers near-total control. On macOS, it persists through Apple’s LaunchAgent system.
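The LaunchAgent persistence mentioned above can be reviewed on a Mac with a short audit. The script below is an added example, not code from Mosyle or from this article; the interpreter list, the path heuristics and the sample plists are assumptions constructed for illustration, not indicators from the report.

```python
import plistlib
from pathlib import Path

# Assumed heuristics for illustration; tune them for your own fleet.
INTERPRETERS = {"node", "nodejs", "osascript", "python3", "sh", "bash", "zsh"}
ODD_PATH_PARTS = ("/tmp/", "/private/tmp/", "/Users/Shared/", "/.")  # temp or hidden dirs
AGENT_DIRS = ("~/Library/LaunchAgents", "/Library/LaunchAgents")

def agent_command(plist):
    """Return the command line a LaunchAgent runs (ProgramArguments, else Program)."""
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args:
        return [str(a) for a in args]
    return [str(plist["Program"])] if plist.get("Program") else []

def findings(plist):
    """Return a list of reasons this agent deserves a manual look."""
    cmd = agent_command(plist)
    reasons = []
    if cmd and Path(cmd[0]).name in INTERPRETERS:
        reasons.append("interpreter:" + Path(cmd[0]).name)
    if any(part in arg for arg in cmd for part in ODD_PATH_PARTS):
        reasons.append("temp-or-hidden-path")
    if reasons and (plist.get("RunAtLoad") or plist.get("KeepAlive")):
        reasons.append("auto-start")
    return reasons

def audit(directories=AGENT_DIRS):
    """Parse every .plist in the given directories and map path -> reasons."""
    flagged = {}
    for directory in directories:
        for path in sorted(Path(directory).expanduser().glob("*.plist")):
            try:
                with open(path, "rb") as fh:
                    reasons = findings(plistlib.load(fh))
            except Exception:  # a malformed or unreadable plist is itself worth a look
                reasons = ["unparseable"]
            if reasons:
                flagged[str(path)] = reasons
    return flagged

# Constructed samples (labels and paths are made up, not taken from the report).
SAMPLE_SUSPECT = {"Label": "com.example.updater", "RunAtLoad": True,
                  "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.cache/agent.js"]}
SAMPLE_BENIGN = {"Label": "com.example.app.helper", "RunAtLoad": True,
                 "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/helper"]}

if __name__ == "__main__":
    print(findings(SAMPLE_SUSPECT), findings(SAMPLE_BENIGN))
    for path, reasons in audit().items():
        print(path, reasons)
```

A flagged entry is a prompt for manual review, not a verdict: legitimate developer tools also register agents that start an interpreter at login.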
Mosyle classifies ModStealer as part of the “Malware-as-a-Service” trend, where developers sell ready-made malware tools to affiliates with limited technical skills. This model has contributed to a surge in infostealers, with Jamf reporting a 28% increase in 2025 alone.
The threat comes in the wake of npm-focused attacks, where malicious packages such as colortoolsv2 and mimelib2 exploited Ethereum smart contracts to conceal second-stage malware. ModStealer extends these techniques, showing how cybercriminals are escalating attacks across developer ecosystems to directly compromise crypto wallets.