
A newly discovered malware dubbed ModStealer is targeting cryptocurrency users across macOS, Windows, and Linux, according to security firm Mosyle. The malware went undetected by major antivirus tools for almost a month after being uploaded to VirusTotal, highlighting gaps in signature-based protection.
Mosyle said ModStealer is engineered to steal private keys, certificates, credential files, and browser wallet data. Pre-loaded code specifically targets 56 wallet extensions across Safari and Chromium browsers. On macOS, the malware persists by abusing Apple’s launchctl tool to register itself as a background LaunchAgent, which quietly exfiltrates data to a remote server. The server infrastructure was traced to Finland but appeared to be routed through Germany to obscure its operators.
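A defender's counterpart to the LaunchAgent persistence described above, added here as an example and not taken from Mosyle's report: a small Python triage script that parses per-user LaunchAgent plists and flags agents that start code from outside the usual system and application directories, through a scripting interpreter, or from a hidden path. The trusted-path list, the interpreter names and the two sample plists are constructed assumptions, not indicators from the article.

```python
import os
import plistlib
from typing import List, Tuple

# Where legitimate agents normally point; code launched from anywhere else earns a look (assumption).
TRUSTED_PREFIXES = ("/System/", "/usr/", "/bin/", "/sbin/", "/Applications/", "/Library/Apple/")
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "node", "python3", "perl"}

def program_of(agent: dict) -> str:
    """Executable a LaunchAgent starts: Program, or the first ProgramArguments entry."""
    if agent.get("Program"):
        return agent["Program"]
    args = agent.get("ProgramArguments") or []
    return args[0] if args else ""

def assess_agent(agent: dict) -> List[str]:
    """Heuristic triage of a parsed LaunchAgent dict; an empty list means nothing stood out."""
    program = program_of(agent)
    reasons = []
    if program and not program.startswith(TRUSTED_PREFIXES):
        reasons.append("program outside trusted system/app directories")
    if os.path.basename(program) in INTERPRETERS:
        reasons.append("launches a scripting interpreter rather than a binary")
    if not reasons:
        return []  # system or bundled-app binary: not what this triage is for
    if agent.get("RunAtLoad") or agent.get("KeepAlive"):
        reasons.append("auto-started and/or kept alive by launchd")
    if any(part.startswith(".") for part in program.split("/")):
        reasons.append("hidden (dot-prefixed) path component")
    return reasons

def scan_plist(data: bytes) -> Tuple[str, str, List[str]]:
    """Parse one LaunchAgent plist (XML or binary) and return (label, program, reasons)."""
    agent = plistlib.loads(data)
    return agent.get("Label", "<no Label>"), program_of(agent), assess_agent(agent)

def scan_launch_agents(directory: str = os.path.expanduser("~/Library/LaunchAgents")) -> list:
    """Triage every .plist in a LaunchAgents directory; returns only agents with findings."""
    findings = []
    for name in sorted(os.listdir(directory)) if os.path.isdir(directory) else []:
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as f:
                label, program, reasons = scan_plist(f.read())
            if reasons:
                findings.append((name, label, program, reasons))
    return findings

# Constructed samples (not real ModStealer artifacts): a bundled-app helper and a suspect agent.
BENIGN = plistlib.dumps({"Label": "com.vendor.helper", "RunAtLoad": True,
                         "Program": "/Applications/Vendor.app/Contents/MacOS/helper"})
SUSPECT = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True, "KeepAlive": True,
                          "ProgramArguments": ["/Users/dev/Library/.cache/updater", "--quiet"]})
```

Running `scan_launch_agents()` on a Mac lists only the agents that tripped a heuristic; treat the output as a starting point for manual review, since legitimate third-party tools also install agents outside the trusted prefixes.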
The malware is being distributed through fake job recruitment ads targeting developers, echoing a broader trend of social engineering campaigns against Web3 workers. Once installed, ModStealer embeds itself, captures clipboard data, takes screenshots, and executes remote commands — effectively granting attackers full control of compromised devices.
Stephen Ajayi of security firm Hacken told Cointelegraph that malicious “test tasks” are now a common delivery vector. He urged developers to validate recruiters, only accept assignments via public repositories, and open files exclusively in disposable virtual machines with no wallets or sensitive credentials present.
“A clear separation between the development environment ‘dev box’ and wallet environment ‘wallet box’ is essential,” Ajayi said, stressing compartmentalization as a defensive layer.
Ajayi emphasized hardware wallets as a primary safeguard, urging users to confirm transaction addresses directly on device displays before signing. He also recommended maintaining a dedicated browser profile or separate device for wallet activity, ensuring interaction only with trusted extensions.
Other protections include offline storage of seed phrases, enabling multifactor authentication, and adopting FIDO2 passkeys where available. Endpoint hardening and continuous monitoring, Mosyle added, are crucial as malware-as-a-service models proliferate.
ModStealer’s discovery follows a string of high-profile exploits. Just last week, Ledger CTO Charles Guillemet warned users to halt onchain transactions amid a Node Package Manager (NPM) supply chain attack. Although that incident was contained quickly — with only about $1,000 stolen — the scale of risk was enormous, as spoofed packages had billions of downloads.
Security researchers also flagged a ReversingLabs report showing threat actors embedding malicious instructions in Ethereum smart contracts linked to NPM packages. Together, these incidents highlight how attackers are increasingly targeting the developer supply chain as a gateway into crypto ecosystems.
With ModStealer now circulating undetected for weeks, experts warn that behavioral detection and zero-trust practices must replace reliance on outdated antivirus signatures. As malware evolves into a service-based industry, the crypto sector faces a heightened arms race in security.

