New cross-platform stealer targets browser wallets and developer environments
Security researchers have uncovered a stealthy new malware strain called ModStealer that evades mainstream antivirus engines and siphons data from browser-based crypto wallets on Windows, macOS and Linux. The discovery, disclosed by endpoint security firm Mosyle and reported by 9to5Mac, highlights a renewed supply-chain and social-engineering threat to cryptocurrency users and developers.
How ModStealer spreads
Mosyle’s analysis indicates the attack vector begins with fake job recruiter advertisements that specifically target developers. The lure is intentional: developers often have Node.js runtimes and related tooling installed, making them attractive targets for a payload that leverages JavaScript ecosystems. The ModStealer installer is obfuscated to defeat signature-based antivirus detection, and according to reports it went undetected by several major engines for almost a month after deployment.
What the malware does
Once executed, ModStealer performs a series of reconnaissance and exfiltration steps tailored to the crypto ecosystem. It scans systems for browser wallet extensions, looking for private keys, seed phrases, exchange API keys and other credentials. It also harvests system passwords and digital certificates before sending stolen data back to remote Command-and-Control (C2) servers. The malware’s multi-platform design and “zero-detection” execution chain make it a particularly dangerous threat for users who rely on software wallets or browser extensions for managing cryptocurrency.
On macOS devices, ModStealer attempts to establish persistence by registering as a background helper program that runs at every system startup. Infected machines may contain a covert file named ".sysupdater.dat" and show connections to suspicious remote servers — indicators that Mosyle flagged in its disclosure.

Broader implications for crypto security
Shān Zhang, CISO at blockchain security firm Slowmist, told Decrypt that ModStealer represents more than just individual theft: mass extraction of browser extension wallet data could enable large-scale on-chain exploits and erode trust in decentralized applications. Attackers with access to private keys or seed phrases can immediately drain wallets or orchestrate broader supply-chain attacks that compromise multiple users and services.
This warning comes alongside recent alerts from other security teams. Ledger CTO Charles Guillemet raised alarms after an NPM developer account was compromised in an attempt to push malicious packages that can silently replace wallet addresses during transactions. ReversingLabs also reported that some open-source packages were being used in campaigns where Ethereum smart contracts were leveraged to distribute malware — a sophisticated tactic that blurs the line between on-chain and off-chain attack vectors.
Who is at risk?
Anyone using browser-based wallets, JavaScript package managers or developer environments is at elevated risk. Software wallets and extension-based keys are particularly vulnerable because a single successful code execution or compromised package can expose sensitive secrets. Exchanges and custodial platforms are also exposed if API keys are harvested.
Mitigation and recommendations
Security teams and individual crypto users should take the following precautions:
- Audit installed browser extensions and remove unknown or unnecessary wallet add-ons.
- Avoid installing software from unsolicited recruiter links or unverified NPM packages.
- Maintain up-to-date endpoint protection and enable behavioral monitoring, not just signature-based antivirus.
- Store large holdings in hardware wallets or cold storage, and limit the use of seed phrases on connected devices.
- Monitor for indicators of compromise such as unexpected files (e.g., ".sysupdater.dat") or outbound connections to suspicious C2 domains.
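The persistence behaviour described for macOS (a helper registered to run at every startup) and the file indicator in the list above can be turned into a simple host triage check. The Python below is an added example, not Mosyle's tooling or code from the report: it searches for the ".sysupdater.dat" file named in the disclosure and audits launchd property lists, generalising the single file indicator to any startup job that executes from a hidden (dot-prefixed) path. Treating LaunchAgents/LaunchDaemons as the registration point is an assumption; the report does not say how the helper is registered. The sample directory tree, job labels and plists are constructed for the demo and are not indicators from the report.

```python
"""Host triage for the ModStealer indicators quoted in the Mosyle disclosure.

Added example, not Mosyle's tooling. Assumption: the "background helper that
runs at every system startup" is a launchd job under LaunchAgents or
LaunchDaemons; the report does not name the mechanism.
"""
from __future__ import annotations

import json
import os
import plistlib
import tempfile
from pathlib import Path

INDICATOR_FILE = ".sysupdater.dat"  # file name quoted in the disclosure


def find_indicator_files(roots, name: str = INDICATOR_FILE) -> list[Path]:
    """Walk each root and return every file whose basename equals the indicator."""
    hits: list[Path] = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            if name in files:
                hits.append(Path(dirpath) / name)
    return hits


def _program_tokens(job: dict) -> list[str]:
    """Return the command a launchd job starts: Program, else ProgramArguments."""
    if job.get("Program"):
        return [str(job["Program"])]
    return [str(a) for a in job.get("ProgramArguments") or []]


def audit_launchd_plists(dirs) -> list[dict]:
    """Flag jobs that reference the indicator file or, with RunAtLoad set, execute
    a binary under a dot-prefixed path. Legitimate helpers rarely hide in
    dot-files, so this generalises beyond the one named file."""
    findings: list[dict] = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for plist in sorted(d.glob("*.plist")):
            try:
                job = plistlib.loads(plist.read_bytes())
            except Exception as exc:  # malformed plist content is itself worth a look
                findings.append({"plist": str(plist), "label": None,
                                 "program": "", "reasons": [f"unparseable: {exc}"]})
                continue
            tokens = _program_tokens(job)
            reasons = []
            if any(INDICATOR_FILE in t for t in tokens):
                reasons.append(f"references {INDICATOR_FILE}")
            if tokens and job.get("RunAtLoad") and any(
                    p.startswith(".") for p in Path(tokens[0]).parts):
                reasons.append("RunAtLoad job executes a hidden path")
            if reasons:
                findings.append({"plist": str(plist), "label": job.get("Label"),
                                 "program": " ".join(tokens), "reasons": reasons})
    return findings


def build_sample_tree() -> Path:
    """Create a throwaway tree mimicking an infected user profile (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="modstealer-demo-"))
    (root / INDICATOR_FILE).write_bytes(b"constructed placeholder, not a real payload")
    agents = root / "Library" / "LaunchAgents"
    agents.mkdir(parents=True)
    jobs = {  # constructed labels, not indicators from the report
        "com.example.sysupdater": {"RunAtLoad": True, "ProgramArguments": [
            "/usr/local/bin/node", str(root / INDICATOR_FILE)]},
        "com.example.hiddenhelper": {"RunAtLoad": True,
                                     "Program": str(root / ".cache" / ".helper")},
        "com.example.backup": {"RunAtLoad": True, "Program": "/usr/local/bin/backup"},
    }
    for label, job in jobs.items():
        (agents / f"{label}.plist").write_bytes(plistlib.dumps({"Label": label, **job}))
    return root


def run_demo(root: Path | None = None) -> dict:
    """Scan a tree (the constructed sample by default) and return both finding lists."""
    root = root or build_sample_tree()
    return {
        "indicator_files": [str(p) for p in find_indicator_files([root])],
        "suspicious_jobs": audit_launchd_plists([root / "Library" / "LaunchAgents"]),
    }


def scan_host() -> dict:
    """Run the same checks against the live machine (macOS launchd paths assumed)."""
    home = Path.home()
    dirs = [home / "Library" / "LaunchAgents",
            Path("/Library/LaunchAgents"), Path("/Library/LaunchDaemons")]
    return {"indicator_files": [str(p) for p in find_indicator_files([home])],
            "suspicious_jobs": audit_launchd_plists(dirs)}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))  # replace with scan_host() on a real host
```

In the sample tree the node job is flagged because its arguments name the indicator file, the hidden-helper job because a RunAtLoad entry executes from a dot-directory, and the ordinary backup job is left alone. Outbound connections to C2 servers are the other indicator the report mentions; the disclosure gives no domains, so that check is left to the network layer rather than stubbed here.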
Mosyle’s disclosure underscores ongoing risks in the crypto supply chain: attackers combine social engineering, obfuscated code, and cross-platform persistence to target developer tooling and browser wallets. Users and organizations should assume that any code execution in a software wallet environment can lead to direct asset loss, and adopt layered defenses to reduce attack surface and improve incident detection.