A new strain of malware purpose-built to steal crypto wallet data is slipping past every major antivirus engine, according to Apple device security firm Mosyle.
Dubbed ModStealer, the infostealer has been live for nearly a month without detection by virus scanners. Mosyle researchers say the malware is being distributed through malicious recruiter ads targeting developers and uses a heavily obfuscated NodeJS script to bypass signature-based defenses.
That means the malware’s code has been scrambled and layered with tricks that make it unreadable to signature-based antivirus tools. Since these defenses rely on spotting recognizable code “patterns,” the obfuscation hides them, allowing the script to execute without detection.
In practice, this lets attackers slip malicious instructions into a system while bypassing traditional security scans that would usually catch simpler, unaltered code.
Unlike most Mac-focused malware, ModStealer is cross-platform, hitting Windows and Linux environments as well. Its primary mission is that of data exfiltration, and the code is presumed to include pre-loaded instructions to target 56 browser wallet extensions designed to extract private keys, credentials, and certificates.
The malware also supports clipboard hijacking, screen capture, and remote code execution, giving attackers the ability to seize near-total control of infected devices. On macOS, persistence is achieved via Apple’s launching tool, embedding itself as a LaunchAgent.
Mosyle states that the build aligns with the profile of “Malware-as-a-Service,” where developers sell ready-made tools to affiliates with limited technical expertise. The model has driven a surge in infostealers this year, with Jamf reporting a 28% rise in 2025 alone.
The discovery comes on the heels of recent npm-focused attacks where malicious packages like colortoolsv2 and mimelib2 used Ethereum smart contracts to conceal second-stage malware. In both cases, attackers leveraged obfuscation and trusted developer infrastructure to bypass detection.
ModStealer extends this pattern beyond package repositories, showing how cybercriminals are escalating their techniques across ecosystems to compromise developer environments and directly target crypto wallets.
