A multi-wave software supply chain campaign, tracked by ReversingLabs and JFrog, is distributing malicious npm packages that install GhostLoader, a macOS remote access trojan, on developer machines. The attackers steal sudo credentials, browser-stored passwords, and cryptocurrency wallet data, exfiltrate the stolen data via Telegram bots, and coordinate their affiliates through Binance Smart Chain smart contracts. Organizations with macOS developers are at risk if they have installed npm packages from the malicious publisher account 'mikilanjillo' or from trojanized GitHub repositories associated with this campaign, or if they use OpenClaw AI agent tooling, which this campaign is known to target.