This Invisible 'ModStealer' is Targeting Your Browser-Based Crypto Wallets

Source: CoinDesk

Published: 2025-09-12 06:44

BTC Price: $115290

#crypto #security #malware

Analysis

Price Impact

Med

The news discusses a malware strain targeting crypto wallets, which could lead to theft of crypto assets. This could induce fear and uncertainty in the market, particularly for users of browser-based wallets.

Trustworthiness

High

The article is published on CoinDesk, a reputable news source in the cryptocurrency industry. The piece also cites security firm Mosyle, adding credibility.

Price Direction

Bearish

The news of a widespread malware threat targeting crypto wallets is likely to create selling pressure as users become cautious and potentially move assets to cold storage or sell off positions to avoid potential losses.

Time Effect

Short

The impact will likely be short-lived as users and exchanges take steps to mitigate the threat by updating security measures. Once confidence is restored, the market should stabilize.

Original Article:

Article Content:

The code includes pre-loaded instructions to target 56 browser wallet extensions and is designed to extract private keys, credentials, and certificates.

By Shaurya Malwa | Edited by Parikshit Mishra

Updated Sep 12, 2025, 7:21 a.m. Published Sep 12, 2025, 6:44 a.m.

What to know:

A new malware strain called ModStealer is evading major antivirus engines and targeting crypto wallet data.

ModStealer uses obfuscated NodeJS scripts to bypass signature-based defenses and is distributed through malicious recruiter ads.

The malware affects Windows, Linux, and macOS, supporting data exfiltration, clipboard hijacking, and remote code execution.

A new strain of malware purpose-built to steal crypto wallet data is slipping past every major antivirus engine, according to Apple device security firm Mosyle.

Dubbed ModStealer, the infostealer has been live for nearly a month without detection by virus scanners. Mosyle researchers say the malware is being distributed through malicious recruiter ads targeting developers and uses a heavily obfuscated NodeJS script to bypass signature-based defenses.

That means the malware’s code has been scrambled and layered with tricks that make it unreadable to signature-based antivirus tools. Since these defenses rely on spotting recognizable code “patterns,” the obfuscation hides them, allowing the script to execute without detection.

In practice, this lets attackers slip malicious instructions into a system while bypassing traditional security scans that would usually catch simpler, unaltered code.

Unlike most Mac-focused malware, ModStealer is cross-platform, hitting Windows and Linux environments as well. Its primary mission is that of data exfiltration, and the code is presumed to include pre-loaded instructions to target 56 browser wallet extensions designed to extract private keys, credentials, and certificates.

The malware also supports clipboard hijacking, screen capture, and remote code execution, giving attackers the ability to seize near-total control of infected devices. On macOS, persistence is achieved via Apple’s launching tool, embedding itself as a LaunchAgent.

Mosyle states that the build aligns with the profile of “Malware-as-a-Service,” where developers sell ready-made tools to affiliates with limited technical expertise. The model has driven a surge in infostealers this year, with Jamf reporting a 28% rise in 2025 alone.

The discovery comes on the heels of recent npm-focused attacks where malicious packages like colortoolsv2 and mimelib2 used Ethereum smart contracts to conceal second-stage malware. In both cases, attackers leveraged obfuscation and trusted developer infrastructure to bypass detection.

ModStealer extends this pattern beyond package repositories, showing how cybercriminals are escalating their techniques across ecosystems to compromise developer environments and directly target crypto wallets.
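
The article reports that on macOS ModStealer persists as a LaunchAgent and runs as a NodeJS script. As an added example (not from the article or from Mosyle), this Python code reviews LaunchAgent plists for jobs that start a Node.js interpreter; the heuristics, labels and paths are assumptions chosen for illustration, not published indicators.

```python
import plistlib
from pathlib import Path, PurePosixPath

# Assumed review heuristics for illustration; not indicators published for ModStealer.
NODE_NAMES = {"node", "nodejs"}
WRITABLE_HINTS = ("/tmp/", "/var/tmp/", "/Users/Shared/")

def review_launch_agent(raw: bytes) -> list[str]:
    """Return the reasons a LaunchAgent plist deserves manual review (empty if none)."""
    try:
        job = plistlib.loads(raw)
    except Exception:  # malformed XML or binary plist
        return ["unparseable plist"]
    if not isinstance(job, dict):
        return ["unexpected plist structure"]
    args = job.get("ProgramArguments") or [job.get("Program", "")]
    args = [args] if isinstance(args, str) else args
    # Split each argument so `sh -c "node script.js"` wrappers are seen too.
    tokens = [tok for arg in args for tok in str(arg).split()]
    reasons = []
    if any(PurePosixPath(tok).name.lower() in NODE_NAMES for tok in tokens):
        reasons.append("launches a Node.js interpreter")
    paths = [tok for tok in tokens if tok.startswith("/")]
    if any(part.startswith(".") for p in paths for part in PurePosixPath(p).parts):
        reasons.append("references a hidden directory or file")
    if any(hint in p for p in paths for hint in WRITABLE_HINTS):
        reasons.append("references a world-writable location")
    if reasons and (job.get("RunAtLoad") or job.get("KeepAlive")):
        reasons.append("starts automatically at login")
    return reasons

def audit(directories=("~/Library/LaunchAgents", "/Library/LaunchAgents")):
    """Map each plist path under the given directories to its review reasons."""
    findings = {}
    for d in directories:
        for plist in sorted(Path(d).expanduser().glob("*.plist")):
            reasons = review_launch_agent(plist.read_bytes())
            if reasons:
                findings[str(plist)] = reasons
    return findings

# Constructed sample jobs (labels and paths are made up for this example).
SUSPECT = plistlib.dumps({"Label": "com.example.updater", "RunAtLoad": True,
    "ProgramArguments": ["/usr/local/bin/node", "/Users/dev/.helper/index.js"]})
BENIGN = plistlib.dumps({"Label": "com.example.app.agent", "RunAtLoad": True,
    "ProgramArguments": ["/Applications/Example.app/Contents/MacOS/agent"]})

if __name__ == "__main__":
    print(review_launch_agent(SUSPECT), review_launch_agent(BENIGN), audit())
```

A hit is a prompt for manual review rather than a verdict, since legitimate developer tooling also registers Node.js jobs as LaunchAgents.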