GhostLoader
GhostLoader is a cross-platform information stealer, also referred to in reporting as GhostClaw, that targets developer environments and trusted development workflows. It has been observed in March 2026 campaigns abusing the OpenClaw AI agent framework, malicious GitHub repositories, shell installers, and a malicious npm package impersonating an OpenClaw installer (@openclaw-ai/openclawai). In the OpenClaw/DeepSeek-Claw campaign, GhostLoader was delivered via obfuscated Node.js payloads embedded in npm lifecycle scripts and manual installation paths such as install.sh or npm install; on macOS and Linux it used terminal-based social engineering and fake password prompts to harvest credentials, while on Windows it could also be delivered through the manual path. Reporting also states the malware internally identifies itself as GhostLoader, while the broader campaign is tracked as GhostClaw.
Documented capabilities include theft of system credentials, browser credentials, cookies, credit cards and autofill data, macOS Keychain and iCloud Keychain databases, SSH keys, cryptocurrency wallet files and seed phrases, cloud and developer credentials and configuration files, API tokens, and other sensitive developer secrets. Multiple sources specifically mention theft of macOS Keychain data, SSH keys, cryptocurrency wallets, cloud API tokens, AWS/Azure/GCP/Kubernetes/Docker/GitHub-related credentials, and browser data. On macOS, if additional permissions are obtained, reporting states it can also access data such as Apple Notes, iMessage history, Safari history, and Mail-related data. Some reporting describes RAT-like functionality including persistence, arbitrary command execution, SOCKS5 proxying, and live browser session cloning via Chrome DevTools Protocol.
Observed behavior includes use of heavily obfuscated JavaScript stages, fake CLI installer interfaces with progress output, fraudulent Keychain-style or sudo-style prompts, validation of entered passwords against legitimate OS authentication mechanisms, retrieval of encrypted secondary payloads from attacker-controlled infrastructure, execution from temporary files, and cleanup of artifacts such as terminal clearing and deletion of temporary payload files. Persistence mechanisms directly mentioned in the content include installation under hidden .npm_telemetry paths, shell startup file modifications (~/.zshrc, ~/.bashrc, ~/.bash_profile), and Linux @reboot cron entries. Exfiltration was reported to attacker-controlled servers, including infrastructure associated with trackpipe.dev; some reporting also mentions Telegram Bot API and GoFile.io as exfiltration channels.
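The persistence artifacts listed above (a hidden .npm_telemetry path, shell startup file hooks, @reboot cron entries) and the npm lifecycle-script delivery mentioned earlier can be checked with simple host heuristics. The following Python is an added example, not code from the page or from any vendor report; the on-disk layout under .npm_telemetry and the file contents are constructed assumptions.

```python
"""Added example: heuristics for the GhostLoader persistence artifacts named on this
page. All inputs below are constructed samples, not real malware artifacts."""
import re
from typing import Dict, List

SUSPECT_PATH = ".npm_telemetry"          # hidden install path named in reporting
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall")  # npm scripts run on install

def find_shell_hooks(rc_text: str) -> List[str]:
    """Return executable lines in a shell startup file (~/.zshrc, ~/.bashrc,
    ~/.bash_profile) that reference the hidden .npm_telemetry path."""
    hits = []
    for line in rc_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            continue                     # a comment cannot execute anything
        if SUSPECT_PATH in stripped:
            hits.append(stripped)
    return hits

def find_reboot_cron(crontab_text: str) -> List[str]:
    """Return @reboot crontab entries; these re-run a command at every boot."""
    return [l.strip() for l in crontab_text.splitlines()
            if re.match(r"^\s*@reboot\b", l)]

def find_npm_lifecycle_hooks(package_json: Dict) -> Dict[str, str]:
    """Return install-time npm lifecycle scripts that invoke node on a file,
    the delivery path described for the obfuscated Node.js stage."""
    scripts = package_json.get("scripts", {})
    return {k: v for k, v in scripts.items()
            if k in LIFECYCLE_HOOKS and re.search(r"\bnode\b", v)}

# Constructed sample inputs (assumed layout, for demonstration only)
SAMPLE_ZSHRC = """export PATH=$HOME/bin:$PATH
# harmless comment that merely mentions .npm_telemetry
[ -f "$HOME/.npm_telemetry/run.sh" ] && "$HOME/.npm_telemetry/run.sh" >/dev/null 2>&1 &
alias ll='ls -la'
"""
SAMPLE_CRONTAB = """0 3 * * * /usr/bin/backup.sh
@reboot /home/dev/.npm_telemetry/node /home/dev/.npm_telemetry/agent.js
"""
SAMPLE_PACKAGE = {"name": "example-pkg",
                  "scripts": {"postinstall": "node ./lib/postinstall.js",
                              "test": "node test.js"}}

if __name__ == "__main__":
    print("shell hooks:", find_shell_hooks(SAMPLE_ZSHRC))
    print("reboot cron:", find_reboot_cron(SAMPLE_CRONTAB))
    print("npm hooks:  ", find_npm_lifecycle_hooks(SAMPLE_PACKAGE))
```

In practice the functions would be fed the real contents of each startup file, the output of crontab -l, and the package.json of any package being vetted; running npm install with --ignore-scripts prevents lifecycle hooks from executing during review.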
Associated infrastructure and indicators directly mentioned in the content include trackpipe.dev, cloudcraftshub.com/api, dropras.xyz, IP 146.19.24.131, and malicious GitHub repositories such as Needvainverter93/deepseek-claw and others tied to the campaign. The malware has been associated in reporting with malicious repositories impersonating developer tools, trading bots, SDKs, and AI skills, and with campaigns targeting developers and AI-driven workflows across macOS, Linux, and Windows.
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Reconnaissance (1 technique)
Initial Access (5 techniques)
Jamf Threat Labs exposes new GhostClaw/GhostLoader samples using malicious GitHub repos and AI dev workflows to steal macOS credentials via multi-stage payloads.
Zscaler’s analysts noted that as AI agents become standard in development pipelines, supply chain poisoning through fake skills is a growing threat. Their analysis revealed that the threat actor published the deceptive skill on GitHub, knowing that AI agents and developers would likely pull it into automated workflows without a second thought.
"identified a live malicious npm package named @openclaw-ai/openclawai ... masquerades as a legitimate CLI tool"
the repositories contain a README with step-by-step installation instructions that encourage users to execute a shell command, typically using curl to retrieve and run a remote script.
A new malware campaign called GhostClaw is actively targeting macOS users through fake GitHub repositories and AI-assisted development workflows. The campaign uses social engineering disguised as legitimate developer tools to steal user credentials and drop secondary payloads on infected systems.
Execution (5 techniques)
This retrieves and executes install.sh, which serves as the initial bootstrapper.
The alternate attack path, built for macOS and Linux environments, used a heavily obfuscated Node.js file buried inside npm lifecycle scripts. When the install command ran, it silently dropped GhostLoader onto the system.
Persistence (3 techniques)
Privilege Escalation (3 techniques)
Stealth (6 techniques)
For macOS and Linux systems, the campaign deploys an obfuscated Node.js payload that installs GhostLoader to steal sensitive developer data.
"The NUKE command performs complete self-destruction... removes shell hooks... cleans cron jobs... deletes ... install directory"
enabling it to steal system credentials, deliver the GhostLoader malware by contacting a command-and-control (C2) server, and remove traces of malicious activity by clearing the Terminal.
Following execution, the temporary file is removed... Following execution of the primary payload, postinstall.js is invoked to extend the compromise and obscure earlier activity.
Credential Access (4 techniques)
"displays a fake Keychain authorization prompt... victim is prompted for their system password (up to 5 attempts)"
Remcos set itself to stealth mode immediately upon execution, logging keystrokes, stealing browser cookies... With Remcos giving attackers a full remote shell and GhostLoader scooping up cloud tokens, SSH keys, and browser session cookies...
Discovery (4 techniques)
Collection (3 techniques)
Command and Control (5 techniques)
the next-stage downloader... reaches out to a Telegram channel to fetch the URL for the final payload... The initial npm package captures credentials and fetches configuration from either a Telegram channel or a Teletype.in page...
"HTTP upload to hxxps://trackpipe.dev" and "polls the C2 panel every ~25 seconds"
"installs a persistent RAT... including a SOCKS5 proxy" and "PROXY_START Start a SOCKS5 proxy"
Exfiltration (3 techniques)
Once active, GhostLoader swept through the host for anything valuable: macOS Keychain data, SSH keys, cryptocurrency wallet files, and cloud API tokens. All of it was sent back to attacker-controlled servers.
IOCs tracked for this family
32 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
An obfuscated Node.js-delivered payload used on macOS and Linux to steal sensitive developer data.
A cross-platform stealer delivered through obfuscated Node.js code in npm lifecycle scripts from the fake DeepSeek-Claw skill. It targets developer environments, steals macOS Keychain data, SSH keys, cryptocurrency wallet files, cloud API tokens, and browser/session-related data, and exfiltrates them to attacker-controlled servers. On macOS and Linux it also presents fake password prompts to harvest credentials.
Cross-platform information stealer targeting developer environments. In this campaign it is delivered through manual installation paths such as install.sh or npm install, including an obfuscated Node.js payload. It harvests credentials via terminal-based social engineering and exfiltrates macOS keychain data, SSH keys, cryptocurrency wallets, and cloud API tokens.
A multi-stage macOS-focused malware used in the Ghost/GhostClaw campaign. It is delivered via malicious npm packages and GitHub repositories, tricks users into entering sudo credentials, contacts Telegram/C2 infrastructure to fetch later-stage payloads, steals credentials and sensitive data including cryptocurrency wallets, and can function as a remote access trojan awaiting further instructions.