GhostClaw

this script acts as a sophisticated dropper that uses terminal-based social engineering, such as spoofed sudo password prompts, to trick users into handing over credentials

Jamf Threat Labs exposes new GhostClaw/GhostLoader samples using malicious GitHub repos and AI dev workflows to steal macOS credentials via multi-stage payloads.

The malware was distributed through malicious npm packages, targeting developers who routinely install tools from public package registries. The campaign quickly spread beyond the npm ecosystem and into GitHub-hosted repositories that impersonated trading bots, software development kits, and other common developer utilities.

the repositories contain a README with step-by-step installation instructions that encourage users to execute a shell command, typically using curl to retrieve and run a remote script.

A new malware campaign called GhostClaw is actively targeting macOS users through fake GitHub repositories and AI-assisted development workflows. The campaign uses social engineering disguised as legitimate developer tools to steal user credentials and drop secondary payloads on infected systems.

In one path, repositories contain README files with step-by-step installation instructions that prompt users to run a shell command using curl.

In Windows, GhostLoader is delivered via a heavily obfuscated Node.js payload ( setup.js ) embedded in the project’s npm lifecycle scripts.

README files with step-by-step installation instructions... prompt users to run a shell command using curl... This means GhostClaw can infect a system without any direct human involvement.

Jamf Threat Labs exposes new GhostClaw/GhostLoader samples using malicious GitHub repos and AI dev workflows to steal macOS credentials via multi-stage payloads.

Jamf Threat Labs exposes new GhostClaw/GhostLoader samples using malicious GitHub repos and AI dev workflows to steal macOS credentials via multi-stage payloads.

Execution then passes to setup.js, a heavily obfuscated JavaScript file responsible for credential collection.

The process starts with install.sh, a bootstrapper script that presents itself as a routine setup tool... To avoid raising suspicion, the script clears the terminal and displays fake progress indicators that mimic a legitimate SDK installation.

Following execution, the temporary file is removed... Following execution of the primary payload, postinstall.js is invoked to extend the compromise and obscure earlier activity.

Jamf Threat Labs exposes new GhostClaw/GhostLoader samples using malicious GitHub repos and AI dev workflows to steal macOS credentials via multi-stage payloads.

In addition to the terminal prompt, the script can present native-looking dialogs using AppleScript: osascript -e 'set dialogResult to display dialog ...'

These dialogs are designed to resemble macOS security prompts and instruct the user to grant access or provide credentials. Variants observed during analysis impersonate different applications, including developer tools and trading platforms, while maintaining consistent messaging around access to 'secure wallet and credential storage.'

This is followed by a credential prompt presented directly in the terminal: Password: ... The supplied password is then validated using: dscl . -authonly {username} {password}

It checks the host macOS version and architecture, then silently installs a compatible version of Node.js in a user-controlled directory, avoiding any need for elevated privileges.

Once credentials are collected and access is secured, setup.js contacts the command-and-control server at trackpipe[.]dev to retrieve an encrypted secondary payload.

setup.js contacts the command-and-control server at trackpipe[.]dev to retrieve an encrypted secondary payload, which is written to a temporary file at /tmp/sys-opt-{random}.js.