Malware campaigns abuse developer ecosystems via malicious npm packages and GitHub repositories
Security researchers reported multiple software supply-chain malware distribution campaigns that abuse developer-adjacent platforms. JFrog detailed a malicious npm package, @openclaw-ai/openclawai, that masquerades as an OpenClaw CLI installer. Once installed, its postinstall lifecycle hook reinstalls the package globally and drops an obfuscated first stage (setup.js) that deploys a multi-stage payload internally identified as GhostLoader; the campaign is tracked as GhostClaw. The malware persists on the host and exfiltrates a broad set of sensitive data from developer workstations, including credentials (e.g., AWS, GCP and Azure cloud configuration files), macOS Keychain data, browser sessions, SSH keys, and cryptocurrency wallet and seed material.
Separately, Trend Micro reported a large-scale distribution operation for the BoryptGrab information stealer via more than 100 public GitHub repositories that pose as legitimate tools and game cheats. The campaign uses SEO manipulation (keyword-stuffed READMEs and lookalike download pages) to drive victims from search results into redirect chains that ultimately deliver ZIP archives containing the stealer; some variants also deploy a PyInstaller backdoor (TunnesshClient) that establishes a reverse SSH tunnel for attacker communications. Reported indicators (e.g., Russian-language comments and related infrastructure) suggest a possible Russian nexus, and the stealer harvests browser data, crypto wallets, system information, and user files.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Zscaler finds trojanized Claude Code leak repos on GitHub
Zscaler ThreatLabz identified GitHub repositories masquerading as leaked or rebuilt source code for Anthropic's Claude Code CLI that actually delivered a Rust-based dropper installing Vidar and GhostSocks. At least two malicious repositories remained available at the time of reporting, including one with hundreds of forks and stars, showing attackers rapidly pivoting to a new AI-themed lure.
Netskope exposes 300-package GitHub malware campaign using OpenClaw lure
Netskope Threat Labs identified a large GitHub malware operation, tracked as "TroyDen's Lure Factory," that used more than 300 trojanized packages impersonating OpenClaw and other lures to target developers, gamers, and general users. The campaign deployed a LuaJIT-based Trojan with anti-analysis delays, screenshot capture, credential theft, geolocation, and data exfiltration to a command-and-control server in Frankfurt.
ReversingLabs identifies seven-package Ghost npm campaign
ReversingLabs uncovered a malicious npm supply-chain campaign, tracked as Ghost, involving seven packages published by the user "mikilanjillo" that targeted macOS users. The packages used deceptive install flows and staged payload delivery via Telegram to steal sudo passwords, cryptocurrency wallets, and other sensitive data before deploying a stealer or remote access trojan.
Jamf links GhostClaw expansion to GitHub and AI workflows
Jamf Threat Labs reported that the GhostClaw campaign had expanded beyond npm to GitHub repositories and AI-assisted development workflows, using fake developer projects and staged benign content to trick users or coding agents into running installer commands. Jamf tied the repositories and samples to the same operation through shared infrastructure, campaign UUIDs, and NODE_CHANNEL values.
Malicious OpenClaw package removed from npm
The fake OpenClaw npm package used in the GhostClaw/GhostLoader campaign was removed from npm as a security measure after researchers identified it as malicious. This disrupted the package-based delivery vector documented by multiple reports.
Trend Micro reports GitHub-based BoryptGrab malware operation
Trend Micro reported a large-scale malware distribution campaign using more than 100 public GitHub repositories to spread the BoryptGrab information stealer through fake tools, cheats, and SEO-stuffed lures. The infection chains delivered BoryptGrab along with additional payloads including Vidar variants, HeaconLoad, and TunnesshClient, with artifacts suggesting possible Russian-origin operators.
JFrog publicly discloses GhostClaw/GhostLoader campaign
JFrog published research detailing the GhostClaw/GhostLoader operation, including its fake macOS Keychain prompt, broad credential and wallet theft, persistence mechanisms, and command-and-control features such as proxying and remote command execution. The report also provided remediation guidance including removing persistence, rotating credentials, and re-imaging affected systems if necessary.
JFrog discovers malicious OpenClaw npm package
JFrog Security discovered a live malicious npm package, @openclaw-ai/openclawai, that impersonated an OpenClaw installer while deploying the GhostLoader/GhostClaw malware framework. The package used a postinstall hook, a fake installer flow, and encrypted second-stage payload delivery from trackpipe.dev to steal credentials and establish persistence.
Sources
Fake Claude Code source downloads actually delivered malware (The Register, go.theregister.com)
New Ghost Campaign Uses Fake npm Progress Bars to Phish Sudo Passwords (hackread.com)
GhostClaw AI Assisted Malware Attacking macOS Users to Deploy Credential-Stealing Payloads (cybersecuritynews.com)
Fake npm Install Messages Hide RAT Malware in New Open Source Supply Chain Campaign (cybersecuritynews.com)
GhostLoader Malware Spreads Through Fake OpenClaw npm Package (socradar.io)
GhostClaw Mimic as OpenClaw to Steal Everything from Developers (cybersecuritynews.com)
Massive GitHub malware operation spreads BoryptGrab stealer (securityaffairs.com)
GhostClaw Unmasked: A Malicious npm Package Impersonating OpenClaw to Steal Everything (JFrog Security Research, research.jfrog.com)