Malware campaigns abuse developer ecosystems via malicious npm packages and GitHub repositories
Security researchers reported multiple software supply chain-style malware distribution efforts abusing developer-adjacent platforms. JFrog detailed a malicious npm package, @openclaw-ai/openclawai, masquerading as an OpenClaw CLI installer; once executed, it uses a postinstall hook to reinstall globally and drop an obfuscated first-stage (setup.js) that deploys a multi-stage payload internally identified as GhostLoader (campaign tracked as GhostClaw). The malware is designed to persist and exfiltrate a broad set of sensitive data from developer workstations, including credentials (e.g., cloud config artifacts for AWS/GCP/Azure), macOS Keychain data, browser sessions, SSH keys, and cryptocurrency wallet/seed material.
Separately, Trend Micro reported a large-scale distribution operation for the BoryptGrab information stealer via 100+ public GitHub repositories that pose as legitimate tools and game cheats. The campaign uses SEO manipulation (keyword-stuffed READMEs and lookalike download pages) to drive victims from search results into redirect chains that ultimately deliver ZIP archives containing the stealer; some variants also deploy a PyInstaller backdoor (TunnesshClient) that establishes a reverse SSH tunnel for attacker communications. Reported indicators (e.g., Russian-language comments and related infrastructure) suggest a possible Russian nexus, and the observed targeting focuses on harvesting browser data, crypto wallets, system information, and user files.
Related Entities
Organizations
Affected Products
Sources
Related Stories
Developer-Focused Supply Chain Malware via Malicious Open-Source Packages
Security researchers reported multiple **software supply chain** campaigns targeting developers through malicious packages in public repositories, aiming to steal credentials/secrets and establish persistent access that can later impact production environments. Socket disclosed a campaign dubbed **StegaBin** involving **26 malicious npm packages** published over a two-day window that used a Pastebin “dead-drop” with **character-level steganography** to conceal C2 details, then resolved additional infrastructure across **31 Vercel deployments** to deliver platform-specific shell payloads that install a RAT and a **nine-module infostealer** targeting VSCode data, SSH keys, git repositories, browser credential stores, clipboard contents, and other local secrets. Socket assessed the tradecraft as consistent with activity previously attributed to **North Korea-aligned FAMOUS CHOLLIMA (Lazarus-linked)** and noted rapid detection of the packages shortly after publication. Separately, reporting highlighted **four malicious NuGet packages**—`NCryptYo`, `DOMOAuth2_`, `IRAOAuth2.0`, and `SimpleWriter_`—that targeted **ASP.NET** developers by exfiltrating **ASP.NET Identity** data (users/roles/permissions) and enabling backdoors; the packages were published in August 2024, accumulated **4,500+ downloads**, and were later removed. In that campaign, `NCryptYo` functioned as a dropper and proxy to an attacker-controlled C2, while `DOMOAuth2_` and `IRAOAuth2.0` handled data theft and backdoor rule delivery, and `SimpleWriter_` enabled file writing and hidden process execution while masquerading as a PDF utility. Other items in the set described unrelated C2 tooling trends (a Polygon blockchain-based botnet loader and the Vshell C2 framework) and do not describe the same package-repository supply chain incidents.
1 weeks ago
Malvertising and Supply-Chain Lures Impersonate AI Developer Tools to Deliver Infostealers and RATs
Threat actors are abusing interest in AI developer tools by impersonating installers and setup guides to trick users into executing malware. Fake installation-guide pages for Anthropic’s **Claude Code** were promoted via **Google Ads** to rank highly for searches like “Claude Code install/CLI,” leading Windows and macOS users to run copy-pasted commands in an **InstallFix** campaign (a variant of **ClickFix**) that ultimately deployed **Amatera** (an **ACR Stealer**-based MaaS infostealer). Push Security reported the malware steals browser-stored credentials, cookies, session tokens, and system information, and the infrastructure used legitimate hosting/CDN services (e.g., *Squarespace*, *Cloudflare Pages*, *Tencent EdgeOne*) to reduce suspicion. In a related AI-tool impersonation theme, JFrog identified a malicious **npm** package, `@openclaw-ai/openclawai`, posing as an **OpenClaw** installer that targets macOS users to steal credentials and establish persistent remote access. The package uses a `postinstall` hook to reinstall itself globally and registers a CLI via the `bin` field pointing to `scripts/setup.js`, which presents a fake installer UI and then prompts for the user’s system password via a bogus Keychain/iCloud authorization flow. The malware (self-identified as **GhostLoader**) was reported to collect browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also deploying a **RAT** with **SOCKS5 proxy** capability and “live browser session cloning,” indicating a blend of credential theft and long-term access objectives.
1 weeks ago
GitHub Repository Hijacks Used to Distribute Malware to Developers
Researchers reported active **software supply chain attacks** in which legitimate GitHub accounts and repositories were compromised and then used to distribute malware to developers. In one case, the verified **dev-protocol** GitHub organization was hijacked and repurposed to host polished **Polymarket** trading-bot repositories that secretly pulled typosquatted npm dependencies. Running the project exfiltrated `.env` contents including wallet private keys to attacker-controlled infrastructure, performed host fingerprinting, and modified firewall settings to expose SSH access; victims were advised to rotate wallet and API secrets and inspect `~/.ssh/authorized_keys` for persistence. A separate but related GitHub-focused campaign, dubbed **ForceMemo**, involved takeover of developer accounts and force-pushes to hundreds of Python repositories so that malicious code was appended to files such as `setup.py`, `main.py`, and `app.py` while preserving original commit metadata. Anyone installing directly from those repos could trigger the payload, and the activity affected projects ranging from Django applications to ML and Streamlit code. A report on malicious npm packages posing as a Roblox *Solara* executor was excluded because it describes a different npm ecosystem campaign centered on **Cipher stealer**, not the GitHub account and repository hijacks used in the other incidents.
Yesterday