Malware campaigns abuse developer ecosystems via malicious npm packages and GitHub repositories
Security researchers reported multiple software supply chain-style malware distribution efforts abusing developer-adjacent platforms. JFrog detailed a malicious npm package, @openclaw-ai/openclawai, masquerading as an OpenClaw CLI installer; once executed, it uses a postinstall hook to reinstall globally and drop an obfuscated first-stage (setup.js) that deploys a multi-stage payload internally identified as GhostLoader (campaign tracked as GhostClaw). The malware is designed to persist and exfiltrate a broad set of sensitive data from developer workstations, including credentials (e.g., cloud config artifacts for AWS/GCP/Azure), macOS Keychain data, browser sessions, SSH keys, and cryptocurrency wallet/seed material.
Separately, Trend Micro reported a large-scale distribution operation for the BoryptGrab information stealer via 100+ public GitHub repositories that pose as legitimate tools and game cheats. The campaign uses SEO manipulation (keyword-stuffed READMEs and lookalike download pages) to drive victims from search results into redirect chains that ultimately deliver ZIP archives containing the stealer; some variants also deploy a PyInstaller backdoor (TunnesshClient) that establishes a reverse SSH tunnel for attacker communications. Reported indicators (e.g., Russian-language comments and related infrastructure) suggest a possible Russian nexus, and the observed targeting focuses on harvesting browser data, crypto wallets, system information, and user files.
Timeline
Apr 2, 2026
Zscaler finds trojanized Claude Code leak repos on GitHub
Zscaler ThreatLabz identified GitHub repositories masquerading as leaked or rebuilt source code for Anthropic's Claude Code CLI that actually delivered a Rust-based dropper installing Vidar and GhostSocks. At least two malicious repositories remained available at the time of reporting, including one with hundreds of forks and stars, showing attackers rapidly pivoting to a new AI-themed lure.
Mar 24, 2026
Netskope exposes 300-package GitHub malware campaign using OpenClaw lure
Netskope Threat Labs identified a large GitHub malware operation, tracked as "TroyDen's Lure Factory," that used more than 300 trojanized packages impersonating OpenClaw and other lures to target developers, gamers, and general users. The campaign deployed a LuaJIT-based Trojan with anti-analysis delays, screenshot capture, credential theft, geolocation, and data exfiltration to a command-and-control server in Frankfurt.
Mar 24, 2026
ReversingLabs identifies seven-package Ghost npm campaign
ReversingLabs uncovered a malicious npm supply-chain campaign, tracked as Ghost, involving seven packages published by the user "mikilanjillo" that targeted macOS users. The packages used deceptive install flows and staged payload delivery via Telegram to steal sudo passwords, cryptocurrency wallets, and other sensitive data before deploying a stealer or remote access trojan.
Mar 20, 2026
Jamf links GhostClaw expansion to GitHub and AI workflows
Jamf Threat Labs reported that the GhostClaw campaign had expanded beyond npm to GitHub repositories and AI-assisted development workflows, using fake developer projects and staged benign content to trick users or coding agents into running installer commands. Jamf tied the repositories and samples to the same operation through shared infrastructure, campaign UUIDs, and NODE_CHANNEL values.
Mar 10, 2026
Malicious OpenClaw package removed from npm
The fake OpenClaw npm package used in the GhostClaw/GhostLoader campaign was removed from npm as a security measure after researchers identified it as malicious. This disrupted the package-based delivery vector documented by multiple reports.
Mar 8, 2026
Trend Micro reports GitHub-based BoryptGrab malware operation
Trend Micro reported a large-scale malware distribution campaign using more than 100 public GitHub repositories to spread the BoryptGrab information stealer through fake tools, cheats, and SEO-stuffed lures. The infection chains delivered BoryptGrab along with additional payloads including Vidar variants, HeaconLoad, and TunnesshClient, with artifacts suggesting possible Russian-origin operators.
Mar 8, 2026
JFrog publicly discloses GhostClaw/GhostLoader campaign
JFrog published research detailing the GhostClaw/GhostLoader operation, including its fake macOS Keychain prompt, broad credential and wallet theft, persistence mechanisms, and command-and-control features such as proxying and remote command execution. The report also provided remediation guidance including removing persistence, rotating credentials, and re-imaging affected systems if necessary.
Mar 8, 2026
JFrog discovers malicious OpenClaw npm package
JFrog Security discovered a live malicious npm package, @openclaw-ai/openclawai, on npm that impersonated an OpenClaw installer while deploying the GhostLoader/GhostClaw malware framework. The package used a postinstall hook, fake installer flow, and encrypted second-stage payload delivery from trackpipe.dev to steal credentials and establish persistence.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Organizations
Sources
5 more from sources like the hacker news, dark reading, jamf threat labs, socradar blog and cyber security news
Related Stories
Developer-Focused Supply Chain Malware via Malicious Open-Source Packages
Security researchers reported multiple **software supply chain** campaigns targeting developers through malicious packages in public repositories, aiming to steal credentials/secrets and establish persistent access that can later impact production environments. Socket disclosed a campaign dubbed **StegaBin** involving **26 malicious npm packages** published over a two-day window that used a Pastebin “dead-drop” with **character-level steganography** to conceal C2 details, then resolved additional infrastructure across **31 Vercel deployments** to deliver platform-specific shell payloads that install a RAT and a **nine-module infostealer** targeting VSCode data, SSH keys, git repositories, browser credential stores, clipboard contents, and other local secrets. Socket assessed the tradecraft as consistent with activity previously attributed to **North Korea-aligned FAMOUS CHOLLIMA (Lazarus-linked)** and noted rapid detection of the packages shortly after publication. Separately, reporting highlighted **four malicious NuGet packages**—`NCryptYo`, `DOMOAuth2_`, `IRAOAuth2.0`, and `SimpleWriter_`—that targeted **ASP.NET** developers by exfiltrating **ASP.NET Identity** data (users/roles/permissions) and enabling backdoors; the packages were published in August 2024, accumulated **4,500+ downloads**, and were later removed. In that campaign, `NCryptYo` functioned as a dropper and proxy to an attacker-controlled C2, while `DOMOAuth2_` and `IRAOAuth2.0` handled data theft and backdoor rule delivery, and `SimpleWriter_` enabled file writing and hidden process execution while masquerading as a PDF utility. Other items in the set described unrelated C2 tooling trends (a Polygon blockchain-based botnet loader and the Vshell C2 framework) and do not describe the same package-repository supply chain incidents.
2 days ago
Malvertising and Supply-Chain Lures Impersonate AI Developer Tools to Deliver Infostealers and RATs
Threat actors are abusing interest in AI developer tools by impersonating installers and setup guides to trick users into executing malware. Fake installation-guide pages for Anthropic’s **Claude Code** were promoted via **Google Ads** to rank highly for searches like “Claude Code install/CLI,” leading Windows and macOS users to run copy-pasted commands in an **InstallFix** campaign (a variant of **ClickFix**) that ultimately deployed **Amatera** (an **ACR Stealer**-based MaaS infostealer). Push Security reported the malware steals browser-stored credentials, cookies, session tokens, and system information, and the infrastructure used legitimate hosting/CDN services (e.g., *Squarespace*, *Cloudflare Pages*, *Tencent EdgeOne*) to reduce suspicion. In a related AI-tool impersonation theme, JFrog identified a malicious **npm** package, `@openclaw-ai/openclawai`, posing as an **OpenClaw** installer that targets macOS users to steal credentials and establish persistent remote access. The package uses a `postinstall` hook to reinstall itself globally and registers a CLI via the `bin` field pointing to `scripts/setup.js`, which presents a fake installer UI and then prompts for the user’s system password via a bogus Keychain/iCloud authorization flow. The malware (self-identified as **GhostLoader**) was reported to collect browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also deploying a **RAT** with **SOCKS5 proxy** capability and “live browser session cloning,” indicating a blend of credential theft and long-term access objectives.
1 months ago
GitHub Repository Hijacks Used to Distribute Malware to Developers
Researchers reported active **software supply chain attacks** in which legitimate GitHub accounts and repositories were compromised and then used to distribute malware to developers. In one case, the verified **dev-protocol** GitHub organization was hijacked and repurposed to host polished **Polymarket** trading-bot repositories that secretly pulled typosquatted npm dependencies. Running the project exfiltrated `.env` contents including wallet private keys to attacker-controlled infrastructure, performed host fingerprinting, and modified firewall settings to expose SSH access; victims were advised to rotate wallet and API secrets and inspect `~/.ssh/authorized_keys` for persistence. A separate but related GitHub-focused campaign, dubbed **ForceMemo**, involved takeover of developer accounts and force-pushes to hundreds of Python repositories so that malicious code was appended to files such as `setup.py`, `main.py`, and `app.py` while preserving original commit metadata. Anyone installing directly from those repos could trigger the payload, and the activity affected projects ranging from Django applications to ML and Streamlit code. A report on malicious npm packages posing as a Roblox *Solara* executor was excluded because it describes a different npm ecosystem campaign centered on **Cipher stealer**, not the GitHub account and repository hijacks used in the other incidents.
1 months ago