GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer
The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and use multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain executes shell commands, presents fake authentication prompts, and establishes persistence. The campaign relies on both manual installation, following instructions in a repository README, and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics lets the attackers reach a broader range of victims, including developers and users of AI-assisted coding tools.
Pulse ID: 69c10792a24c3b8eec93ad9c
Pulse Link: https://otx.alienvault.com/pulse/69c10792a24c3b8eec93ad9c
Pulse Author: AlienVault
Created: 2026-03-23 09:27:46
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #GitHub #ICS #InfoSec #InfoStealer #Mac #MacOS #Malware #NPM #OTX #OpenThreatExchange #bot #developers #AlienVault
