A sophisticated malware campaign dubbed GhostClaw is actively targeting macOS users, leveraging social engineering tactics within fake GitHub repositories and AI-assisted development workflows. The primary goal of this campaign is to steal user credentials, enabling attackers to deploy secondary malicious payloads on compromised systems. GhostClaw’s emergence in early March 2026, initially identified by JFrog Security Research as GhostClaw/GhostLoader, marked a significant development in macOS threats.
Initially distributed through malicious npm packages, the malware’s reach quickly expanded beyond developer registries into GitHub-hosted repositories. These repositories impersonated legitimate developer tools such as trading bots and software development kits, aiming to ensnare developers who routinely rely on public package sources. Jamf Threat Labs researchers later identified eight associated malware samples, confirming the campaign’s significant expansion and the discovery of previously unknown infection vectors.
GhostClaw: A Multi-Stage Threat to macOS Users Posing as Developer Tools
One notable repository associated with the GhostClaw campaign, “TradingView-Claw,” had garnered 386 GitHub stars, lending it an artificial sense of credibility among potential victims. This elevated trust facilitated the malware’s widespread distribution among unsuspecting developers and users.
The danger of GhostClaw lies in its dual infection methodology. In one attack path, repositories feature README files with detailed installation instructions. These instructions subtly prompt users to execute a shell command using `curl`, initiating the malware’s execution. This method relies on social engineering to trick users into running malicious code.
Alternatively, GhostClaw targets AI coding agents directly. It achieves this by embedding malicious code within `SKILL.md` files, which define metadata and execution commands for these AI tools. As a result, automated development processes can unknowingly trigger the infection chain, meaning a system can be compromised without any direct user interaction.
The impact of this campaign extends beyond individual developers. By infiltrating trusted ecosystems like GitHub and incorporating AI-assisted tooling, attackers can reach a vast number of systems through a single, seemingly innocuous delivery mechanism. Jamf Threat Labs has also noted connections between GhostClaw and earlier campaigns, including Glassworm and PolinRider. These related attacks employed similar software supply chain techniques, highlighting a growing trend in how attackers are scaling their malware distribution efforts.
Multi-Stage Infection and Credential Theft by GhostClaw
Regardless of the initial infection vector, GhostClaw employs a consistent multi-stage execution chain designed to harvest user credentials and establish persistence on the victim’s machine. The process commences with `install.sh`, a bootstrapper script that masquerades as a routine setup tool. This script discreetly verifies the host macOS version and architecture before silently installing a compatible version of Node.js within a user-controlled directory, circumventing the need for elevated privileges.
A particularly concerning aspect of the `install.sh` script is its use of `curl` with the `--insecure` flag. This bypasses TLS certificate verification, a behavior highly unusual for legitimate installers and a strong indicator of malicious intent. Following the bootstrapper, execution transfers to `setup.js`, a heavily obfuscated JavaScript file tasked with credential collection.
To evade detection and suspicion, the `setup.js` script clears the terminal and displays fabricated progress indicators that mimic a genuine SDK installation process. Subsequently, a credential prompt appears. The entered password is then validated using the native macOS binary `dscl` with the `-authonly` option. This technique allows the malware to confirm stolen credentials without triggering standard system authentication dialogs, making it harder for users to notice the compromise.
Should Full Disk Access not be pre-enabled, the malware presents AppleScript dialogs that closely resemble authentic macOS security prompts. These prompts guide the user through the process of granting the necessary permissions in System Settings, further masking the malicious activity. Once credentials have been collected and necessary access is secured, `setup.js` establishes communication with a command-and-control server located at `trackpipe[.]dev`. From this server, it retrieves an encrypted secondary payload, which is then written to a temporary file at `/tmp/sys-opt-{random}.js`. The temporary file is subsequently deleted, and the malware establishes its persistence by relocating itself to `~/.cache/.npm_telemetry/monitor.js`, a file path strategically chosen to blend in with normal npm activity.
Users and developers are strongly advised to exercise extreme caution when executing installation commands sourced from GitHub repositories or online guides, even if the sources appear reputable. Verifying the origin and behavior of any code prior to execution remains one of the most effective defensive measures against such threats. Security teams managing macOS environments should monitor for unexpected `dscl` usage related to credential validation and be vigilant for processes attempting to gain Full Disk Access or writing obfuscated files to temporary directories.
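The guidance above can be turned into a quick triage check. The following script is an added example, not code from the article or from Jamf or JFrog: it scans an installer script for the indicators the article reports (curl with TLS verification disabled, `dscl -authonly`, the reported C2 domain, the staging and persistence paths) and checks whether the persistence file exists for a user. Function names and grep patterns are this example's own.

```shell
#!/bin/sh
# Added example, not code from the article or from Jamf/JFrog: a defender-side triage
# script built around the GhostClaw indicators the article reports (curl with TLS
# verification disabled, dscl -authonly credential checks, the trackpipe[.]dev C2,
# the /tmp/sys-opt-*.js staging file and the ~/.cache/.npm_telemetry/monitor.js
# persistence path). Function names and grep patterns are this example's own.

# The article gives the C2 domain defanged; refang it only inside the scanner.
C2_DOMAIN=$(printf '%s' 'trackpipe[.]dev' | sed 's/\[\.\]/./g')

# scan_installer FILE: prints one line per indicator found; returns 1 if any matched.
# Run it on an install.sh before executing anything a README tells you to pipe to sh.
scan_installer() {
    f="$1"; hits=0
    # curl --insecure, or a short-option cluster ending in k, e.g. -fsSLk
    if grep -Eq 'curl[^|;]*([[:space:]]--insecure|[[:space:]]-[[:alpha:]]*k)([[:space:]]|$)' "$f"; then
        echo "indicator: curl with TLS verification disabled in $f"; hits=$((hits+1))
    fi
    if grep -Eq 'dscl[^|;]*-authonly' "$f"; then
        echo "indicator: dscl -authonly credential validation in $f"; hits=$((hits+1))
    fi
    if grep -Fq "$C2_DOMAIN" "$f"; then
        echo "indicator: reported C2 domain in $f"; hits=$((hits+1))
    fi
    if grep -Eq '/tmp/sys-opt-[^[:space:]]*\.js|\.npm_telemetry/monitor\.js' "$f"; then
        echo "indicator: reported staging or persistence path in $f"; hits=$((hits+1))
    fi
    [ "$hits" -eq 0 ]
}

# check_persistence [HOME_DIR]: returns 1 if the reported persistence file exists.
# HOME_DIR defaults to the current user's home; pass another home to sweep a fleet.
check_persistence() {
    home="${1:-$HOME}"
    p="$home/.cache/.npm_telemetry/monitor.js"
    if [ -f "$p" ]; then
        echo "indicator: persistence file present at $p"
        return 1
    fi
    return 0
}
```

A clean result from `scan_installer` only means none of these specific indicators matched; it is a pre-execution sanity check, not a substitute for reading the script.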
The ongoing evolution of GhostClaw and similar campaigns underscores the increasing sophistication of malware targeting macOS. Future developments are likely to focus on further evasion techniques and potentially broader exploitation of AI tools. Continuous monitoring and prompt patching of vulnerabilities will be crucial for defending against these evolving threats.