GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer
The GhostClaw malware campaign has expanded its distribution methods beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers impersonate legitimate tools and utilize multi-stage payloads to steal credentials and retrieve additional malicious code. The infection chain involves executing shell commands, presenting fake authentication prompts, and establishing persistence. The campaign leverages both manual installation through README instructions and automated AI-assisted workflows. Multiple GitHub repositories have been identified, all communicating with a common command-and-control infrastructure. This shift in tactics allows the attackers to target a broader range of victims, including developers and users of AI-assisted coding tools.
AI Analysis
Technical Summary
GhostClaw is a macOS infostealer malware campaign that has recently expanded its distribution vectors beyond npm packages to include GitHub repositories and AI-assisted development workflows. The attackers behind GhostClaw impersonate legitimate developer tools and repositories to trick victims into executing multi-stage payloads. The infection chain typically involves executing shell commands to download and run malicious components, presenting fake authentication dialogs to harvest credentials, and establishing persistence mechanisms to maintain long-term access. The campaign leverages both manual installation via README instructions and automated AI-assisted workflows, increasing the likelihood of infection among developers and users of AI coding tools. Multiple GitHub repositories have been identified as distribution points, all linking back to a common command-and-control (C2) infrastructure, enabling remote control and additional payload delivery. The malware employs obfuscation and evasion techniques such as masquerading as legitimate software, multi-stage payloads, and persistence via system modifications. While no CVEs or known exploits have been reported, the campaign represents a sophisticated supply chain attack targeting macOS environments. The use of AI-assisted workflows as a distribution vector is a novel tactic that broadens the attack surface and complicates detection. Indicators of compromise include specific file hashes and the domain trackpipe.dev used for C2 communications. The campaign’s tactics align with MITRE ATT&CK techniques such as T1204.002 (User Execution), T1036 (Masquerading), T1064 (Scripting), T1528 (Steal Credentials), T1547.001 (Persistence via Launch Agents), T1056.002 (Credential API Hooking), T1059.004 (Command and Scripting Interpreter: AppleScript), T1027 (Obfuscated Files or Information), T1102.002 (Web Service), and T1105 (Ingress Tool Transfer).
Potential Impact
This threat poses significant risks to organizations and individual developers using macOS systems, especially those involved in software development and AI-assisted coding workflows. Credential theft can lead to unauthorized access to sensitive systems, source code repositories, and internal networks, potentially resulting in intellectual property theft, data breaches, and further malware deployment. The use of GitHub repositories and AI workflows as infection vectors increases the likelihood of supply chain compromise, affecting a wide range of victims including enterprises relying on open-source tools and AI-assisted development environments. Persistence mechanisms enable long-term access, increasing the risk of espionage and data exfiltration. The campaign’s ability to impersonate legitimate tools and use social engineering tactics complicates detection and response efforts. Although no known exploits are reported in the wild yet, the evolving tactics suggest a growing threat that could impact software supply chains and developer ecosystems globally. Organizations may face reputational damage, operational disruption, and financial losses if infected systems are used as launch points for broader attacks.
Mitigation Recommendations
Organizations should:
- Implement strict code and dependency vetting processes, especially for software sourced from GitHub and AI-assisted development tools.
- Employ endpoint detection and response (EDR) solutions capable of monitoring for suspicious shell command executions, fake authentication prompts, and persistence mechanisms typical of macOS malware.
- Enforce the principle of least privilege to limit the impact of credential theft and restrict the ability to execute unauthorized scripts or install software.
- Regularly audit and monitor GitHub repositories and AI workflow configurations for unauthorized or suspicious changes.
- Use multi-factor authentication (MFA) to reduce the risk of credential misuse.
- Educate developers and users about the risks of following unverified installation instructions and the dangers of executing unknown scripts.
- Implement network segmentation and monitor outbound traffic for connections to known malicious domains such as trackpipe.dev.
- Employ threat intelligence feeds to update detection rules with the identified file hashes and indicators of compromise.
- Maintain up-to-date backups and incident response plans tailored to macOS environments to enable rapid recovery in case of infection.
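The hash-matching, outbound-domain monitoring and Launch Agent review recommended above, carried out in one script. This is an added example, not code from the Jamf write-up or the AlienVault pulse: the SHA-256 set and the C2 domain are copied from the Indicators of Compromise list on this page; the log line format, the sample Launch Agent plist (label com.example.updater) and the interpreter-based triage heuristic are constructed for illustration and are assumptions, not signatures from the report.

```python
"""IoC sweep for the GhostClaw indicators listed on this page (added example)."""
import hashlib
import os
import plistlib
import re
import tempfile

# SHA-256 indicators copied from the page's Indicators of Compromise list.
IOC_SHA256 = {
    "189b8419863830f2732324a0e02e71721ec550ffa606f9dc719f935db5d25821",
    "3ab0bcc8ff821bd6ba0e5fdbb992836922a67524f8284d69324f61e651981040",
    "3c2fa99741e71436eb7f52fcf382bb92425104bd63f82d0bd0111caf2c8b91b4",
    "43dc96bde2d5214ea3e93c1d9f62da54c260587e0b5bd366bb55ab615262384e",
    "593aa8051b146e7b1effd90708210ccac3527076e2b5b5068216553a5557396d",
    "72bc4f82786e23f067d8731dac2b51c033f49ceceab0a64065a160cdff54f488",
    "8da42291c7c8ad4d7b174367c7b59e6cf57804f659490947957212d16dfcfe16",
    "946206d42497ea54a4df3f3fed262a99632672e99b02abcc7a9aff0f677efba8",
    "a80f2f5ba53bd19c35af5eed763fbaf9f00487bb4df0997651af861ef157ccea",
    "ad23c83bbcd2e2ed7ba3338b723f3a36ef7a6866672395a04fdb8fbd1bf68a90",
    "b04cdafdaa9220ab819f33790f014fd84a10f3908e3d7e97a652fa0d76f40c2f",
    "baaa13491ddaba1fc8eb5a3e7848fb1e33f6f1f5b19b5efb0d433ab09e38a1f0",
    "df8bc4bf6f312a914fa82e56dab59ceb0b2066830696ea7457067f7d446518eb",
    "e3ee5909f908b489a93702709fae038f0b3c864b155013a9ad7d590f1eec7fe4",
    "ec8d3b922db1cf3a82141a53a472538d10563860dfb93259e99d0aec3661734c",
    "ee968f51f1b2c0d9fcdacfd6aa9ef24cc6212118464093e67f1fdaa1144e15b1",
}
C2_DOMAIN = "trackpipe.dev"  # C2 domain from the page's IoC list

# Matches the domain itself or any subdomain, but not lookalikes such as
# "nottrackpipe.dev" or "trackpipe.dev.example.com". A trailing dot (FQDN form
# in DNS logs) is accepted.
_C2_RE = re.compile(
    r"\b(?:[\w-]+\.)*" + re.escape(C2_DOMAIN) + r"\.?(?![\w-]|\.[\w-])",
    re.IGNORECASE,
)

# Heuristic, not from the report: a Launch Agent whose first argument is a
# script interpreter or downloader is worth a manual look.
INTERPRETERS = {"sh", "bash", "zsh", "osascript", "curl", "python3", "node"}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_tree(root):
    """Return [(path, sha256)] for every readable file under root whose hash is an IoC."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # unreadable or vanished file; skip rather than abort the sweep
            if digest in IOC_SHA256:
                hits.append((path, digest))
    return hits


def find_c2_connections(log_lines):
    """Return the log lines that reference the C2 domain or one of its subdomains."""
    return [line for line in log_lines if _C2_RE.search(line)]


def launch_agent_findings(plist_bytes):
    """Parse a LaunchAgent plist and return (label, [finding, ...]) for triage."""
    info = plistlib.loads(plist_bytes)
    args = info.get("ProgramArguments") or [info.get("Program", "")]
    exe = os.path.basename(str(args[0])) if args and args[0] else ""
    findings = []
    if exe in INTERPRETERS:
        findings.append(f"runs interpreter {exe!r} with arguments {args[1:]}")
    if info.get("RunAtLoad"):
        findings.append("RunAtLoad is set (starts at every login)")
    return info.get("Label", "?"), findings


# Constructed sample inputs (not taken from the report).
SAMPLE_LOG = [
    "2026-03-23T09:45:51Z dns query A cdn.trackpipe.dev from 10.0.0.12",
    "2026-03-23T09:46:02Z dns query A registry.npmjs.org from 10.0.0.12",
    "2026-03-23T09:46:10Z proxy CONNECT trackpipe.dev:443 from 10.0.0.12",
]
SAMPLE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array><string>/bin/sh</string><string>-c</string><string>/tmp/.update.sh</string></array>
<key>RunAtLoad</key><true/>
</dict></plist>"""


def demo_scan():
    """Hash a benign constructed file in a temp dir; returns (iOC hits, its digest)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "benign.txt")
        with open(path, "wb") as f:
            f.write(b"hello")
        return scan_tree(d), sha256_file(path)


if __name__ == "__main__":
    print("C2 references:", find_c2_connections(SAMPLE_LOG))
    print("Launch Agent:", launch_agent_findings(SAMPLE_AGENT))
    print("Benign tree:", demo_scan())
```

Point `scan_tree` at `node_modules`, a cloned repository or the user's Downloads folder, feed `find_c2_connections` exported DNS or proxy logs, and run `launch_agent_findings` over each file in `~/Library/LaunchAgents` to review persistence entries; the interpreter heuristic will also flag legitimate agents, so treat its output as a triage list rather than a verdict.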
Affected Countries
United States, Canada, United Kingdom, Germany, France, Australia, Japan, South Korea, India, China
Indicators of Compromise
- hash: 189b8419863830f2732324a0e02e71721ec550ffa606f9dc719f935db5d25821
- hash: 3ab0bcc8ff821bd6ba0e5fdbb992836922a67524f8284d69324f61e651981040
- hash: 3c2fa99741e71436eb7f52fcf382bb92425104bd63f82d0bd0111caf2c8b91b4
- hash: 43dc96bde2d5214ea3e93c1d9f62da54c260587e0b5bd366bb55ab615262384e
- hash: 593aa8051b146e7b1effd90708210ccac3527076e2b5b5068216553a5557396d
- hash: 72bc4f82786e23f067d8731dac2b51c033f49ceceab0a64065a160cdff54f488
- hash: 8da42291c7c8ad4d7b174367c7b59e6cf57804f659490947957212d16dfcfe16
- hash: 946206d42497ea54a4df3f3fed262a99632672e99b02abcc7a9aff0f677efba8
- hash: a80f2f5ba53bd19c35af5eed763fbaf9f00487bb4df0997651af861ef157ccea
- hash: ad23c83bbcd2e2ed7ba3338b723f3a36ef7a6866672395a04fdb8fbd1bf68a90
- hash: b04cdafdaa9220ab819f33790f014fd84a10f3908e3d7e97a652fa0d76f40c2f
- hash: baaa13491ddaba1fc8eb5a3e7848fb1e33f6f1f5b19b5efb0d433ab09e38a1f0
- hash: df8bc4bf6f312a914fa82e56dab59ceb0b2066830696ea7457067f7d446518eb
- hash: e3ee5909f908b489a93702709fae038f0b3c864b155013a9ad7d590f1eec7fe4
- hash: ec8d3b922db1cf3a82141a53a472538d10563860dfb93259e99d0aec3661734c
- hash: ee968f51f1b2c0d9fcdacfd6aa9ef24cc6212118464093e67f1fdaa1144e15b1
- domain: trackpipe.dev
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.jamf.com/blog/ghostclaw-ghostloader-malware-github-repositories-ai-workflows/
- Adversary: GhostClaw
- Pulse Id: 69c10792a24c3b8eec93ad9c
- Threat Score: null
Threat ID: 69c10bcff4197a8e3b33b87d
Added to database: 3/23/2026, 9:45:51 AM
Last enriched: 3/23/2026, 10:01:19 AM
Last updated: 3/24/2026, 5:39:26 AM