GhostClaw AI Malware Targets macOS Users with Credential-Stealing Payloads
GhostClaw, a multi-stage macOS infostealer, now exploits both GitHub repositories and AI-assisted development workflows to steal credentials and deploy secondary payloads, significantly broadening its attack surface against users.
Jamf Threat Labs has expanded this research, uncovering at least eight additional malicious samples hosted within GitHub repositories designed to impersonate trading bots, SDKs, and developer tools.
These repositories prioritize initial trust by shipping benign or partially functional code and accumulating stars before attackers stealthily introduce the malicious components.
Jamf’s analysis reveals GhostClaw payloads are distributed via both traditional user-driven commands (copy-pasted from README files) and automated AI agent workflows, which install malicious “skills” directly sourced from GitHub.

In early March, JFrog Security Research documented GhostClaw/GhostLoader as a malicious npm-based campaign targeting macOS users via a fake OpenClaw installer.
This shift transforms standard GitHub and AI coding habits into an effective malware delivery pipeline for macOS infostealing.
GhostClaw AI Malware
Beyond developer-focused lures, GhostClaw operators maintain repositories containing SKILL.md manifests for AI-assisted frameworks like OpenClaw. Autonomous agents discover and install external “skills” from GitHub based on these manifests.

Hidden within these harmless-looking metadata files (specifying commands, dependencies, and entry points) reside malicious logic within the install scripts and JavaScript loaders.
Both developers and AI agents trigger the same malicious execution chain by following documented setup steps (e.g., running install.sh), without requiring explicit scrutiny of the underlying code. This enables GhostClaw to operate in automated environments where agents are implicitly trusted to execute shell commands, blurring the line between legitimate automation and covert compromise.

Infection begins when the install.sh script is executed (either manually or by an AI agent). This script profiles the macOS host, installs Node.js to user-controlled paths, and downloads components using curl with the insecure -k flag (bypassing TLS validation). It then launches obfuscated JavaScript via setup.js, with behavior controlled by the GHOST_PASSWORD_ONLY environment variable to choose between a full “branded” installer or a minimal credential-stealing path.
setup.js clears the terminal, mimics legitimate SDK installation, and prompts for a password via a fake terminal prompt or AppleScript dialogs resembling macOS security alerts.

Captured credentials are validated using `dscl. -authonly` and, where possible, paired with guidance to enable Full Disk Access, granting the malware visibility into browser data, application stores, and other sensitive artifacts.
Upon obtaining a valid password, GhostClaw contacts trackpipe[.]dev with a unique repository identifier, retrieves an encrypted secondary payload, decrypts it locally to `/tmp/sys-opt-{random}.js`, and executes it as a detached GhostLoader process persisting under paths mimicking npm telemetry, such as `~/.cache/.npm_telemetry/monitor.js`.
Anti-forensics and shared infrastructure
A final stage, postinstall.js, focuses on obfuscation and confusion by clearing the terminal, attempting a global npm install of the long-standing antigravity package, and surfacing either benign success messages or isolated npm errors referencing a non-existent `@install` tag.

This behavior hides the earlier malicious chain behind routine dependency management noise.
Jamf links multiple GitHub repositories and samples to a single C2 domain, trackpipe[.]dev, using distinct UUID-style paths and optional NODE_CHANNEL values (e.g., “anglmf” and “cryptoexth4”) to segment activity across different lures.
GhostClaw fits a broader software supply chain trend seen in campaigns like GlassWorm and PolinRider, which weaponize developer ecosystems and open-source repositories to distribute infostealers and token grabbers at scale.
For defenders, key mitigations include treating copy-pasted install commands and AI-suggested shell steps as untrusted input, validating repository history and maintainers, and enforcing endpoint controls such as blocking unknown scripts, monitoring `curl -k` usage, and setting advanced threat prevention to block and report similar behaviors in enterprise macOS fleets.