惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Jina AI
Jina AI
V
Vulnerabilities – Threatpost
Security Latest
Security Latest
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
量子位
H
Help Net Security
Attack and Defense Labs
Attack and Defense Labs
The GitHub Blog
The GitHub Blog
L
LINUX DO - 最新话题
A
Arctic Wolf
博客园_首页
S
Securelist
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
T
Tailwind CSS Blog
Apple Machine Learning Research
Apple Machine Learning Research
酷 壳 – CoolShell
酷 壳 – CoolShell
Stack Overflow Blog
Stack Overflow Blog
N
Netflix TechBlog - Medium
Cyberwarzone
Cyberwarzone
小众软件
小众软件
T
Threatpost
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
Blog — PlanetScale
Blog — PlanetScale
N
News and Events Feed by Topic
NISL@THU
NISL@THU
Forbes - Security
Forbes - Security
博客园 - 聂微东
F
Fortinet All Blogs
Simon Willison's Weblog
Simon Willison's Weblog
H
Heimdal Security Blog
罗磊的独立博客
S
Security @ Cisco Blogs
B
Blog
T
Troy Hunt's Blog
Engineering at Meta
Engineering at Meta
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
The Hacker News
The Hacker News
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
I
Intezer
T
Threat Research - Cisco Blogs
C
Cybersecurity and Infrastructure Security Agency CISA
The Cloudflare Blog
S
Schneier on Security
月光博客
月光博客
L
LINUX DO - 热门话题
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org

Jamf Blog

Jamf Nation Live 2026 London and Berlin: AI Governance and DDM 5 Mac Security Gaps Hiding in Your Apple Fleet Classroom Management Tools and Student Learning Outcomes Mobile forensics, minutes not weeks Turn Security Signals into Action with Jamf and Amplifier Security Strengthen Jamf Zero Trust Network Access With Dedicated Internet Gateway Jamf AI Assistant Now Available: Smarter Apple Device Management and Security MacBook Neo: The New Enterprise Entry Point for Mac at Scale Boost Employee Productivity in the Enterprise with Jamf Platform Authentication and Declarative Device Management: The Future of Apple Management Automation for Small IT Teams: Save Time Managing Macs What a lower-cost MacBook Neo means for education Where Apple Meets the Enterprise: Jamf’s Interoperability Advantage for Secure, Automated Access Control Simplify access, secure your apps: why SSO matters for K-12 Inside Predator’s kernel engine RSA Conference 2026 recap: AI security, enterprise mobile security and the shift to connected security platforms ClickFix technique uses Script Editor instead of Terminal on macOS Why Mac configurations fall out of sync — and how to fix them G2 names Jamf in its 2026 Best Software Awards across three categories Empowering Mac users: How Jamf Self Service+ reduces tier one support overhead for enterprise IT teams Privacy by default, flexible when required: introducing limited privacy in Jamf Safe Internet From arrival to discharge: how iOS is reimagining the healthcare journey Federated Identity Management for K-12 Education Identity and access management in K-12 schools OpenClaw: the helpful AI that could quietly become your biggest insider threat Get Started with Scripting Series: macOS Terminal, Scripting and Jamf Pro API Managing Apple devices at Black Hat Europe with Jamf Scaling device deployments without scaling your IT team How Predator spyware defeats iOS recording indicators Making Mac work in a PC world The hidden costs of manual device provisioning Threat Actors Expand Abuse of Microsoft Visual Studio Code Mac management and security for lean IT teams Automated certificate management and device security integration The hidden risks in your mobile apps “Mac in 2026: Secure by Design Meets the Enterprise” webinar Jamf named a Unified Endpoint Management leader…again! Jamf recognized as a Leader in 2026 Gartner® Magic Quadrant™ for Endpoint Management Tools Predator’s kill switch: undocumented anti-analysis techniques in iOS spyware 2026: what to expect in tech Retail runs on iOS: Let’s take a tour through Jamf’s booth at NRF 2026 From ClickFix to code signed: the quiet shift of MacSync Stealer malware Jamf After Dark: How WorkBrew solves Homebrew security and compliance for Mac developers Managing emerging technologies: A playbook for modern IT leaders How schools can maximize learning using Apple devices and Jamf Practical intelligence: why it matters for enterprise teams Jamf Connect Q&A Jamf After Dark October recap: platform progress, identity shifts and security insights Powering managed virtualization and Windows app delivery in Mac-first enterprises FlexibleFerret malware continues to strike Managing Jamf configuration with Terraform and GitOps workflows Back to security basics: phishing Introducing the Jamf 140 Course HIMSS 2026 recap Introducing Beacon by Jamf Threat Labs Android and Jamf: manage and secure your mobile fleet Social engineering in K-12 for beginners Jamf Nation Live 2026: Hands-On Apple Expertise Across Six Cities Developer Mode-as-a-Defense: How iOS Security Features Deter Nation-State Spyware Stop chasing passwords: how school IT can reduce reset tickets Bring Your Own Key (BYOK): Take Control of Your Encryption in Jamf Cloud DarkSword iOS Exploit Kit: 3 Lessons for Mobile Security Threat Labs Jamf Training Celebrates 20 Years of Apple IT Education and Certification Balancing Safety and Learning: K-12 Content Filtering for IT Admins Why Mac security updates take too long and how to fix it Why the Jamf platform is the natural foundation for MSPs Jamf After Dark: mobile forensics Introducing the redesigned Mac threat prevention. Now available in beta.  Beyond access: rethinking the complete Apple deployment strategy for education Gain faster updates and real-time fleet visibility with DDM What the Canvas breach tells us about the state of education security Why K-12 students need web filtering that travels with their devices Jamf spotlighted in Okta Businesses at Work 2026 Report Jamf Nation Live 2026 recap MobiDash internals: ghost clicks and SSH tunnels in commercial adware Tech Partner Spotlight: Jamf + SmallStep MacBook Neo in K-12 Closing the gaps: How Jamf protects macOS and iOS with real-time threat prevention MSP engineering: The art of scoping in Jamf Pro at scale Mac in education is evolving. Jamf School makes it simple Why Apple devices deserve security built for them Seamless Learning Access: Simplicity that puts learning first Reducing IT firefighting: Fewer failed updates, less manual cleanup Apple WWDC26: Keynote recap How Jamf helps maximize your Microsoft investments MTE as a microscope WWDC26: Key takeaways for education institutions WWDC26: Key takeaways for Apple admins The JNUC 2026 session catalog is live — and the clock is ticking Jamf After Dark: Why we moved 1,900+ Apple devices back to Jamf AI governance for Mac: bringing AI under management AI Adoption Is High, Governance Is Lagging Klue Third-Party Cybersecurity Incident How Identity Automation, Claris, and Jamf Simplify Apple Workflows for Education What Is AI Governance? How Proactive Device Status Reporting Transforms Mac Fleet Visibility AI Governance on Mac: A Practical Guide for IT and Security Teams Restaurants Run on iOS: Jamf and IPORT at the NRA Show AI Governance on Mac: A Practical Guide for IT and Security Teams PamStealer: macOS Malware Posing as Clipboard Manager App
GhostClaw expands beyond npm: GitHub repositories and AI workflows deliver macOS infostealer
Jamf Threat Labs · 2026-04-11 · via Jamf Blog

Jamf Threat Labs details how the GhostClaw malware campaign uses GitHub repositories and AI-assisted development workflows to deliver credential-stealing payloads on macOS.

By Thijs Xhaflaire

Introduction

Early in March, JFrog Security Research documented a malware campaign titled GhostClaw/GhostLoader. Since the original documentation of this campaign, Jamf Threat Labs examined multiple GitHub repositories associated with this same activity, including at least eight newly identified samples.

While analyzing these repositories, we uncovered additional infrastructure and previously undocumented infection vectors, demonstrating that this campaign extends beyond the npm-based delivery mechanisms described in earlier research.

This shift in distribution broadens the infection pool beyond developers installing packages from npm to include any user or automated workflow willing to execute commands sourced from online instructions.

Initial access via malicious GitHub repositories

While prior reporting focused on malicious npm packages as the primary delivery mechanism, a parallel distribution method leveraging GitHub repositories was also taking place.

These repositories impersonate legitimate tools, including trading bots, SDKs and developer utilities, and are designed to appear credible at a glance. Several of the identified repositories have accumulated significant engagement, in some cases exceeding hundreds of stars, further reinforcing their perceived legitimacy.

In observed cases, repositories were initially populated with benign or partially functional code and remained unchanged for a period of time before malicious components were introduced. This staging likely contributes to building trust and increasing visibility prior to delivery of the malicious payload.

TradingView-Claw repository, showing 386 stars

Manual installation via README instructions

In the most straightforward cases, the repositories contain a README with step-by-step installation instructions that encourage users to execute a shell command, typically using curl to retrieve and run a remote script.

README file for the Antigravity Pack SDK

This technique relies heavily on user interaction and trust. By presenting the command as part of a standard installation workflow, the attacker bypasses traditional safeguards associated with package managers and instead executes code directly on the system.

Installation via AI-assisted workflows (OpenClaw)

In addition to these developer-focused lures is a second variant of repositories containing SKILL.md files. These repositories target Al-assisted development workflows, where coding agents automatically discover and install external "skills" from GitHub.

Scripts that install external "skills"

In these cases, the SKILL.md file itself appears benign and defines metadata such as commands, dependencies and an entry point for execution. The malicious behavior is not exposed within the manifest itself.

Instead, execution occurs during the installation phase. In order to use the skill, both developers and Al agents typically follow repository-provided setup steps, such as running install.sh or installing dependencies. These actions trigger the same execution chain observed in other variants.

This is notable because, rather than relying solely on user interaction, the attacker leverages standard installation workflows and the implicit trust placed in development tooling to execute code on behalf of the user. This is particularly relevant in AI-assisted development frameworks such as OpenClaw, where external "skills" are installed directly from repositories.

As a result, the same underlying malware can be delivered through both traditional user-driven workflows and automated agent-driven interactions.

Execution chain and multi-stage payload delivery

Regardless of the initial access method, execution across all observed variants follows a consistent multi-stage chain designed to establish execution, harvest credentials and retrieve additional payloads.

Bootstrap via install.sh

Execution begins when the user, or an automated agent, runs the provided installation command. This retrieves and executes install.sh, which serves as the initial bootstrapper.

At first glance, the script performs a series of legitimate setup tasks. It identifies the host architecture and macOS version, checks whether Node.js is already present and installs a compatible version if required. Notably, this installation occurs in a user-controlled directory, avoiding the need for elevated privileges and reducing suspicion during execution.

During this process, the script retrieves Node.js using curl with the -k (--insecure) flag:

This disables TLS certificate verification during download. While functional, this behavior is uncommon in legitimate installers and reduces transport security by allowing connections without certificate validation.

The script then invokes the next stage of the infection chain:

The GHOST_PASSWORD_ONLY environment variable controls execution behavior within setup.js. When set to 0, the script presents a full interactive installation flow, including progress indicators and user prompts.

Across analyzed variants, differences in this value were observed. In most repositories, the variable is set to 0, resulting in a branded installation experience with progress output prior to credential prompts. In at least one variant (e.g., a downloader-themed repository), the value is set to 1, which results in a simplified execution path focused on credential collection without additional user interface elements.

Finally, the script invokes:

This transitions execution from shell-based delivery into obfuscated JavaScript payloads.

Credential theft and payload retrieval (setup.js)

The setup.js javascript contains the core functionality of the malware and is heavily obfuscated to hinder analysis. Once executed, it performs a sequence of actions designed to deceive the user and collect credentials.

To reduce visibility, the script clears the terminal and displays fake progress indicators, mimicking a legitimate SDK installation process. This is followed by a credential prompt presented directly in the terminal:

Password:

Installation process indicators and password prompt in Terminal

Although this prompt appears consistent with system authentication behavior, it is generated by the script itself rather than a native macOS authentication prompt. The supplied password is then validated using:

dscl . -authonly {username} {password}

This leverages a legitimate macOS binary to validate credentials without invoking standard system authentication dialogs or frameworks. Similar techniques have been observed in credential-focused malware, including infostealers, to capture and verify user passwords.

In addition to the terminal prompt, the script can present native-looking dialogs using AppleScript:

These dialogs are designed to resemble macOS security prompts and instruct the user to grant access or provide credentials. Variants observed during analysis impersonate different applications, including developer tools and trading platforms, while maintaining consistent messaging around access to "secure wallet and credential storage."

If Full Disk Access (FDA) is not already granted, the script presents an additional AppleScript dialog that guides the user through enabling it. This dialog includes step-by-step instructions and a button that opens the relevant System Settings pane using the following command:

open x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles

This directs the user to the Privacy & Security -> Full Disk Access settings. If access is granted, the malware gains the ability to access data protected by FDA, including user application data and other sensitive system artifacts.

Once valid credentials are obtained, the script contacts a remote command-and-control (C2) server to retrieve an encrypted secondary payload. The payload is fetched from trackpipe[.]dev using a unique identifier embedded in the request path.

The response contains encrypted data, which is decrypted locally and written to disk in a temporary location using a randomized filename pattern:

/tmp/sys-opt-{random}.js

This payload aligns with GhostLoader, as documented by JFrog Security Research. It is executed as a detached process, allowing it to continue running independently of the initial script, with the captured credentials passed via environment variables. Following execution, the temporary file is removed, and the malware establishes persistence by relocating itself within user-controlled directories, including paths such as:

~/.cache/.npm_telemetry/monitor.js

The temporary file removal is handled by the initial stage, while persistence is established by the secondary payload. This location mimics legitimate npm-related activity, reducing the likelihood of user suspicion.

Secondary installation and anti-forensics (postinstall.js)

Following execution of the primary payload, postinstall.js is invoked to extend the compromise and obscure earlier activity. Observed behavior varies slightly across repositories, but maintains the same overall intent.

In several variants, the script begins by clearing the terminal, removing visible evidence of prior execution stages. It then invokes the user's shell to perform a global npm installation:

The package name antigravity corresponds to an existing npm package that was originally published over a decade ago and has not been recently updated. Installing a long-standing package with no recent development activity introduces additional ambiguity, as it resembles a legitimate dependency installation. At the same time, recent download activity associated with this package shows a noticeable increase, aligning with observed campaign activity.

Listing for the antigravity package on npm

In observed cases, the npm installation may fail with an error such as:

The installation references a non-default tag (@install) rather than a standard version or the default @latest tag. In observed cases, this tag does not resolve to an available package version.

As the terminal has already been cleared, this output is presented without context, potentially appearing as an isolated npm error rather than part of a broader execution chain.

In other variants, postinstall.js displays a benign success message to the user instead of performing additional installation steps. For example:

The output is written directly to the user's terminal, reinforcing the appearance of a successful and legitimate installation.

Infrastructure and campaign tracking

Jamf Threat Labs identified multiple GitHub repositories associated with this activity. Across seven analyzed repositories, consistent command-and-control (C2) infrastructure was observed.

All variants communicate with the same domain:

hxxps://trackpipe|.]dev

Each repository uses a distinct identifier when interacting with the C2. These identifiers are observed as UUIDs embedded within the request path. Observed identifiers associated with this activity are included in the Indicators of compromise section.

In addition to per-repository identifiers, multiple variants were observed setting a NODE_CHANNEL environment variable when launching the secondary payload. Observed values include:

Tese values are passed to the stage-two payload (GhostLoader), where they are used during subsequent communication with the C2 infrastructure. JFrog Security Research previously reported a different value (complexarchaeologist1), suggesting variation across campaign iterations.

The reuse of a single domain in combination with unique identifiers allows activity to be segmented across different repositories or lures.

Conclusion

This campaign highlights a continued shift in attacker tradecraft, where distribution methods extend beyond traditional package registries into platforms such as GitHub and emerging AI-assisted development workflows. By leveraging trusted ecosystems and standard installation practices, attackers are able to introduce malicious code into environments with minimal friction.

This trend is not isolated. In recent weeks, multiple campaigns, including Glassworm and PolinRider, have demonstrated similar use of software supply chain-style techniques to distribute malicious code at scale. Rather than targeting individual users directly, these approaches enable attackers to impact a larger number of systems through a single delivery mechanism. The use of staged repositories, combined with familiar installation workflows, increases the likelihood of execution while reducing suspicion.

Users and developers should remain cautious when executing installation commands sourced from online content, including repositories and automated tooling. Validating the origin and behavior of code prior to execution remains a critical step in reducing exposure.

Jamf Threat Labs continues to monitor this activity and track related infrastructure and variants. In the Jamf Protect console of Jamf for Mac, customers should set Threat Prevention, Advanced Threat Controls and Web Protection to Block and Report to help prevent execution of similar threats.

Indicators of compromise

Get the latest research from Jamf Threat Labs.