GhostClaw is a new malware campaign that is actively targeting macOS users through fake GitHub repositories and AI-assisted development workflows. The campaign uses social engineering that imitates real developer tools to steal user credentials and drop secondary payloads on infected systems.
After examining several GitHub repositories connected to the activity, Jamf Threat Labs researchers found eight samples that were all part of the same campaign. TradingView-Claw, a well-known repository, had 386 GitHub stars, which gave it false credibility among users and developers who didn't know better. The impact of this campaign extends beyond the developers directly targeted. By placing malicious code in trusted ecosystems like GitHub, attackers were able to reach more systems with a single delivery method.
The malware follows a sequence of steps designed to steal credentials and persist on the victim's system. Installation is the first step in the process: a bootstrapper shell script that looks like a normal setup tool but quietly installs a compatible version of Node.js. Users and developers should be extra careful when running installation commands from GitHub repositories or online guides.
Checking where code comes from and what it does before running it is still one of the best ways to protect yourself. Security teams in charge of macOS environments should watch for unexpected use of dscl to check credentials, and for processes that try to get Full Disk Access or write encrypted files to temporary folders.
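The dscl monitoring suggested above, as an added example (not from Jamf Threat Labs or the original article): a sketch that scans process-execution events for `dscl -authonly` credential checks, reports what launched them, and redacts any password on the command line. The event field names, the sample events and the severity rule (a Node.js ancestor) are assumptions constructed for illustration.

```python
import json
import shlex
from pathlib import PurePosixPath

# Constructed sample events, one JSON object per line. The field names
# (pid, ppid, path, args) are assumptions, not a real EDR schema.
SAMPLE_EVENTS = """\
{"pid": 500, "ppid": 1, "path": "/bin/bash", "args": "bash setup.sh"}
{"pid": 501, "ppid": 500, "path": "/usr/local/bin/node", "args": "node index.js"}
{"pid": 502, "ppid": 501, "path": "/usr/bin/dscl", "args": "dscl . -authonly alice example-password"}
{"pid": 600, "ppid": 1, "path": "/usr/bin/dscl", "args": "dscl . -read /Users/alice"}
{"pid": 700, "ppid": 1, "path": "/usr/bin/dscl", "args": "dscl . -authonly bob"}
"""

def find_dscl_auth_checks(jsonl):
    """Return one alert per `dscl ... -authonly` execution in the event stream."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        argv = shlex.split(e["args"])
        if PurePosixPath(e["path"]).name != "dscl" or "-authonly" not in argv:
            continue  # directory reads and other dscl verbs are not credential checks
        i = argv.index("-authonly")
        user = argv[i + 1] if i + 1 < len(argv) else None
        # Anything after the user name is a cleartext password: keep it out of alerts.
        safe = argv[: i + 2] + ["<redacted>"] * len(argv[i + 2:])
        # Walk parent links to show what launched dscl; `seen` guards against pid loops.
        chain, seen, cur = [], set(), by_pid.get(e["ppid"])
        while cur and cur["pid"] not in seen:
            seen.add(cur["pid"])
            chain.append(PurePosixPath(cur["path"]).name)
            cur = by_pid.get(cur["ppid"])
        alerts.append({
            "pid": e["pid"],
            "user": user,
            "command": " ".join(safe),
            "ancestors": chain,
            # Assumed triage rule: a Node.js ancestor matches the runtime the
            # bootstrapper installs, so rank those alerts higher.
            "severity": "high" if "node" in chain else "medium",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_dscl_auth_checks(SAMPLE_EVENTS):
        print(json.dumps(alert))
```

When the password is omitted from the command line, `dscl` prompts for it instead, so an alert with no redacted argument still represents a credential check.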












