
GhostClaw Malware Takes Advantage of Developers’ GitHub Habits to Target Mac Users

A new bit of macOS malware called GhostClaw takes advantage of developers’ GitHub habits to spread across GitHub and AI developer tools, reports The Mac Observer.

Instead of using the usual software exploits, the information stealer hides inside fake software development kits, trading tools, and utility repositories. It takes advantage of how developers often copy setup commands directly from a project’s documentation by making the malicious code appear to be a standard software installation step.

How GhostClaw Steals Information

Once a developer runs a contaminated install command, the malware quietly downloads a remote script in the background. While the script doesn’t attack the core of the Mac system, it triggers fake password prompts that look exactly like standard Apple security pop-ups. When an unsuspecting user types in their login credentials, GhostClaw steals that information.

The problem is compounded when automated AI coding assistants are in the mix. These tools often bypass human review completely, automatically fetching and executing external code blocks.

How to Protect Yourself Against GhostClaw

Developers and users can block this threat by being a bit more persnickety when using GitHub. Never copy and run any command that pipes straight into your terminal without reading it first. Download and check all scripts yourself. Also, be sure to examine a GitHub repository’s history. Be wary of any sudden changes to setup instructions or any suspicious gaps in updates. Last but not least, avoid giving system permissions unless you are sure about the tool asking for them, and limit what your automated coding extensions can run autonomously.
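One way to apply the "read it first" advice before a human or a coding assistant runs anything is to scan a repository's setup documentation for install commands that fetch a remote script and hand it straight to an interpreter. The following is an added example, not code from the article or from any tool it mentions; it goes beyond the plain pipe form to cover command and process substitution, and the interpreter list, pattern names and the `example.invalid` host are assumptions made for illustration.

```python
import re

# Heuristic, non-exhaustive lists (assumptions for this example).
FETCH = r"(?:curl|wget)\b"
SHELL = r"(?:sudo\s+)?(?:bash|zsh|dash|ksh|sh|python3?|perl|ruby)\b"

PATTERNS = {
    # curl ... | sh   (a single pipe, not the || operator)
    "pipe": re.compile(rf"{FETCH}.*(?<!\|)\|(?!\|)\s*{SHELL}"),
    # bash -c "$(curl ...)"  or  eval "$(curl ...)"
    "command-substitution": re.compile(
        rf"(?:eval|{SHELL}\s+-c)\s+[\"']?\$\(\s*{FETCH}"),
    # bash <(curl ...)
    "process-substitution": re.compile(rf"{SHELL}\s+<\(\s*{FETCH}"),
}

def logical_lines(text):
    """Yield (first_line_number, command) with backslash continuations joined."""
    buf, start = "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        if not buf:
            start = n
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        yield start, buf + raw
        buf = ""
    if buf:
        yield start, buf

def scan(text):
    """Return (line_number, kind, command) for each fetch-and-execute command."""
    hits = []
    for n, line in logical_lines(text):
        for kind, rx in PATTERNS.items():
            if rx.search(line):
                hits.append((n, kind, line.strip()))
                break
    return hits

# Constructed sample README; the last two lines show the download-then-read form.
SAMPLE_README = """\
## Install
    brew install jq
    curl -fsSL https://example.invalid/install.sh | bash
    /bin/bash -c "$(curl -fsSL https://example.invalid/setup.sh)"
    curl -fsSL https://example.invalid/tool.sh \\
      | sudo sh
    curl -fsSLo install.sh https://example.invalid/install.sh
    less install.sh
"""

if __name__ == "__main__":
    for n, kind, cmd in scan(SAMPLE_README):
        print(f"line {n}: {kind}: {cmd}")
```

A hit means "read the fetched script before running it", not "this repository is malicious"; many legitimate projects document the same install pattern.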