Find notable cyber news and cases, enriched with sources, timelines, and signals.

OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
First reported
Last updated
Happening score
H score 36
2 unique sources, 2 articles

Summary

Hide ▲

A last month campaign used fake OpenClaw installers on GitHub and Bing AI-promoted search results to push malware loaders and infostealers to people trying to install the tool. The operation mattered because it turned a legitimate software search into a delivery path for credential theft and proxy malware. It also affected both Windows and macOS users, widening the reach of the malicious lure.

Related Happenings

MacOS.Gaslight prompt-injection technique aimed at AI-assisted triage

Technical Analysis
H score23 First: 24.06.2026 17:00 Last: 24.06.2026 17:00 Sources 1

About this happening: **macOS.Gaslight** is a **Rust-based macOS implant and information stealer** assessed with high confidence as the work of **North Korea-aligned threat actors**. The sample uses **...

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

JustAskJacky fake AI assistant malware campaign

Campaign
H score33 First: 04.06.2026 17:00 Last: 04.06.2026 17:00 Sources 1

About this happening: The **JustAskJacky** campaign is distributing a fake **AI assistant** that installs a **backdoor**, turning trusted-looking software into a malware delivery path. The operation us...

DriveSurge large-scale website-hijack malware distribution campaign

Campaign
H score41 First: 02.06.2026 01:14 Last: 02.06.2026 01:14 Sources 1

About this happening: The **DriveSurge** campaign is redirecting visitors from **thousands of compromised websites** to **malware-delivery infrastructure**, creating a broad infection path through **Cl...

Openew[.]app cloaked malware download portal

Malware Activity
H score26 First: 29.05.2026 21:21 Last: 29.05.2026 21:21 Sources 1

About this happening: The **openew[.]app** malware-delivery activity now also uses **legitimate ChatGPT shared pages** as the first lure, with **Google ads** and **SEO poisoning** sending victims to a...

Timeline

  1. 09.03.2026 20:31 1 articles · 4mo ago

    Malicious npm package expands OpenClaw installer campaign

    Campaign Scope Update

    A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

    Show sources
  2. 06.03.2026 00:37 1 articles · 4mo ago

    Huntress reports fake OpenClaw GitHub installers

    Initial Disclosure

    Huntress reported a campaign in which newly created GitHub repositories posing as OpenClaw installers were promoted by Microsoft Bing AI search results, steering Windows users to OpenClaw_x64.exe and macOS users to a bash command that led to Atomic Stealer, while other payloads included Rust-based malware loaders, Vidar stealer, and GhostSocks backconnect proxy malware.

    Show sources