
OpenClaw fake installer GitHub campaign promoted by Bing AI

Campaign
H score 39
2 unique sources, 2 articles

Summary


A campaign last month used fake OpenClaw installers hosted on GitHub, together with Bing AI-promoted search results, to push malware loaders and infostealers to people trying to install the tool. The operation mattered because it turned a legitimate software search into a delivery path for credential theft and proxy malware. It affected both Windows and macOS users, which widened the reach of the lure.

Related Happenings

Fake Gemini CLI and Claude Code SEO-poisoning infostealer campaign

Campaign
First: 22.05.2026 14:30 Last: 22.05.2026 14:30 Sources 1

About this happening: **Cyber threat actors** ran a **malicious SEO-poisoning campaign** that impersonated **Google Gemini CLI** and **Anthropic Claude Code** to push malicious downloads. The operation...

SHub Reaper macOS infostealer variant

Malware Activity
First: 19.05.2026 00:42 Last: 19.05.2026 00:42 Sources 1

About this happening: The **SHub Reaper** macOS infostealer now uses **AppleScript** and a fake **Apple security update** lure to infect Macs, raising the risk of credential theft and remote access. It...

OpenClaw/OpenShell managed sandbox backend Claw Chain (multiple vulnerabilities)

Vulnerability
First: 15.05.2026 16:35 Last: 15.05.2026 16:35 Sources 1

About this happening: Researchers disclosed **four OpenClaw flaws** in the **OpenShell managed sandbox backend** that can be chained for **data theft**, **privilege escalation**, and **persistence**. T...

Fake Claude Code installation-page infostealer campaign targeting developers

Campaign
First: 11.05.2026 17:00 Last: 11.05.2026 17:00 Sources 1

About this happening: A **fake Claude Code** installer campaign is using **sponsored search results** and **operator-controlled domains** to deliver an **infostealer** to **developer workstations**, pu...

Open-OSS/privacy-filter Hugging Face infostealer activity

Malware Activity
First: 11.05.2026 10:05 Last: 11.05.2026 10:05 Sources 1

About this happening: A malicious **Hugging Face repository** called **Open-OSS/privacy-filter** impersonated **OpenAI's Privacy Filter** and delivered a **Rust-based information stealer** to **Windows...

Timeline

  1. 09.03.2026 20:31 1 article · 2mo ago

    Malicious npm package expands OpenClaw installer campaign

    Campaign Scope Update

    A malicious npm package named @openclaw-ai/openclawai, uploaded on March 3, 2026, masquerades as an OpenClaw installer and uses a postinstall hook to launch scripts/setup.js, display a fake CLI and iCloud Keychain prompt, and fetch a second-stage payload from trackpipe[.]dev. The chain installs a persistent RAT internally identified as GhostLoader and steals macOS Keychain data, browser credentials, crypto wallets, SSH keys, Apple Notes, iMessage history, Safari history, and Mail data before exfiltrating a tar.gz archive through the C2 server, Telegram Bot API, and GoFile.io.

  2. 06.03.2026 00:37 1 article · 2mo ago

    Huntress reports fake OpenClaw GitHub installers

    Initial Disclosure

    Huntress reported a campaign in which newly created GitHub repositories posing as OpenClaw installers were promoted by Microsoft Bing AI search results. The repositories steered Windows users to OpenClaw_x64.exe and macOS users to a bash command that led to Atomic Stealer. Other payloads included Rust-based malware loaders, Vidar stealer, and GhostSocks backconnect proxy malware.
