TroyDen's Lure Factory GitHub Trojanized package campaign
Campaign
Summary
The TroyDen's Lure Factory campaign is distributing 300+ Trojanized GitHub packages, broadening supply-chain risk for developers, gamers, and the general public. One of the main lures impersonates an OpenClaw Docker deployer, while other packages masquerade as a Telegram phone tracker, Fishing Planet cheat, Roblox scripts, crypto bots, and VPN crackers. The payload is a LuaJIT-based Trojan with credential-theft and data-exfiltration capability, and two lures remained active after GitHub was notified on March 20.
Related Happenings
Deadcode09284814 malicious npm packages delivering Phantom Bot and infostealers
Malware Activity
First: 18.05.2026 11:57
Last: 18.05.2026 11:57
Sources 1
About this happening:
Four **npm** packages published by **deadcode09284814** were found delivering **information-stealing malware** and **Phantom Bot** DDoS capability, putting installers at risk of *...
OpenClaw/OpenShell managed sandbox backend Claw Chain (multiple vulnerabilities)
Vulnerability
First: 15.05.2026 16:35
Last: 15.05.2026 16:35
Sources 1
About this happening:
Researchers disclosed **four OpenClaw flaws** in the **OpenShell managed sandbox backend** that can be chained for **data theft**, **privilege escalation**, and **persistence**. T...
Mini Shai-Hulud supply-chain campaign targeting npm and PyPI
Campaign
First: 12.05.2026 17:45
Last: 12.05.2026 17:45
Sources 1
About this happening:
The **Mini Shai-Hulud** **supply-chain campaign** linked to **TeamPCP** expanded into downstream victim reporting, including **Grafana Labs**. Grafana said its **GitHub environmen...
Latest development: 21.05.2026 11:00
Grafana Labs said its GitHub environment was accessed and its codebase downloaded, with additional internal operational information taken from GitHub repositories, after compromise linked to the Mini Shai-Hulud campaign and TanStack npm packages. Grafana said it first spotted malicious activity on May 11, discovered the unauthorized download on May 17, and after contact from the ransom gang rotated automation tokens, enabled enhanced monitoring, audited commits since the May 11 incident, and hardened its GitHub security posture, while saying there is no indication customer production systems or operations were compromised.
Mini Shai-Hulud npm supply-chain malware wave
Malware Activity
First: 12.05.2026 14:07
Last: 12.05.2026 14:07
Sources 1
About this happening:
The **Sha1-Hulud** npm supply-chain campaign is a fresh **second wave** of **Shai-Hulud**-style activity that has compromised **hundreds of npm packages**. The malware runs during...
SEO-poisoned GitHub facade campaign targeting enterprise admin tools
Campaign
First: 30.04.2026 14:30
Last: 30.04.2026 14:30
Sources 1
About this happening:
A **high-resilience SEO-poisoning campaign** is pushing **malicious MSI installers** through **dual-stage GitHub facades**, raising the risk that enterprise admins and security st...
Timeline
- 24.03.2026 16:59 · 1 article · 2mo ago
Netskope notifies GitHub about malicious repositories
Mitigation Patch Update
Netskope informed GitHub on March 20, 2026 about malicious GitHub projects and related packages tied to TroyDen's Lure Factory, and two lure repositories still remained active on the platform: Fishing Planet Cheat Menu and phone-number-location-tracking-tool.
Sources:
- GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- 24.03.2026 16:59 · 2 articles · 2mo ago
Netskope identifies TroyDen's Lure Factory and its LuaJIT Trojan
Technical Analysis Update
Netskope Threat Labs identified TroyDen's Lure Factory as a widespread GitHub supply-chain campaign using more than 300 Trojanized packages to pose as an OpenClaw Docker deployer and other lures for developers, gamers, and the general public. The malicious repository used a polished README, the real upstream repository, and a github.io page to appear authentic, while the LuaJIT-based payload combined a renamed Lua runtime with an encrypted script, captured screenshots, performed victim geolocation, exfiltrated data to a Frankfurt C2 server, and included credential-theft capabilities.
Sources:
- GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59