Analysis, infostealer, macOS, GitHub, AI agents
GhostClaw Exploits GitHub And AI Workflows
Relevance Score: 9.2
Jamf Threat Labs and JFrog researchers this month detailed GhostClaw, a multi-stage macOS infostealer that now uses GitHub repositories and AI-assisted agent workflows to harvest credentials and deploy secondary payloads. They identified at least eight malicious repositories that build trust with benign code and then introduce install scripts or SKILL.md manifests enabling automated or copy-paste infection. Defenders should treat copied installs and AI-suggested shell steps as untrusted.
Scoring Rationale
High impact due to novel AI-agent delivery and credible vendor research; scope limited mainly to macOS developer workflows.
Sources
- GhostClaw AI Malware Targets macOS Users with Credential-Stealing Payloads (gbhackers.com)



