An AI-assisted campaign is spreading more than 300 poisoned packages for diverse assets ranging from developer tools to game cheats.
A widespread AI-assisted campaign promoting an OpenClaw Docker deployer package is spreading more than 300 Trojanized GitHub packages targeting developers and gamers alike with a data-stealing Trojan.
Identified by Netskope Threat Labs, the campaign, tracked as "TroyDen's Lure Factory," operates across multiple repositories on the developer site and includes various packages hiding behind a plethora of lures. They include software and components to enable deployment of the viral AI tool OpenClaw, another AI developer tool, a Telegram-promoted phone tracker, a Fishing Planet game cheat, Roblox scripts, crypto bots, and VPN crackers, according to a report published this week.
The common thread of these various packages is that lurking within them is a LuaJIT-based Trojan that captures screenshots, performs victim geolocation, and exfiltrates sensitive data, according to the report. Netskope Threat Labs first discovered the packages in a GitHub repository distributing a custom LuaJIT Trojan engineered to evade automated detection.
Related:Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit
"The repository impersonated a Docker deployment tool for a legitimate AI project to deploy containerized OpenClaw, using the real upstream repository, a polished README, and a github.io page to appear authentic," Netskope senior staff threat research engineer Vini Egerland wrote in the post.
In fact, attackers took great pains to make the repository look real. They list multiple contributors, including a developer with a 568-star repository of their own who was invited to collaborate during a private pre-launch phase, Egerland explained. And that developer even contributed functional code, "possibly in good faith," he wrote.
Further investigation found other packages from the same creator hosted across multiple GitHub repositories, with more than 300 confirmed poisoned packages targeting developers, gamers, and the general public simultaneously.
Netskope informed GitHub on March 20 of the malicious projects and related packages, and two of the respository lures remain active on the site: the "Fishing Planet Cheat Menu" and the "phone-number-location-tracking-tool." GitHub could not immediately be reached for comment.
Related:How AI Coding Tools Crushed the Endpoint Security Fortress
"The threat only emerges when both components execute together, resulting in five anti-analysis checks, a sleep delay of roughly 29,000 years to defeat timed sandboxes, and an immediate full-desktop screenshot exfiltrated as soon as it executes, and credential theft behaviour," Egerland wrote.
Once activated, the malware quickly exfiltrates collected data to a command-and-control (C2) server in Frankfurt. The malware also embeds credential-theft capablities, indicating potential for follow-on compromise and lateral movement, Egerland noted.
As in more threat campaigns observed recently, the attackers appear to have used AI to help them in developing the campaign. Netskope observed evidence of this in the malicious package lure names, which refer to obscure biological taxonomy, archaic Latin, and medical terminology applied systematically at scale.
Indeed, the campaign underscores a critical shift to attacker use of operational AI to build scalable, automated lure ecosystems, making a transition from isolated threats to a continuously generated, adaptive attack process, Egerland noted.
Related:Trivy Supply Chain Attack Targets CI/CD Secrets
"The result is a threat designed to pass every automated layer — individual file submission, behavioral sandbox, hash matching — and surface only when a human analyst runs everything together in context," he wrote.
Indeed, the sheer breadth of the lures used in the campaign indicates the threat actor is aiming for volume across audiences rather than precision targeting. This means that all defenders should treat any GitHub-hosted download "that pairs a renamed interpreter with an opaque data file as a high-priority triage candidate, regardless of how legitimate the surrounding repository looks," Egerland noted.
A comprehensive list of IOCs related to the campaign, including hashes, endpoint patterns, and offending GitHub accounts, is included in the report.
A widespread AI-assisted campaign promoting an OpenClaw Docker deployer package is spreading more than 300 Trojanized GitHub packages targeting developers and gamers alike with a data-stealing Trojan.
Identified by Netskope Threat Labs, the campaign, tracked as "TroyDen's Lure Factory," operates across multiple repositories on the developer site and includes various packages hiding behind a plethora of lures. They include software and components to enable deployment of the viral AI tool OpenClaw, another AI developer tool, a Telegram-promoted phone tracker, a Fishing Planet game cheat, Roblox scripts, crypto bots, and VPN crackers, according to a report published this week.
The common thread of these various packages is that lurking within them is a LuaJIT-based Trojan that captures screenshots, performs victim geolocation, and exfiltrates sensitive data, according to the report. Netskope Threat Labs first discovered the packages in a GitHub repository distributing a custom LuaJIT Trojan engineered to evade automated detection.
Related:Checkmarx KICS Code Scanner Targeted in Widening Supply Chain Hit
"The repository impersonated a Docker deployment tool for a legitimate AI project to deploy containerized OpenClaw, using the real upstream repository, a polished README, and a github.io page to appear authentic," Netskope senior staff threat research engineer Vini Egerland wrote in the post.
Using OpenClaw as a Lure
The project intends to target users seeking easy installations of the OpenClaw project, with a README "that is polished and detailed, with installation instructions for both Linux and Windows" to reinforce a false legitimacy, Egerland wrote.In fact, attackers took great pains to make the repository look real. They list multiple contributors, including a developer with a 568-star repository of their own who was invited to collaborate during a private pre-launch phase, Egerland explained. And that developer even contributed functional code, "possibly in good faith," he wrote.
Further investigation found other packages from the same creator hosted across multiple GitHub repositories, with more than 300 confirmed poisoned packages targeting developers, gamers, and the general public simultaneously.
Netskope informed GitHub on March 20 of the malicious projects and related packages, and two of the respository lures remain active on the site: the "Fishing Planet Cheat Menu" and the "phone-number-location-tracking-tool." GitHub could not immediately be reached for comment.
Payload and AI Assist
The LuaJIT payload used in the campaign uses a two-component design: a renamed Lua runtime paired with an encrypted script. Each components passes sandbox analysis when either file is submitted alone, according to Netskope.Related:How AI Coding Tools Crushed the Endpoint Security Fortress
"The threat only emerges when both components execute together, resulting in five anti-analysis checks, a sleep delay of roughly 29,000 years to defeat timed sandboxes, and an immediate full-desktop screenshot exfiltrated as soon as it executes, and credential theft behaviour," Egerland wrote.
Once activated, the malware quickly exfiltrates collected data to a command-and-control (C2) server in Frankfurt. The malware also embeds credential-theft capablities, indicating potential for follow-on compromise and lateral movement, Egerland noted.
As in more threat campaigns observed recently, the attackers appear to have used AI to help them in developing the campaign. Netskope observed evidence of this in the malicious package lure names, which refer to obscure biological taxonomy, archaic Latin, and medical terminology applied systematically at scale.
Indeed, the campaign underscores a critical shift to attacker use of operational AI to build scalable, automated lure ecosystems, making a transition from isolated threats to a continuously generated, adaptive attack process, Egerland noted.
Related:Trivy Supply Chain Attack Targets CI/CD Secrets
Automation-Busting Campaign
The campaign also represents "a purpose-built gap in the automated analysis pipeline" that requires defenders to go beyond automation to ensure the software development chain is protected, Egerland said. Indeed, the entire software supply chain is at risk if developers use a poisoned package to build legitimate software and it is not detected before the code is put into an operational environment."The result is a threat designed to pass every automated layer — individual file submission, behavioral sandbox, hash matching — and surface only when a human analyst runs everything together in context," he wrote.
Indeed, the sheer breadth of the lures used in the campaign indicates the threat actor is aiming for volume across audiences rather than precision targeting. This means that all defenders should treat any GitHub-hosted download "that pairs a renamed interpreter with an opaque data file as a high-priority triage candidate, regardless of how legitimate the surrounding repository looks," Egerland noted.
A comprehensive list of IOCs related to the campaign, including hashes, endpoint patterns, and offending GitHub accounts, is included in the report.