Dark Reading
GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead
An AI-assisted campaign is spreading more than 300 poisoned packages for diverse assets ranging from developer tools to game cheats.
Elizabeth Montalbano, Contributing Writer
March 24, 2026
4 Min Read
A widespread AI-assisted campaign promoting an OpenClaw Docker deployer package is spreading more than 300 Trojanized GitHub packages targeting developers and gamers alike with a data-stealing Trojan.
Identified by Netskope Threat Labs, the campaign, tracked as "TroyDen's Lure Factory," operates across multiple repositories on the developer site and includes various packages hiding behind a plethora of lures. They include software and components to enable deployment of the viral AI tool OpenClaw, another AI developer tool, a Telegram-promoted phone tracker, a Fishing Planet game cheat, Roblox scripts, crypto bots, and VPN crackers, according to a report published this week.
The common thread of these various packages is that lurking within them is a LuaJIT-based Trojan that captures screenshots, performs victim geolocation, and exfiltrates sensitive data, according to the report. Netskope Threat Labs first discovered the packages in a GitHub repository distributing a custom LuaJIT Trojan engineered to evade automated detection.
"The repository impersonated a Docker deployment tool for a legitimate AI project to deploy containerized OpenClaw, using the real upstream repository, a polished README, and a github.io page to appear authentic," Netskope senior staff threat research engineer Vini Egerland wrote in the post.
Using OpenClaw as a Lure
The project intends to target users seeking easy installations of the OpenClaw project, with a README "that is polished and detailed, with installation instructions for both Linux and Windows" to reinforce a false legitimacy, Egerland wrote.
In fact, attackers took great pains to make the repository look real. They list multiple contributors, including a developer with a 568-star repository of their own who was invited to collaborate during a private pre-launch phase, Egerland explained. And that developer even contributed functional code, "possibly in good faith," he wrote.
Further investigation found other packages from the same creator hosted across multiple GitHub repositories, with more than 300 confirmed poisoned packages targeting developers, gamers, and the general public simultaneously.
Netskope informed GitHub on March 20 of the malicious projects and related packages, and two of the repository lures remain active on the site: the "Fishing Planet Cheat Menu" and the "phone-number-location-tracking-tool." GitHub could not immediately be reached for comment.
Payload and AI Assist
The LuaJIT payload used in the campaign uses a two-component design: a renamed Lua runtime paired with an encrypted script. Each component passes sandbox analysis when either file is submitted alone, according to Netskope.
"The threat only emerges when both components execute together, resulting in five anti-analysis checks, a sleep delay of roughly 29,000 years to defeat timed sandboxes, an immediate full-desktop screenshot exfiltrated as soon as it executes, and credential theft behaviour," Egerland wrote.
Once activated, the malware quickly exfiltrates collected data to a command-and-control (C2) server in Frankfurt. The malware also embeds credential-theft capabilities, indicating potential for follow-on compromise and lateral movement, Egerland noted.
As in many threat campaigns observed recently, the attackers appear to have used AI to help them develop the campaign. Netskope observed evidence of this in the malicious package lure names, which draw on obscure biological taxonomy, archaic Latin, and medical terminology applied systematically at scale.
Indeed, the campaign underscores a critical shift to attacker use of operational AI to build scalable, automated lure ecosystems, making a transition from isolated threats to a continuously generated, adaptive attack process, Egerland noted.
Automation-Busting Campaign
The campaign also represents "a purpose-built gap in the automated analysis pipeline" that requires defenders to go beyond automation to ensure the software development chain is protected, Egerland said. Indeed, the entire software supply chain is at risk if developers use a poisoned package to build legitimate software and it is not detected before the code is put into an operational environment.
"The result is a threat designed to pass every automated layer — individual file submission, behavioral sandbox, hash matching — and surface only when a human analyst runs everything together in context," he wrote.
Indeed, the sheer breadth of the lures used in the campaign indicates the threat actor is aiming for volume across audiences rather than precision targeting. This means that all defenders should treat any GitHub-hosted download "that pairs a renamed interpreter with an opaque data file as a high-priority triage candidate, regardless of how legitimate the surrounding repository looks," Egerland noted.
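The triage rule Egerland describes (a renamed interpreter sitting next to an opaque data file, matching the two-component design of the LuaJIT payload) is simple enough to automate as a first-pass filter on a cloned repository or unpacked download. The script below is an added example written for this page, not Netskope's tooling or anything from the report: it walks a directory, flags PE/ELF files that carry well-known Lua/LuaJIT runtime strings but do not use a conventional interpreter filename, and pairs each with sibling files that have no recognisable header and high byte entropy. The marker strings, the allow-list of "expected" interpreter names, and the sample directory it builds are constructed assumptions for illustration, so tune them against your own corpus before relying on the output.

```python
"""Triage heuristic: renamed Lua/LuaJIT interpreter paired with an opaque data file.

Added example (not code from the article or from Netskope). Flags candidate
pairs for a human analyst; it is a filter, not a verdict.
"""
import math
import os
import re
import tempfile
from collections import Counter

# Assumed indicator strings found in Lua/LuaJIT runtime binaries (Lua C API
# symbol names and version banners). Constructed for the example; extend as needed.
LUA_MARKERS = (b"luaJIT", b"LuaJIT", b"lua_pcall", b"luaL_newstate", b"Lua 5.")

# Filenames under which a Lua runtime is normally shipped (assumed allow-list).
EXPECTED_LUA_NAMES = re.compile(r"^lua(jit)?[\d.]*(\.exe)?$", re.IGNORECASE)

# Headers of common file types; a file starting with one of these is not "opaque".
# \x1bLua and \x1bLJ are the magic bytes of compiled Lua and LuaJIT bytecode.
KNOWN_MAGIC = (b"MZ", b"\x7fELF", b"PK\x03\x04", b"\x1bLua", b"\x1bLJ",
               b"%PDF", b"\x89PNG", b"#!")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input, 8.0 for uniform bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_interpreter(path: str) -> bool:
    """True if the file is a PE/ELF image containing Lua runtime markers."""
    with open(path, "rb") as f:
        blob = f.read()
    if not blob.startswith((b"MZ", b"\x7fELF")):
        return False
    return any(m in blob for m in LUA_MARKERS)


def looks_opaque(path: str, min_size: int = 256, min_entropy: float = 7.0) -> bool:
    """True for a file with no recognised header and high entropy (encrypted/packed)."""
    with open(path, "rb") as f:
        blob = f.read()
    if len(blob) < min_size or blob.startswith(KNOWN_MAGIC):
        return False
    return shannon_entropy(blob) >= min_entropy


def triage_directory(root: str) -> list:
    """Return one finding per renamed interpreter, listing opaque files beside it."""
    findings = []
    for dirpath, _, files in os.walk(root):
        paths = [os.path.join(dirpath, f) for f in files]
        renamed = [p for p in paths
                   if looks_like_interpreter(p)
                   and not EXPECTED_LUA_NAMES.match(os.path.basename(p))]
        opaque = sorted(os.path.basename(p) for p in paths if looks_opaque(p))
        for interp in renamed:
            findings.append({
                "directory": dirpath,
                "interpreter": os.path.basename(interp),
                "opaque_files": opaque,
            })
    return findings


def build_sample_dir() -> str:
    """Create a constructed sample tree mimicking the two-component layout."""
    root = tempfile.mkdtemp(prefix="triage-sample-")
    # Fake PE image with Lua markers under a non-interpreter name (renamed runtime).
    with open(os.path.join(root, "deploy-helper.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"luaL_newstate\x00lua_pcall\x00LuaJIT 2.1\x00")
    # Same markers under a conventional name: should NOT be flagged.
    with open(os.path.join(root, "luajit.exe"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 64 + b"luaL_newstate\x00LuaJIT 2.1\x00")
    # Stand-in for an encrypted script: uniform byte distribution, no header.
    with open(os.path.join(root, "config.dat"), "wb") as f:
        f.write(bytes(range(256)) * 16)
    # Ordinary text file: low entropy, should NOT be flagged.
    with open(os.path.join(root, "README.md"), "wb") as f:
        f.write(b"# Docker deployer\nRun deploy-helper.exe to start.\n" * 10)
    return root


if __name__ == "__main__":
    for finding in triage_directory(build_sample_dir()):
        print("TRIAGE:", finding)
```

Run against a real clone by calling `triage_directory("/path/to/clone")`; a non-empty result is the cue to hand the pair to an analyst who executes both files together, since, as the report notes, neither file is likely to trip a sandbox on its own.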
A comprehensive list of IOCs related to the campaign, including hashes, endpoint patterns, and offending GitHub accounts, is included in the report.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.