300+ Trojanized GitHub Packages Use OpenClaw Docker Deployer as Bait to Steal Credentials

What Happened

Security firm Netskope discovered over 300 trojanized GitHub packages disguised as OpenClaw Docker deployers, according to Dark Reading on March 25, 2026. The malicious repositories contain a LuaJIT-based trojan that steals credentials and captures screenshots from developer machines, exfiltrating stolen data to command-and-control servers located in Frankfurt.

This campaign runs parallel to a separate threat identified by Kaspersky earlier in March, where infostealers mimicking Claude Code, OpenClaw, and other AI developer tools were distributed through fake documentation pages on Squarespace. The Kaspersky-identified malware delivers Amatera (targeting Windows) and the notorious AMOS stealer (targeting macOS), harvesting browser sessions, crypto wallet data, and credentials.

Why It Matters

The supply chain attack surface around OpenClaw continues to expand beyond ClawHub skills into the broader developer toolchain. The 300+ trojanized Docker deployer repos represent a significant escalation in sophistication — attackers are now targeting the deployment and infrastructure layer, not just the skill marketplace. Combined with the earlier ClawHavoc campaign that infected 1,184 ClawHub skills and the Kaspersky-identified fake installation pages, the pattern is clear: threat actors are systematically targeting every touchpoint where developers interact with the OpenClaw ecosystem. The Frankfurt C2 infrastructure suggests organized criminal operations rather than opportunistic attacks.

What's Next

Expect GitHub to implement additional verification measures for OpenClaw-related repositories. The security community may need to develop deployment-specific scanning tools similar to what Clawdex provides for ClawHub skills.

Related

• Clawdex — security scanner for ClawHub skills
• 135K exposed instances — the broader exposure landscape