Microsoft’s Bing AI-powered search feature recommended malicious GitHub repositories posing as installers for OpenClaw, an open-source AI agent, directing users toward software that deployed information stealers and proxy malware. The campaign was uncovered last month by researchers at managed detection and response firm Huntress.
OpenClaw functions as a personal assistant capable of accessing local files and integrating with email, messaging apps, and online services. That level of local access made it an attractive target. Threat actors created GitHub repositories designed to mimic legitimate OpenClaw installers, and Bing’s AI search surfaced them as recommended download links for users searching for the Windows version of the tool.
Huntress researchers noted that “just hosting the malware on GitHub was enough to poison Bing AI search results.” The implication is pointed: AI-enhanced search has not solved the fundamental problem of distinguishing between trustworthy and malicious sources, and in some cases may amplify the reach of harmful content by lending it algorithmic credibility.
How the Fake Repositories Were Built
The malicious repositories were organized under a GitHub account named openclaw-installer, lending them a surface-level appearance of legitimacy. The accounts were newly created but borrowed real code from the Cloudflare moltworker project to appear more convincing. Huntress believes this approach may have contributed to Bing’s AI treating them as credible sources.
The repositories offered separate infection chains depending on the target’s operating system. For macOS users, installation instructions directed them to paste a bash command in Terminal. That command reached a separate GitHub organization called puppeteerrr and a repository named dmg, which contained shell scripts paired with Mach-O executables. Huntress identified these as Atomic Stealer malware.
Windows Users Hit With Multiple Payloads
On the Windows side, the fake installer delivered a file called OpenClaw_x64.exe, which then dropped multiple malicious executables onto the machine. Most of these were Rust-based malware loaders designed to execute information stealers directly in memory, reducing their on-disk footprint and complicating detection.
One identified payload was Vidar stealer, which contacted Telegram and Steam user profiles to retrieve command-and-control data. Another executable delivered through the same chain was GhostSocks, a backconnect proxy that converts an infected machine into a proxy node. Attackers can use such nodes to access accounts with stolen credentials while evading fraud detection systems, or to route malicious traffic while obscuring its origin.
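The Windows chain above gives defenders two observable behaviours: one installer process launching several executables, and a non-browser process looking up Telegram or Steam profiles to fetch C2 data. The following detector is an added example written for this summary, not code from Huntress; the telemetry lines are constructed, and the hosts t.me and steamcommunity.com are assumed stand-ins for the profile pages the stealer contacts.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (not from the Huntress report): "proc" = process start, "net" = outbound connection.
SAMPLE_EVENTS = [
    "proc parent=explorer.exe image=OpenClaw_x64.exe pid=1201",
    "proc parent=OpenClaw_x64.exe image=update_helper.exe pid=1310",
    "proc parent=OpenClaw_x64.exe image=svc_loader.exe pid=1322",
    "net pid=1322 image=svc_loader.exe host=t.me",
    "net pid=1322 image=svc_loader.exe host=steamcommunity.com",
    "net pid=1600 image=chrome.exe host=steamcommunity.com",
]

# Assumed hosts for the Telegram/Steam profile pages used as dead-drop resolvers for C2 addresses.
DEAD_DROP_HOSTS = {"t.me", "steamcommunity.com"}
# Browsers legitimately reach those hosts; anything else doing so is suspicious.
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Split 'kind key=value ...' into a dict with the event kind included."""
    kind, _, rest = line.partition(" ")
    fields = dict(FIELD_RE.findall(rest))
    fields["kind"] = kind
    return fields


def detect(lines, min_children=2):
    """Return alerts for (a) a parent spawning several distinct executables,
    which matches the installer dropping multiple loaders, and (b) a
    non-browser process contacting a dead-drop host."""
    children = defaultdict(set)
    alerts = []
    for ev in map(parse_event, lines):
        if ev["kind"] == "proc" and ev["image"].lower().endswith(".exe"):
            children[ev["parent"]].add(ev["image"])
        elif (ev["kind"] == "net" and ev["host"] in DEAD_DROP_HOSTS
              and ev["image"].lower() not in BROWSERS):
            alerts.append(f"dead-drop lookup: {ev['image']} -> {ev['host']}")
    for parent, images in children.items():
        if len(images) >= min_children:
            alerts.append(f"multi-drop: {parent} launched {len(images)} executables")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Because the loaders run the stealers in memory, the process-tree rule fires on the child launches themselves rather than on any dropped file's hash.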
Huntress reported that its Windows Managed AV and Managed Defender for Endpoint solutions quarantined the malicious files on the customer’s machine that the researchers analyzed.
Scope and Reporting
During the investigation, Huntress identified multiple accounts and repositories tied to the same campaign. All of the malicious repositories have been reported to GitHub, though Huntress did not confirm whether they had been removed at the time of publication.
The incident reflects a broader pattern of threat actors exploiting the trust users place in AI-curated search results. The recommended mitigation is straightforward: bookmark official software portals directly rather than relying on search results to locate download links each time.
This article is a curated summary based on third-party sources.