MilikMilik

Fake AI Tool Installers and Extensions Target Developers with Stealthy Malware


How Fake AI Tool Installers Became a Malware Supply Chain Threat

Fake AI tool installers and poisoned extensions are malware supply chain attacks in which threat actors impersonate trusted developer or productivity tools, distribute counterfeit installers or extensions through popular platforms, and silently deliver remote access Trojans that steal credentials, hijack browsers, and compromise code repositories before victims notice anything is wrong. Attackers know developers spend their day inside IDEs, terminals, and package managers, so they now target those tools directly instead of attacking end users. The aim is high-value access: cloud accounts, CI/CD pipelines, and stolen developer credentials that open the door to entire organizations. Once a single device is compromised, auto-update systems and build pipelines spread the malware to more systems. For defenders, this marks a shift from protecting only production systems to treating every extension, installer, and workflow in the developer stack as a potential attack vector.

Fake ChatGPT and Claude Installers Drop Deno RAT Malware

Attackers are hosting fake installers and plugins on GitHub and SourceForge that pose as ChatGPT, Claude, AutoTune, Kontakt, Ableton Live, and ZENOLOGY. These lures deliver a backdoor called DinDoor, which then loads a remote access Trojan built on the Deno JavaScript runtime. Compromised YouTube channels with AI-generated videos funnel viewers toward the malicious repositories, and those videos have already accumulated more than 50,000 views. The infection flow relies on developer trust: victims are told to open a terminal and paste commands that pull an MSI installer or PowerShell script from GitHub for both Windows and macOS. The script installs Scoop and WinGet, then uses them to install the legitimate Deno runtime. Deno, in turn, fetches and runs DinDoor from a remote server, executing the next stage in memory so it never touches disk and is harder for traditional antivirus to spot.
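The chain described above leaves a recognizable sequence in Windows process telemetry: a package manager installs Deno, and Deno then runs a script from a remote URL. The following detection sketch is an added example, not code from the article or from any vendor; the event tuples, host names, URLs and command-line shapes are constructed for illustration, and the 10-minute window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, ISO time, image, command line).
# Command-line shapes are illustrative assumptions, not observed samples.
EVENTS = [
    ("ws-01", "2025-01-10T09:00:05", "powershell.exe", "powershell -c scoop install deno"),
    ("ws-01", "2025-01-10T09:01:40", "deno.exe", "deno run -A https://cdn.example.invalid/stage.js"),
    ("ws-02", "2025-01-10T10:00:00", "winget.exe", "winget install DenoLand.Deno"),
    ("ws-02", "2025-01-10T15:30:00", "deno.exe", "deno run --allow-read build.ts"),
    ("ws-03", "2025-01-10T11:00:00", "deno.exe", "deno run https://tools.example.invalid/fmt.ts"),
]

INSTALL_RE = re.compile(r"\b(scoop|winget)\b.*\binstall\b.*\bdeno\b", re.I)
REMOTE_RUN_RE = re.compile(r"\brun\b.*?(https?://\S+)", re.I)

def install_then_remote_run(events, window=timedelta(minutes=10)):
    """Return (host, url) where Deno runs a remote script soon after install."""
    last_install, hits = {}, []
    # Sort per host by time so each host's events are processed in order.
    for host, ts, image, cmd in sorted(events, key=lambda e: (e[0], e[1])):
        when = datetime.fromisoformat(ts)
        if INSTALL_RE.search(cmd):
            last_install[host] = when
            continue
        if image.lower() != "deno.exe":
            continue
        remote = REMOTE_RUN_RE.search(cmd)
        installed = last_install.get(host)
        # Alert only when both halves of the chain appear close together.
        if remote and installed and when - installed <= window:
            hits.append((host, remote.group(1)))
    return hits

if __name__ == "__main__":
    for host, url in install_then_remote_run(EVENTS):
        print(f"ALERT {host}: deno fetched {url} right after package-manager install")
```

Hosts that run Deno against a remote URL without a preceding install (ws-03 in the sample) are not flagged by this rule and are worth a separate, lower-severity review.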

Deno-Based RATs, Wallet Theft, and Browser Hijacking

Once DinDoor establishes persistence using a registry Run key and phones home to its command-and-control server, it starts pulling additional payloads. In observed cases, one payload is a Deno-based RAT previously tracked as Smokest. This tool gives operators wide control: it can execute arbitrary commands and PowerShell scripts, capture screenshots, manage files, launch or kill processes, and open SOCKS5 proxy tunnels. Its built-in stealer targets more than 50 cryptocurrency wallets and browser profiles, enabling theft of stored credentials, cookies, and session tokens. That combination turns a single fake installer malware infection into a gateway for account takeover, lateral movement, and financial theft. The reliance on Deno and in-memory execution also makes the toolchain portable and easy to update, letting attackers rapidly tweak capabilities while keeping the same delivery infrastructure and social engineering tactics aimed at developers and creators.

GitHub Breach: Poisoned VS Code Extension and Developer Credential Theft

The same pattern of abusing developer trust appeared in the GitHub security breach traced to a poisoned VS Code extension. A compromised version of Nx Console, a popular extension with 2.2 million installs, was briefly live on the Visual Studio Marketplace as v18.95.0. CISA noted that this malicious build was delivered through VS Code’s automatic update mechanism, so developers who already trusted Nx Console could receive it without any manual installation. According to StepSecurity, the malicious version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and even targeted Claude Code configuration files under ~/.claude/settings.json. One GitHub employee who installed the poisoned VS Code extension gave attackers access to roughly 3,800 internal repositories. This incident shows how a single compromised extension can turn auto-update into a distribution channel for malware supply chain attacks.
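A workstation check for the build named above, written as an added example rather than tooling from CISA, StepSecurity or the Nx project: it reads each installed extension's package.json, compares it with a blocklist, and, on a match, lists which credential stores exist on the machine so they can be rotated. The extension ID nrwl.angular-console and every path except ~/.claude/settings.json are assumptions not stated in the article.

```python
import json
from pathlib import Path

# Version comes from the article; the extension ID is an assumption
# (not on the page) and should be confirmed against the advisory.
BLOCKLIST = {("nrwl.angular-console", "18.95.0")}

# Credential stores to rotate if a blocklisted build is present. Only
# ~/.claude/settings.json is named in the article; the others are the
# conventional default locations for the services it lists (assumed).
CREDENTIAL_PATHS = [".claude/settings.json", ".npmrc", ".aws/credentials",
                    ".kube/config", ".vault-token", ".config/gh/hosts.yml"]

def installed_extensions(ext_dir):
    """Yield (extension_id, version) from each extension's package.json."""
    for manifest in sorted(Path(ext_dir).glob("*/package.json")):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
            ext_id = f"{meta['publisher']}.{meta['name']}".lower()
            yield ext_id, str(meta["version"])
        except (OSError, ValueError, KeyError, TypeError):
            continue  # unreadable or malformed manifest: skip it

def audit(home, ext_dir=None, blocklist=BLOCKLIST):
    """Report blocklisted extensions and the credential files to rotate."""
    home = Path(home)
    ext_dir = Path(ext_dir) if ext_dir else home / ".vscode" / "extensions"
    hits = [e for e in installed_extensions(ext_dir) if e in blocklist]
    # Only build the rotation list when a bad build was actually found.
    rotate = [p for p in CREDENTIAL_PATHS if (home / p).exists()] if hits else []
    return {"blocklisted": hits, "rotate": rotate}

if __name__ == "__main__":
    print(json.dumps(audit(Path.home()), indent=2))
```

A clean result covers only what is installed now; a later auto-update may already have replaced the malicious build, so marketplace and endpoint logs still need review.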

Defending Developer Ecosystems from Poisoned Tools and Workflows

These incidents highlight how developer tools, extensions, and workflows are now prime targets for malware supply chain attacks. GitHub’s breach through Nx Console and campaigns like Megalodon, which injected malicious GitHub Actions workflows to harvest CI/CD secrets and cloud tokens, show attackers aiming straight at automation systems. CISA urges organizations to monitor and audit workflow files and contributor activity, especially pull requests or commits from automated accounts such as build-bot, auto-ci, ci-bot, or pipeline-bot. Developers should verify tool authenticity by checking publisher identities, signatures, and release notes before installation, and avoid running terminal one-liners copied from random videos or repositories. Organizations need detection tools that scan for compromised dependencies and monitor for anomalous behavior in CI/CD pipelines and IDE extensions. Treating every new plugin, action, or installer as untrusted until proven safe is becoming essential for GitHub security and beyond.
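One way to act on the CISA guidance above, as an added example that is not CISA's or GitHub's own tooling: parse git history and flag commits that change files under .github/workflows/ and were authored by one of the automated account names the article lists. The log sample, hashes and e-mail addresses are constructed, and stripping a trailing "[bot]" from author names is an assumption about how such accounts appear.

```python
import re

# Account names called out in the article.
BOT_NAMES = {"build-bot", "auto-ci", "ci-bot", "pipeline-bot"}
WORKFLOW_RE = re.compile(r"^\.github/workflows/[^/]+\.ya?ml$")

# Constructed sample of the output of:
#   git log --name-only --format='commit%x09%h%x09%an%x09%ae'
SAMPLE_LOG = """\
commit\ta1b2c3d\tci-bot\tci-bot@example.invalid

.github/workflows/release.yml
scripts/publish.sh

commit\te4f5a6b\tAlice Dev\talice@example.invalid

.github/workflows/test.yml

commit\t0c9d8e7\tbuild-bot\tbuild-bot@example.invalid

README.md

commit\t7f7f7f7\tPipeline-Bot[bot]\tpb@example.invalid

.github/workflows/deploy.yaml
"""

def parse_log(text):
    """Split the log into commits, each with its list of changed paths."""
    commits = []
    for line in text.splitlines():
        if line.startswith("commit\t"):
            _, sha, name, email = line.split("\t", 3)
            commits.append({"sha": sha, "author": name, "email": email, "files": []})
        elif line.strip() and commits:
            commits[-1]["files"].append(line.strip())
    return commits

def is_watched_bot(author):
    """Case-insensitive match, ignoring a trailing '[bot]' (assumed convention)."""
    return re.sub(r"\[bot\]$", "", author.lower()).strip() in BOT_NAMES

def flag_workflow_changes(text):
    """Return (sha, author, workflow files) for bot-authored workflow edits."""
    hits = []
    for c in parse_log(text):
        touched = [f for f in c["files"] if WORKFLOW_RE.match(f)]
        if touched and is_watched_bot(c["author"]):
            hits.append((c["sha"], c["author"], touched))
    return hits
```

Author names in git are self-asserted, so a hit is a prompt to review the diff and the pushing account, and the absence of hits does not show that workflows are untouched.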
