A widespread campaign leveraging AI-assisted generation is distributing more than 300 compromised GitHub packages to developers and general users. Identified by Netskope Threat Labs, the operation, tracked as "TroyDen's Lure Factory," operates across multiple repositories on the platform and conceals malicious components behind a variety of software lures.
These lures include deployment files for the OpenClaw AI tool, a Telegram-promoted phone tracker, a Fishing Planet game utility, Roblox scripts, cryptocurrency tools, and VPN software. The common mechanism across these packages is a LuaJIT-based unauthorized component designed to perform system geolocation, capture screenshots, and exfiltrate sensitive data.
Netskope first discovered the packages in a GitHub repository distributing a custom LuaJIT tool engineered to evade automated detection systems.
"The repository impersonated a Docker deployment tool for a legitimate AI project to deploy containerized OpenClaw, using the real upstream repository, a polished README, and a github.io page to appear authentic," Netskope senior staff threat research engineer Vini Egerland wrote in the published report.
Establishing false legitimacy
To build credibility, the operation targets users seeking simple installations of the OpenClaw project. The repository featured a detailed README with installation instructions for both Linux and Windows environments.
The threat actors took significant steps to make the repository appear authentic. They listed multiple contributors, including an invitation to a developer with a highly starred repository during a private pre-launch phase. This developer subsequently contributed functional code to the project, likely in good faith.
Further investigation connected the creator to additional packages hosted across multiple GitHub repositories, totaling more than 300 confirmed compromised packages affecting diverse user bases simultaneously. Netskope reported the malicious projects to GitHub on March 20. At the time of the initial report, two repository lures, the "Fishing Planet Cheat Menu" and the "phone-number-location-tracking-tool"—remained active.
Component execution and evasion
The malicious software utilizes a two-component design: a renamed Lua runtime paired with an encrypted script. Netskope found that each component passes automated sandbox analysis when submitted individually.
"The threat only emerges when both components execute together, resulting in five anti-analysis checks, a sleep delay of roughly 29,000 years to defeat timed sandboxes, and an immediate full-desktop screenshot exfiltrated as soon as it executes, and credential theft behaviour," Egerland wrote.
Once active, the software exfiltrates collected data to a command-and-control (C2) server located in Frankfurt. The tool also embeds credential-theft capabilities, indicating a risk for lateral movement and further system compromise.
Evidence indicates the threat actors used operational AI to scale the campaign's infrastructure. The lure names systematically apply obscure biological taxonomy, archaic Latin, and medical terminology across the ecosystem. This approach demonstrates a shift toward using automated, AI-driven processes to build scalable threat environments, moving away from isolated incidents toward continuously generated threat infrastructure.
Defending the development pipeline
This operation exposes a specific gap in standard automated analysis pipelines, requiring security teams to apply contextual review to protect the software development life cycle. If developers incorporate a compromised package into legitimate software, the broader supply chain faces risk unless the code is identified before reaching an operational environment.
"The result is a threat designed to pass every automated layer. individual file submission, behavioral sandbox, hash matching — and surface only when a human analyst runs everything together in context," Egerland noted.
The sheer volume and breadth of the lures indicate the threat actor prioritizes scale over precision targeting. To defend against this methodology, organizations should treat any GitHub-hosted download that pairs a renamed interpreter with an opaque data file as a high-priority triage candidate, regardless of the surrounding repository's apparent legitimacy.
A comprehensive list of indicators of compromise (IOCs), including hashes, endpoint patterns, and associated GitHub accounts, is available in the Netskope report to assist security teams with detection and blocking rules.