# Known Malicious ClawHub / GitHub Publishers
# Sources: Koi Security, VirusTotal, Bloom Security/JFrog, Snyk, OpenSourceMalware, Antiy CERT, Flare, Huntress, Socket, Lazarus
# Format: username|skill_count|campaign|notes
# Last updated: 2026-03-15

# ClawHavoc campaign (Koi Security + Antiy CERT update)
# Campaign expanded from 341 to 824+ skills, 1,184 malicious packages across 12 accounts
hightower6eu|354|clawhavoc|Primary ClawHavoc publisher, crypto/finance/social lures (up from 314)
sakaen736jih|199|clawhavoc|Automated submissions, one every few minutes; second-largest operator
davidsmorais|mixed|clawhavoc-takeover|Established 2016 account - suspected account takeover, mix of clean/malicious

# Bloom Security / JFrog campaign (3 distinct campaigns, 37 skills)
zaycv|multiple|bloom-campaign|ClawHub + GitHub publisher of malicious skills
noreplyboter|2|bloom-campaign|Published polymarket-all-in-one, better-polymarket (reverse shells)
rjnpage|1|bloom-campaign|Published rankaj (.env credential exfiltration via webhook)
aslaep123|multiple|bloom-campaign|Published reddit-trends (silent .env exfiltration)
gpaitai|multiple|bloom-campaign|GitHub account distributing malicious skills
lvy19811120-gif|multiple|bloom-campaign|GitHub account distributing malicious skills

# Snyk ToxicSkills campaign (Feb 5, 2026)
# 76 confirmed malicious payloads out of 3,984 scanned skills
# 8 malicious skills still publicly available at time of disclosure
clawdhub1|~100|snyk-clawdhub|Active variant of removed clawhub typosquat, drops reverse shells

# Snyk / OpenSourceMalware campaign
Ddoy233|1|opensourcemalware|GitHub repo openclawcli - Windows infostealer in password-protected ZIP

# GitHub accounts hosting malicious payloads
hedefbari|1|clawhavoc|GitHub hosting openclaw-agent.zip

# Fake OpenClaw installer campaign (Huntress, Feb-Mar 2026)
# Bing AI search poisoning promoted these repos to top results
# Distributed GhostSocks proxy malware + Vidar stealer via Stealth Packer
openclaw-installer|fake-repo|ghostsocks-vidar|GitHub fake installer repo (removed Feb 10, Huntress)
install-openclaw|fake-repo|ghostsocks-vidar|GitHub org/repo impersonating official installer
simple-claw|fake-repo|ghostsocks-vidar|GitHub org/repo cluster tied to fake installer campaign
comfyui-auto-installer|fake-repo|ghostsocks-vidar|Cross-project installer lure operated by same cluster
molt-bot|1|ghostsocks-vidar|Hosted openclaw-trading-assistant lure repository
JSfOMGi2|multiple|ghostsocks-vidar|Maintainer tied to fake installer and magic-install lures
pblockbDerp4|multiple|ghostsocks-vidar|Maintainer tied to fake installer and install-openclaw lures
wgodbarrelv4|multiple|ghostsocks-vidar|Maintainer tied to fake installer and openclaw-install lures

# SANDWORM_MODE worm publishers (Socket, Feb 20, 2026)
# 19 typosquatted npm packages carrying MCP worm malware
sandworm-npm-actor1|19|sandworm-mode|Publisher of @anthropic/sdk-extra, claude-code-utils, and other typosquats
sandworm-npm-actor2|multiple|sandworm-mode|Secondary publisher tied to cursor-mcp-bridge, windsurf-mcp-bridge

# Lazarus XPACK campaign publishers (Feb 4, 2026)
lazarus-bigmath|multiple|lazarus-xpack|Published bigmathutils (10K+ downloads before payload insertion)
lazarus-graphalgo|multiple|lazarus-xpack|Published graphalgo RAT distribution package

# Malicious MCP server publishers (Semgrep, Feb 2026)
postmark-mcp-actor|1|mcp-rugpull|Maintained postmark-mcp for 15 clean versions before adding BCC exfiltration
