A legitimate open-source game is being weaponized to distribute malware, and the attack chain is surprisingly sophisticated. Researchers have uncovered a campaign that exploits OpenClaw — a free, open-source remake of the 1997 platformer Captain Claw — to trick users into downloading info-stealing malware through GitHub repositories and manipulated Bing search results.
The scheme works like this. Attackers forked the real OpenClaw GitHub repository, injected malicious code into their version, and then somehow got Bing to surface their poisoned fork as a top search result. Anyone searching for the game on Microsoft’s search engine could easily end up on the malicious repo instead of the legitimate one. A textbook case of SEO poisoning meeting software supply chain abuse.
According to TechRadar, the campaign was discovered by security researcher Ax Sharma, who detailed how the forked repositories appeared convincing enough to fool casual users. The attackers didn’t just dump an obvious payload into the repo. They modified the game’s installer to include a secondary executable that runs silently alongside the legitimate game installation, making it far harder to detect.
The malware itself is an infostealer. Once installed, it targets browser-stored credentials, session cookies, cryptocurrency wallet data, and other sensitive information stored on the victim’s machine. It phones home to command-and-control servers and exfiltrates whatever it can grab. Standard playbook for this class of threat, but the delivery mechanism is what makes this campaign stand out.
GitHub has long been a target for this kind of abuse. The platform’s trust signal — developers inherently trust code hosted there more than random downloads — makes it a perfect vector. And forking is a core feature of how GitHub works, so there’s no obvious red flag when someone creates a copy of a popular repository. The attackers exploited that trust deliberately.
But here’s where Bing’s role gets interesting. Google dominates search, obviously, but Bing still powers a significant number of queries — particularly through Microsoft Edge’s default search, Copilot integrations, and enterprise environments where Microsoft services are standard. The attackers specifically optimized their malicious GitHub pages to rank well on Bing, not Google. That’s a deliberate targeting choice. It suggests they’re going after users who haven’t changed their default browser settings, which often correlates with less tech-savvy individuals. Exactly the kind of people who might download a nostalgic game remake without scrutinizing the source.
So what did the malicious repos actually look like? They closely mirrored the legitimate OpenClaw project, complete with README files, build instructions, and release binaries. The differences were subtle — modified build scripts, altered installer packages, and additional executables bundled into release archives. Unless you were comparing the fork against the original line by line, you wouldn’t catch it.
This isn’t an isolated incident. BleepingComputer and other security outlets have reported on a growing trend of attackers abusing GitHub’s infrastructure to distribute malware. Earlier this year, researchers at Phylum and Checkmarx documented campaigns using fake GitHub stars, typosquatted package names, and manipulated repository metadata to boost the visibility of malicious projects. The OpenClaw campaign adds search engine manipulation to that toolkit.
Microsoft hasn’t publicly commented on how the malicious fork managed to rank so prominently in Bing results. That’s a problem. If Bing’s algorithms can be gamed this easily to surface malware-laden GitHub repositories, it raises questions about what safeguards exist in Microsoft’s search indexing pipeline — especially given that Microsoft also owns GitHub.
For security teams and developers, the takeaways are straightforward but worth repeating. Don’t trust GitHub repositories at face value, even if they appear in search results. Verify you’re looking at the original project by checking the repository owner, creation date, commit history, and star count. Forks with recent creation dates and minimal community engagement are red flags.
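A small triage helper for the checks just listed, added here as an illustration and not taken from the article or the OpenClaw project. It assumes the record shape of GitHub's REST `GET /repos/{owner}/{repo}` response (the `fork`, `parent`, `created_at`, `stargazers_count` and `forks_count` fields), fetches nothing itself, and the age and star thresholds are assumptions; owner names in the samples are placeholders, not real accounts.

```python
"""Triage GitHub repository metadata for the look-alike-fork red flags."""
from datetime import datetime, timezone

def _ts(s):
    """Parse GitHub's ISO-8601 timestamps, e.g. '2024-01-02T03:04:05Z'."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(repo, now, max_age_days=90, min_stars=50):
    """Return the red flags found in one GET /repos/{owner}/{repo} record.

    `now` is passed in so results are reproducible; thresholds are assumptions.
    """
    flags = []
    parent = repo.get("parent") or {}          # present only on forks
    if repo.get("fork"):
        flags.append("fork of " + parent.get("full_name", "<unknown parent>"))
    age_days = (now - _ts(repo["created_at"])).days
    if age_days < max_age_days:
        flags.append(f"created only {age_days} days ago")
    stars = repo.get("stargazers_count", 0)
    if stars < min_stars:
        flags.append(f"only {stars} stars / {repo.get('forks_count', 0)} forks")
    # A fork with a tiny fraction of its parent's stars is the copy, not the project.
    if parent and stars < parent.get("stargazers_count", 0) // 10:
        flags.append("far less engagement than its parent")
    return flags

def verdict(repo, now, **thresholds):
    """'original' (no flags), 'review' (some flags) or 'suspicious' (fork + more)."""
    flags = triage(repo, now, **thresholds)
    if repo.get("fork") and len(flags) > 1:
        return "suspicious"
    return "review" if flags else "original"

NOW = _ts("2025-06-01T00:00:00Z")  # fixed reference time for the samples below

# Constructed sample records in the API's shape; owner names are placeholders.
ORIGINAL = {
    "full_name": "example-maintainer/OpenClaw", "fork": False,
    "created_at": "2016-03-10T00:00:00Z", "stargazers_count": 1200, "forks_count": 150,
}
LOOKALIKE = {
    "full_name": "fresh-account-123/OpenClaw", "fork": True,
    "created_at": "2025-05-20T00:00:00Z", "stargazers_count": 2, "forks_count": 0,
    "parent": {"full_name": "example-maintainer/OpenClaw", "stargazers_count": 1200},
}

if __name__ == "__main__":
    for repo in (ORIGINAL, LOOKALIKE):
        print(repo["full_name"], "->", verdict(repo, NOW), triage(repo, NOW))
```

In practice the record comes from the API (or `gh api repos/OWNER/REPO`), and the parent's `full_name` is the link to follow instead of the fork.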
Organizations should also consider whether their endpoint protection can detect this kind of sideloaded malware. The OpenClaw installer actually works — the game runs fine — which means users won’t immediately suspect anything is wrong. The malicious component operates in the background while the victim plays a perfectly functional platformer from 1997. Clever and effective.
There’s a broader point here too. Open-source games and hobbyist software projects are increasingly attractive targets because they tend to have smaller maintainer teams and less security infrastructure than major open-source libraries. Nobody’s running SCA tools against a Captain Claw remake. Attackers know this.
And the Bing angle shouldn’t be dismissed as niche. Microsoft has been aggressively pushing Bing through Windows defaults, Copilot, and Edge. Every new Windows installation defaults to Bing. Every Copilot query runs through Bing. That’s a massive attack surface if search result integrity can be compromised this easily.
The legitimate OpenClaw project, maintained on GitHub under its original repository, remains safe. The issue is entirely with unauthorized forks that have been modified to include malware. If you’ve downloaded OpenClaw recently — particularly through a Bing search result rather than a direct link — it’s worth scanning your system immediately.
GitHub has reportedly taken down some of the malicious forks, but the cat-and-mouse dynamic here is familiar. New forks can be created in minutes. Until GitHub and Microsoft implement more aggressive detection of malicious forks — or Bing adds better filtering for potentially dangerous repository links — this attack pattern will keep working.


WebProNews is an iEntry Publication