GhostClaw Campaign Targets Developers, MCP Cryptocurrency Rug Pull, and Vishing Attacks Surge

25 Mar 2026

GhostClawmalwarePyPIPythonsupply_chain_attackcryptocurrencyrug_pullMCPvishingphishingsocial_engineeringMandiantdata_exfiltrationcredentials_theftTech

A campaign named GhostClaw compromised 178 developers by distributing malicious Python packages via PyPI, embedding obfuscated malware that exfiltrated sensitive data, including credentials and environment variables. Separately, a rug pull attack on the MCP (Multi-Chain Protocol) cryptocurrency project resulted in the theft of $1.2 million after developers abruptly removed liquidity and abandoned the project. Mandiant reported a surge in vishing (voice phishing) attacks, with threat actors increasingly impersonating IT support or financial institutions to trick victims into divulging credentials or installing malware. The incidents were disclosed in March 2026, with no specific CVEs or additional technical indicators provided in the report.