Fake ChatGPT and Claude installers on GitHub are dropping Deno RAT malware
ID: ef5a9306-9521-5fb4-b890-853a5e7fd6f0
STIX ID: report--ef5a9306-9521-5fb4-b890-853a5e7fd6f0
Feed Name: Help Net Security
Attackers are distributing counterfeit installers and plugins on trusted code-hosting platforms (GitHub, SourceForge), promoted via compromised YouTube channels, to deliver a DinDoor backdoor that loads a Deno-based RAT (Smokest). The toolset executes in memory using legitimately installed tooling (Scoop, WinGet, Deno) and establishes persistence. It enables remote command execution, file and process control, and SOCKS5 tunneling, and includes a stealer targeting 50+ crypto wallet extensions and multiple browsers. It also streams live screens via Edge + WebRTC to evade detection. Malwarebytes observed active repositories that were removed, indicating an ongoing campaign that leverages legitimate platforms and developer tooling to remain under the radar.
