Hi —
Wanted to flag that https://github.com/abdallahLokmene/teamclaude is a soft-forked copy of your @karpeleslab/teamclaude project being used as cover for malware distribution. No action required from you — I've reported it to GitHub in parallel — but you may want to be aware in case future similar copies appear, or in case anyone reaches out to you confused about which copy is legitimate.
The pattern:
- The malicious copy preserves your commit history with your authorship intact, but was pushed as a standalone repo (not via GitHub's fork button) so it doesn't appear in your "Forks" tab.
- Their package.json still declares "name": "@karpeleslab/teamclaude".
- Their README (last updated 2026-05-06) replaces all download links with https://raw.githubusercontent.com/abdallahLokmene/teamclaude/master/screenshots/Software-2.9.zip — a binary hidden in the screenshots/ directory next to a real screenshot file.
- The ZIP contains an obfuscated Lua VM loader (Luraph-family obfuscation, 308KB, fully self-contained, no cleartext IOCs). The README instructs users to npm install and npm start after extracting, which would execute the dropper alongside whatever modified JS the ZIP contains.
Hashes (extracted Lua payload):
- SHA-256: 455146d1a9f0ebe4733a3aa39902bbefe32066f08ff518e3ffb3bc3e62ff4141
- MD5: 6e294751c6ae682bf6567cc911cd863c
Owner profile: abdallahLokmene — burner account, created 35 minutes before the malicious repo, 1 public repo, 0 followers.
Suggestions if you want them, otherwise feel free to ignore:
- A short note in your README pointing to the legitimate npm package and warning about copy-paste downloads of "teamclaude" ZIPs from non-canonical sources
- Adding a SECURITY.md so future reports have a defined channel
- Considering whether to publish a signed npm release notice
I have no commercial or competitive interest here — just spotted this while reviewing a sample a colleague flagged. Happy to share more detail (the README diff, the ZIP path, etc.) if useful.
Thanks for maintaining teamclaude. We rely on it.
— Ben
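A defender-side triage check for the pattern this report describes (download links pointing at an archive under another owner's raw-content URL, a binary parked in screenshots/, and a package.json name that does not belong to the repo owner). This is an added example, not code from the report or from the teamclaude project; the sample README, file list and package.json are constructed to mirror the report, and the directory and archive-extension lists are assumptions.

```javascript
// Archive/binary extensions treated as "not a screenshot" (assumed list).
const ARCHIVE_RE = /\.(zip|rar|7z|exe|msi|dmg)$/i;

// README links that fetch an archive from a raw.githubusercontent.com URL
// whose owner is not the canonical project owner.
function findSuspiciousDownloadLinks(readme, canonicalOwner) {
  const urlRe = /https?:\/\/raw\.githubusercontent\.com\/([^\/\s)]+)\/([^\/\s)]+)\/[^\s)]+/g;
  const hits = [];
  for (const m of readme.matchAll(urlRe)) {
    const [url, owner] = m;
    if (owner.toLowerCase() !== canonicalOwner.toLowerCase() && ARCHIVE_RE.test(url)) {
      hits.push(url);
    }
  }
  return hits;
}

// Archives placed under directories that should only hold images (assumed list).
function findBinariesInImageDirs(paths) {
  return paths.filter((p) => /^(screenshots|images|img|docs\/img)\//i.test(p) && ARCHIVE_RE.test(p));
}

// A copy that keeps a scoped package name whose scope differs from the repo owner.
// An npm scope need not equal a GitHub owner, so this is a signal, not proof.
function packageNameMismatch(packageJsonText, repoOwner) {
  const name = JSON.parse(packageJsonText).name || "";
  const scope = name.startsWith("@") ? name.slice(1).split("/")[0] : null;
  return scope !== null && scope.toLowerCase() !== repoOwner.toLowerCase() ? name : null;
}

function triage(repoOwner, canonicalOwner, readme, files, pkgJson) {
  return {
    links: findSuspiciousDownloadLinks(readme, canonicalOwner),
    binaries: findBinariesInImageDirs(files),
    nameMismatch: packageNameMismatch(pkgJson, repoOwner),
  };
}

// Constructed sample inputs mirroring the report above.
const SAMPLE_README = `## Download
Get the latest build: https://raw.githubusercontent.com/abdallahLokmene/teamclaude/master/screenshots/Software-2.9.zip
Then run npm install && npm start.`;
const SAMPLE_FILES = ["README.md", "package.json", "screenshots/main.png", "screenshots/Software-2.9.zip"];
const SAMPLE_PACKAGE_JSON = '{"name": "@karpeleslab/teamclaude", "version": "1.0.0"}';

console.log(JSON.stringify(triage("abdallahLokmene", "karpeleslab", SAMPLE_README, SAMPLE_FILES, SAMPLE_PACKAGE_JSON), null, 2));
```

Any non-empty field in the result is a reason to look at the copy more closely; the legitimate repo, run through the same checks with its own owner, should produce none.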