<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>
	Comments for First Hackers News	</title>
	<atom:link href="https://firsthackersnews.com/comments/feed/" rel="self" type="application/rss+xml" />
	<link>https://firsthackersnews.com</link>
	<description>Latest cybersecurity news, real attacks, and practical IOCs—made simple and actionable.</description>
	<lastBuildDate>Thu, 02 Jul 2026 03:11:22 +0000</lastBuildDate>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>
	<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Bernini Video		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27870</link>

		<dc:creator><![CDATA[Bernini Video]]></dc:creator>
		<pubDate>Thu, 02 Jul 2026 03:11:22 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27870</guid>

					<description><![CDATA[Verifying downloads before execution is non-negotiable for any terminal tool riding a hype wave like DeepSeek TUI. Beyond the published MD5 list, I always cross-check the repository commit history, maintainer signatures, and reproducible build status before pulling a binary from Releases. Signed tags, pinned SHA-256 manifests, and a CODEOWNERS gate would have caught several of the copycat repos described in the OpenClaw pattern, and treating every GitHub download as untrusted until the signature verifies is the only reliable mitigation.]]></description>
			<content:encoded><![CDATA[<p>Verifying downloads before execution is non-negotiable for any terminal tool riding a hype wave like DeepSeek TUI. Beyond the published MD5 list, I always cross-check the repository commit history, maintainer signatures, and reproducible build status before pulling a binary from Releases. Signed tags, pinned SHA-256 manifests, and a CODEOWNERS gate would have caught several of the copycat repos described in the OpenClaw pattern, and treating every GitHub download as untrusted until the signature verifies is the only reliable mitigation.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by video2x		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27832</link>

		<dc:creator><![CDATA[video2x]]></dc:creator>
		<pubDate>Tue, 30 Jun 2026 01:37:49 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27832</guid>

					<description><![CDATA[Verifying downloads before execution is critical, especially for trending tools like DeepSeek. I would recommend always cross-checking repository ownership, commit history, and matching published checksums against the actual binary. Beyond static hashes, maintainer signatures and reproducible builds remain the strongest defense against this kind of supply-chain impersonation campaign.]]></description>
			<content:encoded><![CDATA[<p>Verifying downloads before execution is critical, especially for trending tools like DeepSeek. I would recommend always cross-checking repository ownership, commit history, and matching published checksums against the actual binary. Beyond static hashes, maintainer signatures and reproducible builds remain the strongest defense against this kind of supply-chain impersonation campaign.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Unblur Image		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27808</link>

		<dc:creator><![CDATA[Unblur Image]]></dc:creator>
		<pubDate>Sun, 28 Jun 2026 22:24:00 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27808</guid>

					<description><![CDATA[The reuse of the OpenClaw infrastructure across DeepSeek, Claude, Grok, WormGPT, and FraudGPT lures is a clear sign that GitHub supply-chain trust collapses whenever a trending AI name surfaces. Hardening practices that actually work: pinning releases by SHA-256 together with a detached sigs file, gating any TUI binary on signed commits, and rejecting mirrors that lack CODEOWNERS or verified authorship before they reach internal installers. Worth folding that into the IoC playbook so defenders get the verification checklist, not just the hashes.The reuse of the OpenClaw infrastructure across DeepSeek, Claude, Grok, WormGPT, and FraudGPT lures is a clear sign that GitHub supply-chain trust collapses whenever a trending AI name surfaces. Hardening practices that actually work: pinning releases by SHA-256 together with a detached sigs file, gating any TUI binary on signed commits, and rejecting mirrors that lack CODEOWNERS or verified authorship before they reach internal installers. Worth folding that into the IoC playbook so defenders get the verification checklist, not just the hashes.]]></description>
			<content:encoded><![CDATA[<p>The reuse of the OpenClaw infrastructure across DeepSeek, Claude, Grok, WormGPT, and FraudGPT lures is a clear sign that GitHub supply-chain trust collapses whenever a trending AI name surfaces. Hardening practices that actually work: pinning releases by SHA-256 together with a detached sigs file, gating any TUI binary on signed commits, and rejecting mirrors that lack CODEOWNERS or verified authorship before they reach internal installers. Worth folding that into the IoC playbook so defenders get the verification checklist, not just the hashes.The reuse of the OpenClaw infrastructure across DeepSeek, Claude, Grok, WormGPT, and FraudGPT lures is a clear sign that GitHub supply-chain trust collapses whenever a trending AI name surfaces. Hardening practices that actually work: pinning releases by SHA-256 together with a detached sigs file, gating any TUI binary on signed commits, and rejecting mirrors that lack CODEOWNERS or verified authorship before they reach internal installers. Worth folding that into the IoC playbook so defenders get the verification checklist, not just the hashes.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Unblur Video		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27796</link>

		<dc:creator><![CDATA[Unblur Video]]></dc:creator>
		<pubDate>Sun, 28 Jun 2026 08:49:31 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27796</guid>

					<description><![CDATA[The OpenClaw rotation across DeepSeek, Claude, Grok, and FraudGPT branding is the clearest signal that attackers rely on users skipping basic verification. Before running any installer pulled from GitHub, it is worth pinning to a specific commit, validating the SHA-256 against a vendor-published checksum, and checking the release manifest for a signed artifact. Even for internal AI tooling, treating every typo-squatted repo as untrusted until ownership and signing keys are confirmed remains the strongest baseline defense.]]></description>
			<content:encoded><![CDATA[<p>The OpenClaw rotation across DeepSeek, Claude, Grok, and FraudGPT branding is the clearest signal that attackers rely on users skipping basic verification. Before running any installer pulled from GitHub, it is worth pinning to a specific commit, validating the SHA-256 against a vendor-published checksum, and checking the release manifest for a signed artifact. Even for internal AI tooling, treating every typo-squatted repo as untrusted until ownership and signing keys are confirmed remains the strongest baseline defense.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Audio Enhancer Ai		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27755</link>

		<dc:creator><![CDATA[Audio Enhancer Ai]]></dc:creator>
		<pubDate>Thu, 25 Jun 2026 23:12:19 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27755</guid>

					<description><![CDATA[Good walkthrough of the OpenClaw campaign. The pattern here mirrors what we keep seeing: a flashy repo, a green CI badge, and a release artifact that ships unsigned. We treat every GitHub-hosted binary as untrusted until we have matched the SHA-256 against a second channel, re-checked the GPG signature on the tag, and confirmed the commit history lines up with the maintainer&#039;s public announcements. For teams shipping internal tooling, pinning to a digest and gating installs behind an allowlist is the only reliable control — the IoC list helps, but the structural fix is making the verification path boring and repeatable.]]></description>
			<content:encoded><![CDATA[<p>Good walkthrough of the OpenClaw campaign. The pattern here mirrors what we keep seeing: a flashy repo, a green CI badge, and a release artifact that ships unsigned. We treat every GitHub-hosted binary as untrusted until we have matched the SHA-256 against a second channel, re-checked the GPG signature on the tag, and confirmed the commit history lines up with the maintainer&#8217;s public announcements. For teams shipping internal tooling, pinning to a digest and gating installs behind an allowlist is the only reliable control — the IoC list helps, but the structural fix is making the verification path boring and repeatable.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Happyhorse 1.0		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27743</link>

		<dc:creator><![CDATA[Happyhorse 1.0]]></dc:creator>
		<pubDate>Wed, 24 Jun 2026 23:14:32 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27743</guid>

					<description><![CDATA[Validating the published package checksums against the original DeepSeek TUI release is a baseline check, yet the social engineering layer matters just as much. Attackers betting on a GitHub Pages landing page and a lookalike repo name will keep winning as long as users skip the green-tag signature verification and the maintainer audit trail. Pinning a known-good version, comparing SHA-256 hashes, and treating any unsigned download as hostile would blunt most of the OpenClaw-style chains described in this writeup.]]></description>
			<content:encoded><![CDATA[<p>Validating the published package checksums against the original DeepSeek TUI release is a baseline check, yet the social engineering layer matters just as much. Attackers betting on a GitHub Pages landing page and a lookalike repo name will keep winning as long as users skip the green-tag signature verification and the maintainer audit trail. Pinning a known-good version, comparing SHA-256 hashes, and treating any unsigned download as hostile would blunt most of the OpenClaw-style chains described in this writeup.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Bernini AI		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27731</link>

		<dc:creator><![CDATA[Bernini AI]]></dc:creator>
		<pubDate>Tue, 23 Jun 2026 22:58:42 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27731</guid>

					<description><![CDATA[The OpenClaw activity mapped in this post is a textbook case of why terminal users should never trust a binary fetched directly from a GitHub release. Before running anything I always pull the SHA-256 from a second independent channel, verify it against a signed manifest, and re-check the GPG signature of the tag commit. Imposter repos like the one described here typically get a green CI badge and a few seeded stars to short-circuit that habit. Teams should also pin to a digest and add a release policy that requires maintainer confirmation on Discord or email before any install. The IoC list is useful, but the structural fix is treating every download as untrusted until it is signed and reproducible.]]></description>
			<content:encoded><![CDATA[<p>The OpenClaw activity mapped in this post is a textbook case of why terminal users should never trust a binary fetched directly from a GitHub release. Before running anything I always pull the SHA-256 from a second independent channel, verify it against a signed manifest, and re-check the GPG signature of the tag commit. Imposter repos like the one described here typically get a green CI badge and a few seeded stars to short-circuit that habit. Teams should also pin to a digest and add a release policy that requires maintainer confirmation on Discord or email before any install. The IoC list is useful, but the structural fix is treating every download as untrusted until it is signed and reproducible.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Gemini Omni		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27678</link>

		<dc:creator><![CDATA[Gemini Omni]]></dc:creator>
		<pubDate>Sat, 20 Jun 2026 18:24:44 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27678</guid>

					<description><![CDATA[The IoC catalog here is genuinely useful but the real defense lives upstream in the supply chain itself. Beyond matching hashes, validating cloned repos against vendor-published signing keys and pinned commit references would have caught most of these typo-squatted handles before any payload executes. I have been pushing the same checklist internally — verify release manifests, treat third-party installers as untrusted, and never rely on README aesthetics as a trust signal.]]></description>
			<content:encoded><![CDATA[<p>The IoC catalog here is genuinely useful but the real defense lives upstream in the supply chain itself. Beyond matching hashes, validating cloned repos against vendor-published signing keys and pinned commit references would have caught most of these typo-squatted handles before any payload executes. I have been pushing the same checklist internally — verify release manifests, treat third-party installers as untrusted, and never rely on README aesthetics as a trust signal.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by ASCII Art Generator		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27667</link>

		<dc:creator><![CDATA[ASCII Art Generator]]></dc:creator>
		<pubDate>Fri, 19 Jun 2026 17:48:50 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27667</guid>

					<description><![CDATA[The IoC table here is a genuinely useful baseline, but the real defense has to happen upstream — verifying every cloned repo against vendor-published checksums and signed release manifests before any binary ever runs. Beyond hash matching, treating GitHub handles and impersonator repos as untrusted by default is what catches typo-squatted names long before sandboxing ever will. A practical habit worth keeping is pinning to a specific commit, confirming the publisher&#039;s signing key, and avoiding curl-pipe-bash patterns regardless of how official the README looks.]]></description>
			<content:encoded><![CDATA[<p>The IoC table here is a genuinely useful baseline, but the real defense has to happen upstream — verifying every cloned repo against vendor-published checksums and signed release manifests before any binary ever runs. Beyond hash matching, treating GitHub handles and impersonator repos as untrusted by default is what catches typo-squatted names long before sandboxing ever will. A practical habit worth keeping is pinning to a specific commit, confirming the publisher&#8217;s signing key, and avoiding curl-pipe-bash patterns regardless of how official the README looks.</p>
]]></content:encoded>
		
			</item>
		<item>
		<title>
		Comment on DeepSeek Repositories Scam Spreads Malware by Kling AI Motion Control		</title>
		<link>https://firsthackersnews.com/fake-deepseek-malware-github/#comment-27629</link>

		<dc:creator><![CDATA[Kling AI Motion Control]]></dc:creator>
		<pubDate>Tue, 16 Jun 2026 11:27:22 +0000</pubDate>
		<guid isPermaLink="false">https://firsthackersnews.com/?p=11690#comment-27629</guid>

					<description><![CDATA[The IoC breakdown here is genuinely useful, especially the persistence chain via scheduled tasks and SSH keys — that pattern is easy to overlook in fast triage. Beyond hash matching, treating every cloned repo as untrusted until release artifacts are validated against vendor-published checksums or signed manifests remains the strongest baseline. Worth pushing that habit upstream too: typo-squatted handles and impersonator repos in monitoring feeds are usually caught earlier than post-download sandboxing ever will.]]></description>
			<content:encoded><![CDATA[<p>The IoC breakdown here is genuinely useful, especially the persistence chain via scheduled tasks and SSH keys — that pattern is easy to overlook in fast triage. Beyond hash matching, treating every cloned repo as untrusted until release artifacts are validated against vendor-published checksums or signed manifests remains the strongest baseline. Worth pushing that habit upstream too: typo-squatted handles and impersonator repos in monitoring feeds are usually caught earlier than post-download sandboxing ever will.</p>
]]></content:encoded>
		
			</item>
	</channel>
</rss>
