
Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

4 unique sources, 8 articles

Summary


A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts; Microsoft took it down after cybersecurity researchers reported it. The extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. It also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads.

Separately, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks, but insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access.

More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data such as API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks.

Moltbook, a self-styled social networking platform built for AI agents, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent; unauthenticated users could also edit existing posts, inject malicious content or prompt injection payloads, and deface the site.

SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1,493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore.

A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026; the compromised package was downloaded approximately 4,000 times over that stretch. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.

China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security risks stemming from the use of OpenClaw, an open-source and self-hosted autonomous AI agent. OpenClaw's inherently weak default security configurations and privileged access to the system could be exploited by bad actors to seize control of the endpoint. Prompt injections in OpenClaw can cause the agent to leak sensitive information if it is tricked into accessing and consuming malicious content; indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA) attacks can manipulate benign AI features like web page summarization or content analysis to run manipulated instructions. Researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration pathway when communicating with OpenClaw. OpenClaw may also inadvertently and irrevocably delete critical information due to its misinterpretation of user instructions. Threat actors can upload malicious skills to repositories like ClawHub that, when installed, run arbitrary commands or deploy malware, and attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise the system and leak sensitive data.

Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers. Threat actors have distributed malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks.

Timeline

  1. 14.03.2026 18:17 1 article · 23h ago

    Chinese authorities restrict OpenClaw usage due to security risks

    Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers in a bid to contain security risks. The ban is also said to extend to the families of military personnel. Threat actors have distributed malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks.

  2. 20.02.2026 00:33 3 articles · 23d ago

    Cline npm package supply chain attack installs OpenClaw

    The supply chain attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required. The compromised Cline package was downloaded approximately 4,000 times during the eight-hour stretch.

  3. 03.02.2026 12:00 2 articles · 1mo ago

    Moltbook database misconfiguration exposes user data

    A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. The platform had 17,000 human 'owners' registered, and humans could post content disguised as 'AI agents' via a basic POST request. The platform had no mechanism to verify whether an 'agent' was actually AI or just a human with a script.

  4. 02.02.2026 21:11 2 articles · 1mo ago

    Malicious OpenClaw skills push password-stealing malware

    More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data such as API keys, wallet private keys, SSH credentials, and browser passwords. The malware dropped on macOS systems is identified as a variant of NovaStealer that can bypass Gatekeeper and target various sensitive data. Koi Security found 341 malicious skills on ClawHub, attributing them to a single campaign, and also identified 29 typosquats of the ClawHub name. The creator of OpenClaw, Peter Steinberger, admitted the inability to review the massive number of skill submissions, advising users to double-check the safety of skills before deployment. Users are advised to isolate the AI assistant in a virtual machine, give it restricted permissions, and secure remote access to it. Threat actors can upload malicious skills to repositories like ClawHub that, when installed, run arbitrary commands or deploy malware.

  5. 28.01.2026 22:26 4 articles · 1mo ago

    Supply-chain attack via Moltbot Skill demonstrated

    A supply-chain attack against Moltbot users was demonstrated via a Skill that contained a minimal 'ping' payload. The developer published the skill on the official MoltHub (ClawdHub) registry and inflated its download count, making it the most popular asset. In less than eight hours, 16 developers in seven countries downloaded the artificially promoted skill. Additionally, a supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised package was downloaded approximately 4,000 times before being deprecated. Researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration pathway when communicating with OpenClaw by means of an indirect prompt injection.

  6. 28.01.2026 19:46 5 articles · 1mo ago

    Malicious Moltbot AI Coding Assistant Extension Discovered and Removed

    SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1,493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks; most exposed instances are located in China, the US, and Singapore. China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security risks stemming from the use of OpenClaw, an open-source and self-hosted autonomous AI agent. OpenClaw's inherently weak default security configurations and privileged access to the system could be exploited by bad actors to seize control of the endpoint. Prompt injections in OpenClaw can cause the agent to leak sensitive information if it is tricked into accessing and consuming malicious content. Indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA) attacks can manipulate benign AI features like web page summarization or content analysis to run manipulated instructions.


Similar Happenings

ClawJacked Flaw in OpenClaw Enables Local AI Agent Hijacking via WebSocket

A high-severity vulnerability in OpenClaw, codenamed ClawJacked, allows malicious websites to hijack locally running AI agents through WebSocket connections. The flaw exploits missing rate-limiting and auto-approval of trusted devices, enabling attackers to take control of the AI agent. OpenClaw has released a fix in version 2026.2.25, urging users to update immediately and enforce strict governance controls. The vulnerability is caused by the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface, allowing attackers to brute-force the management password and gain admin-level permissions. Once authenticated, attackers can interact directly with the AI platform, dumping and stealing credentials, listing connected nodes, and reading application logs. The fix tightens WebSocket security checks and adds additional protections to prevent attackers from abusing localhost loopback connections.

PromptSpy Android Malware Uses Gemini AI for Persistence

PromptSpy, an advanced Android malware, uses Google's Gemini AI to maintain persistence by pinning itself in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a hard-coded C2 server and is distributed via a dedicated website targeting users in Argentina. PromptSpy is the first known Android malware to use generative AI in its execution flow, sending screen data to Gemini to receive instructions for maintaining persistence. The malware is an advanced version of VNCSpy and is likely financially motivated. PromptSpy was first found in February 2026, with initial samples uploaded to VirusTotal from Hong Kong and Argentina. ESET has not observed the malware in its telemetry, suggesting it may be a proof-of-concept. ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor. PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim's screen and take full control of the Android device. The malware saves both its previous prompts and Gemini's responses, allowing Gemini to retain context and coordinate multistep interactions.

Six New OpenClaw Vulnerabilities Patched

OpenClaw has patched six new vulnerabilities in its agentic AI assistant, including server-side request forgery (SSRF), missing authentication, and path traversal bugs. The vulnerabilities range from moderate to high severity, with some lacking CVE IDs. The flaws affect various components, including the Gateway tool, Telnyx webhook authentication, and browser upload functionality. Endor Labs highlighted the importance of data flow analysis and defense-in-depth validation for AI agent infrastructure. The research also revealed ongoing security concerns, such as misconfigured instances exposed to the public internet and the risk of indirect prompt injection. One additional vulnerability remains unpatched, and major security concerns persist over OpenClaw's undocumented enterprise use.

AI Assistants Abused as Command-and-Control Proxies

Researchers have demonstrated that AI assistants like Microsoft Copilot and xAI Grok can be exploited as command-and-control (C2) proxies. This technique leverages the AI's web-browsing capabilities to create a bidirectional communication channel for malware operations, enabling attackers to blend into legitimate enterprise communications and evade detection. The method, codenamed AI as a C2 proxy, allows attackers to generate reconnaissance workflows, script actions, and dynamically decide the next steps during an intrusion. The attack requires prior compromise of a machine and installation of malware, which then uses the AI assistant as a C2 channel through specially crafted prompts. This approach bypasses traditional defenses like API key revocation or account suspension. According to new findings from Check Point Research (CPR), platforms including Grok and Microsoft Copilot can be manipulated through their public web interfaces to fetch attacker-controlled URLs and return responses. The AI service acts as a proxy, relaying commands to infected machines and sending stolen data back out, without requiring an API key or even a registered account. The method relies on AI assistants that support URL fetching and content summarization, allowing attackers to tunnel encoded data through query parameters and receive embedded commands in the AI's reply. Malware can interact with the AI interface invisibly using a WebView2 browser component inside a C++ program. The research also outlined a broader trend: malware that integrates AI into its runtime decision-making, sending host information to a model and receiving guidance on actions to prioritize.

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.