341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

3 unique sources, 4 articles

Summary

A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware that highlights the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks.

New findings reveal that almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets such as exchange API keys, wallet private keys, SSH credentials, and browser passwords.

Additionally, fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results. The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to convert users' machines into proxy nodes.

Timeline

  1. 06.03.2026 00:37 1 article · 23h ago

    Bing AI promoted fake OpenClaw GitHub repo pushing info-stealing malware

    Fake OpenClaw installers hosted on GitHub and promoted by Bing AI instructed users to run commands that deployed information stealers and proxy malware. Threat actors set up malicious GitHub repositories posing as OpenClaw installers, which were recommended by Bing in its AI-powered search results. The malicious repositories contained shell scripts paired with Mach-O executables identified as Atomic Stealer malware for macOS users. For Windows users, the threat actor delivered OpenClaw_x64.exe, which deployed multiple malicious executables, including Rust-based malware loaders and Vidar stealer. Another Windows executable delivered was the GhostSocks backconnect proxy malware, designed to convert users' machines into proxy nodes.

  2. 03.02.2026 18:30 3 articles · 1mo ago

    386 Malicious Skills Discovered Targeting Cryptocurrency Traders

    The article highlights various security concerns and vulnerabilities associated with OpenClaw, including zero-click attacks, indirect prompt injections, and misconfigured instances. The Chinese Ministry of Industry and Information Technology has issued an alert about misconfigured OpenClaw instances, urging users to implement protections against cyber attacks and data breaches.

  3. 02.02.2026 19:49 4 articles · 1mo ago

    341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer

    OpenClaw has partnered with VirusTotal to scan skills uploaded to ClawHub using VirusTotal's threat intelligence and Code Insight capability. Skills with a 'benign' Code Insight verdict are automatically approved by ClawHub, while those marked suspicious are flagged with a warning. Any skill deemed malicious is blocked from download, and all active skills are re-scanned daily. OpenClaw acknowledges that VirusTotal scanning is not a silver bullet and some malicious skills may still slip through. OpenClaw plans to publish a comprehensive threat model, public security roadmap, formal security reporting process, and details about the security audit of its entire codebase.


Similar Happenings

ClawJacked Flaw in OpenClaw Enables Local AI Agent Hijacking via WebSocket

A high-severity vulnerability in OpenClaw, codenamed ClawJacked, allows malicious websites to hijack locally running AI agents through WebSocket connections. The flaw exploits missing rate-limiting and auto-approval of trusted devices, enabling attackers to take control of the AI agent. OpenClaw has released a fix in version 2026.2.25, urging users to update immediately and enforce strict governance controls. The vulnerability is caused by the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface, allowing attackers to brute-force the management password and gain admin-level permissions. Once authenticated, attackers can interact directly with the AI platform, dumping and stealing credentials, listing connected nodes, and reading application logs. The fix tightens WebSocket security checks and adds additional protections to prevent attackers from abusing localhost loopback connections.

Infostealer Malware Targets OpenClaw Configuration Files

Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

OpenClaw Security Concerns and AI Agent Exploits

OpenClaw, an AI agent platform, faces significant security concerns as attackers exploit its ecosystem. Malicious skills on ClawHub, a public skills registry, have been discovered, and threat actors are discussing the deployment of OpenClaw skills for botnet operations. The number of malicious packages on npm and PyPI with the name 'claw' has surged, providing new avenues for threat actors. Additionally, attackers are actively scanning exposed OpenClaw gateways, attempting prompt injection and command execution. These developments highlight the risks associated with AI agents' broad permissions and unsupervised deployment.

OpenClaw AI Agent Security Concerns in Business Environments

OpenClaw, an open-source AI agent formerly known as MoltBot and ClawdBot, has rapidly gained popularity on GitHub, raising significant security concerns due to its extensive access to user systems and data. The AI agent can execute commands, manage files, and interact with various platforms, posing risks such as prompt injection and unauthorized access. Despite its growth, security experts warn about the dangers of integrating such AI agents into corporate environments without proper safeguards. The project has seen a 14-fold increase in adoption within a week, with over 113,000 stars on GitHub. However, its rapid development and extensive access capabilities have led to concerns about potential data breaches and supply chain risks. Experts emphasize the need for better security practices to mitigate these risks.

Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace

A malicious Microsoft Visual Studio Code (VS Code) extension named "ClawdBot Agent - AI Coding Assistant" was discovered on the official Extension Marketplace. The extension, which posed as a free AI coding assistant, stealthily dropped a malicious payload on compromised hosts. The extension was taken down by Microsoft after being reported by cybersecurity researchers. The malicious extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access to compromised hosts. The extension also incorporated multiple fallback mechanisms to ensure payload delivery, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads.

Additionally, security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials. Moltbot, an open-source personal AI assistant, can run 24/7 locally, maintaining a persistent memory and executing scheduled tasks. However, insecure deployments can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution. Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration, allowing unauthenticated access and root-level system access.

More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks.

A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site.

SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, with most exposures located in China, the US, and Singapore.

A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch. OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers. The attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to address the issue and mitigate the unauthorized publication, and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.