
OpenClaw configuration environment leak exposing gateway token and pairing keys

Data Leak
Happening score: 26
2 unique sources, 2 articles

Summary


The OpenClaw configuration environment was exfiltrated by an information stealer, creating remote access and impersonation risk for the affected AI agent instance. The stolen material included openclaw.json, device.json, and soul.md. Those files held a gateway token, pairing keys, and operational context that could let an attacker act as the client if the service port is exposed. The case shows stealer malware harvesting AI-agent identity and control data, not just browser credentials.

Related Happenings

OpenClaw/OpenShell managed sandbox backend Claw Chain (multiple vulnerabilities)

Vulnerability
First: 15.05.2026 16:35 Last: 15.05.2026 16:35 Sources 1

About this happening: Researchers disclosed **four OpenClaw flaws** in the **OpenShell managed sandbox backend** that can be chained for **data theft**, **privilege escalation**, and **persistence**. T...

OpenAI hit by cyberattack

Incident
First: 14.05.2026 22:07 Last: 14.05.2026 22:07 Sources 1

About this happening: OpenAI confirmed **two employees' devices** were breached, giving attackers access to a limited set of internal source code repositories and forcing a precautionary rotation of **...

Lumma Stealer infection of a Context.ai employee

Malware Activity
First: 23.04.2026 11:40 Last: 23.04.2026 11:40 Sources 1

About this happening: A **Context.ai** employee was infected with **Lumma Stealer** in **February 2026**, giving attackers a likely foothold that may have seeded the wider compromise chain affecting **...

GhostLoader RAT-stealer via @openclaw-ai/openclawai

Malware Activity
First: 09.03.2026 20:31 Last: 09.03.2026 20:31 Sources 1

About this happening: A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...

Cline AI coding assistant hit by network compromise

Incident
First: 09.03.2026 01:35 Last: 09.03.2026 01:35 Sources 1

About this happening: The **Cline** coding assistant suffered a **supply-chain compromise** that installed a rogue **OpenClaw** instance on **thousands of systems**, creating unauthorized **full system...

Timeline

  1. 17.02.2026 11:35 · 2 articles · 3mo ago

    OpenClaw user secrets exposure documented by Hudson Rock

    Initial Disclosure

    Hudson Rock documented an OpenClaw user secrets exposure in which an infostealer used a broad file-grabbing routine to sweep sensitive file extensions and .openclaw directories, then collected openclaw.json, device.json, and memory files such as agents.md and memory.md. The stolen data exposed the victim’s email address, workspace path, gateway token, and device private keys, creating a path to remote access, impersonation, and broader compromise of the user’s digital identity.

  2. 16.02.2026 20:43 · 1 article · 3mo ago

    Hudson Rock discloses OpenClaw configuration exfiltration and token theft

    Initial Disclosure

    Hudson Rock disclosed an information stealer infection, likely a Vidar variant, that exfiltrated a victim's OpenClaw configuration environment and captured openclaw.json, device.json, and soul.md. The stolen gateway authentication token and pairing keys could enable remote connection to the affected OpenClaw instance if the port is exposed or allow authenticated impersonation of the client, while OpenClaw maintainers responded by announcing a VirusTotal partnership to scan ClawHub uploads, establish a threat model, and audit for misconfigurations.
