
OpenClaw-targeting infostealer file-grabbing activity

Malware Activity
Happening score: 21
1 unique source, 1 article

Summary


The infostealer’s first live attack against OpenClaw matters because it used a broad file-grabbing routine to collect secrets, tokens, keys, and assistant context from local instances. The malware pulled openclaw.json and device.json, exposing the victim’s email address, workspace path, and gateway token. It also captured pairing keys and memory files that could enable remote access, impersonation, and deeper compromise of the user’s AI environment.

Related Happenings

OpenClaw/OpenShell managed sandbox backend Claw Chain (multiple vulnerabilities)

Vulnerability
First: 15.05.2026 16:35 · Last: 15.05.2026 16:35 · Sources: 1

About this happening: Researchers disclosed **four OpenClaw flaws** in the **OpenShell managed sandbox backend** that can be chained for **data theft**, **privilege escalation**, and **persistence**. T...

GhostLoader RAT-stealer via @openclaw-ai/openclawai

Malware Activity
First: 09.03.2026 20:31 · Last: 09.03.2026 20:31 · Sources: 1

About this happening: A malicious **@openclaw-ai/openclawai** npm package is delivering **GhostLoader** to **macOS** hosts, enabling **credential theft**, **browser-session cloning**, and persistent re...

OpenClaw ClawJacked localhost WebSocket brute-force security flaw

Vulnerability
First: 01.03.2026 23:44 · Last: 01.03.2026 23:44 · Sources: 1

About this happening: **OpenClaw**’s **ClawJacked** vulnerability allowed a **malicious website** to brute-force a **localhost WebSocket** connection and take control of a local instance, putting **ses...

ClawHub malicious skills deliver Atomic Stealer

Malware Activity
First: 28.02.2026 19:21 · Last: 28.02.2026 19:21 · Sources: 1

About this happening: Researchers found **malicious skills** on **ClawHub** delivering a **new Atomic Stealer variant** to **macOS** users, turning the OpenClaw skills marketplace into a malware delive...

OpenClaw configuration environment leak exposing gateway token and pairing keys

Data Leak
First: 16.02.2026 20:43 · Last: 16.02.2026 20:43 · Sources: 1

How related: the device.json file, which contains the publicKeyPem and privateKeyPem of the user’s device.

About this happening: The **OpenClaw** configuration environment was exfiltrated by an information stealer, creating **remote access** and **impersonation** risk for the affected AI agent instance. The...

Latest development: 17.02.2026 11:35

Hudson Rock documented an OpenClaw user secrets exposure in which an infostealer used a broad file-grabbing routine to sweep sensitive file extensions and .openclaw directories, then collected openclaw.json, device.json, and memory files such as agents.md and memory.md. The stolen data exposed the victim’s email address, workspace path, gateway token, and device private keys, creating a path to remote access, impersonation, and broader compromise of the user’s digital identity.

Timeline

  1. 17.02.2026 11:35 · 2 articles · 3mo ago

    First live OpenClaw infostealer attack disclosure

    Initial Disclosure

    Hudson Rock reported that researchers witnessed the first live attack targeting an OpenClaw configuration environment and said an infostealer used a broad file-grabbing routine to sweep for sensitive file extensions and directories such as .openclaw. The analysis said the malware collected openclaw.json, device.json, soul.md, agents.md, and memory.md from a user’s local OpenClaw instance, exposing the victim’s email address, workspace path, gateway token, and device private keys, with potential for remote access, impersonation, and compromise of paired cloud services.
