OpenClaw AI assistant users targeted: 341 malicious "skills" in official marketplace deploy password-stealing malware in a major supply chain attack.

Continue reading
A massive, coordinated software supply chain attack has compromised the very heart of the OpenClaw AI assistant ecosystem. Dubbed "ClawHavoc," the campaign flooded the platform's official "ClawHub" skill registry with 341 malicious plugins, using sophisticated social engineering to infect thousands of users with information-stealing malware. The discovery reveals an attack of unprecedented scale against a rapidly growing open-source AI tool, underscoring critical security gaps in emerging AI agent platforms.
The attack unfolded rapidly over a single week, exploiting the open and lightly moderated nature of the ClawHub marketplace.
| Date | Event |
|---|---|
| Jan 27 - 29, 2026 | Initial wave of at least 14 malicious "skills" uploaded to ClawHub. |
| Jan 27 - Feb 1, 2026 | Second, larger wave published, bringing the total to over 230 malicious packages across ClawHub and GitHub. |
| Feb 1 - 2, 2026 | Koi Security completes a full audit of all 2,857 skills on ClawHub, identifying 341 malicious entries—335 of which belong to the single ClawHavoc campaign. |
| Feb 2 - 3, 2026 | Widespread reporting by security firms and community researchers. OpenClaw creator introduces a user-reporting feature in response. |
The attackers meticulously crafted their malicious skills to appear as legitimate, high-demand utilities. Each skill contained professional-looking documentation with a critical "Prerequisites" section instructing users to install a tool called "AuthTool".
Following these instructions triggered the malware delivery, a method researchers compare to a "ClickFix"-type attack. The final payload for macOS is identified as Atomic macOS Stealer (AMOS), a commodity malware sold for $500–$1,000 per month on Telegram channels.
Once installed, the AMOS stealer is configured to exfiltrate a vast array of sensitive data, posing a severe risk to both personal and professional users. The malware's capabilities include:
| Data Type | Specific Targets |
|---|---|
| Financial & Crypto Assets | Cryptocurrency exchange API keys, wallet files (e.g., `wallet.dat`), seed phrases, and data from over 60 supported browser wallet extensions like MetaMask. |
| System & Developer Credentials | The entire macOS Keychain, SSH private keys and shell history, cloud service credentials (AWS, Google Cloud, Azure), and Git credentials. |
| Web Data & Communications | Saved passwords, cookies, and browser profiles from all major browsers (Chrome, Firefox, Safari, Edge), as well as Telegram session data. |
The ClawHavoc campaign displayed a high degree of organization and employed multiple evasion tactics:
This incident is not an isolated flaw but a symptom of systemic issues within the OpenClaw project, which has been described as a "security dumpster fire" by Laurie Voss, head of developer relations at Arize and former CTO of npm.
Security experts unanimously recommend a zero-trust approach toward AI agent extensions:
The ClawHavoc campaign is a watershed moment, demonstrating that AI agent ecosystems have become high-priority targets for sophisticated supply chain attacks.
The combination of deep system access, persistent memory, and untrusted third-party code creates a "lethal trifecta" of risk, as highlighted by Palo Alto Networks researchers.
As AI assistants evolve from novelties into integral parts of personal and business workflows, the industry must develop robust security frameworks—including code signing, automated registry scanning, and user education—to prevent extensibility from becoming its greatest vulnerability.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.
| Documents & Configuration Files |
| Files from user directories (Desktop, Documents) and sensitive `.env` files used by developers to store application secrets. |