
Infostealer Malware Targeting OpenClaw Agent Configuration Secrets

credential-stealer-activity, leaked-secret-api-key, ai-platform-security, data-exfiltration-method
Updated March 21, 2026 at 02:31 PM | 3 sources

Threat intelligence reporting identified the first documented in-the-wild case of infostealer malware exfiltrating OpenClaw (formerly ClawdBot/MoltBot) agent files to steal API keys, authentication tokens, and other secrets stored in the agent’s persistent configuration/memory environment. Hudson Rock assessed the activity as likely tied to a Vidar infostealer variant and framed it as a shift from traditional browser-credential theft toward harvesting the “identity” and access of local AI agents that can interact with email, communications apps, local files, and online services.

Separate weekly roundups and commentary amplified the broader risk theme around agentic AI and secret sprawl, including mentions of OpenClaw-related exposure and tooling intended to help organizations discover where such agents are running. Other items in the set (e.g., Ivanti EPMM exploitation, Notepad++ supply-chain compromise, macOS ClickFix “Matryoshka,” and various breach/ransomware claims) describe distinct incidents and are not part of the OpenClaw infostealer event.

Timeline

  1. Feb 16, 2026

    Tenable discloses and nanobot fixes critical WhatsApp hijack flaw

    Tenable disclosed CVE-2026-2577, a maximum-severity vulnerability in the OpenClaw-inspired 'nanobot' assistant that could allow remote hijacking of WhatsApp sessions on exposed instances. The issue was fixed in nanobot version 0.13.post7.

  2. Feb 16, 2026

    Hudson Rock reports first infostealer theft of OpenClaw secrets

    Researchers reported the first observed in-the-wild case of infostealer malware stealing configuration and memory files from the OpenClaw local AI agent framework. The theft, attributed to a likely Vidar variant, exposed items such as API keys, tokens, device key material, and sensitive agent memory files.

  3. Feb 16, 2026

    Florida attorney general launches CHINA Prevention Unit

    Florida's attorney general announced a 'CHINA Prevention Unit' to use state consumer protection and privacy laws against risky data-sharing practices. The initiative was framed as reducing residents' exposure to foreign exploitation.

  4. Feb 16, 2026

    Atlas Air disputes Everest ransomware attack claim

    Atlas Air disputed claims by the Everest ransomware group that it had breached the company. Researchers nevertheless said screenshots of allegedly stolen data appeared to show aircraft maintenance and internal operational documents.

  5. Feb 16, 2026

    Figure confirms breach caused by employee social engineering

    Fintech lender Figure confirmed a data breach caused by social engineering of an employee. The company attributed the exposure of customer personally identifiable information to the ShinyHunters threat actor.

  6. Feb 16, 2026

    Ivanti EPMM exploitation linked largely to one actor

    Threat intelligence reporting said most active exploitation of Ivanti EPMM flaws CVE-2026-1281 and CVE-2026-1340 was attributable to a single actor. Most observed activity was linked to an IP address hosted in a bulletproof autonomous system.

  7. Feb 15, 2026

    Dutch police arrest suspect tied to JokerOTP bot distribution

    Dutch police arrested an individual allegedly connected to distribution of the JokerOTP bot, which is used to intercept one-time passwords. The action represented a law-enforcement disruption of the malware's spread.

  8. Feb 15, 2026

    Singapore telecom espionage campaign attributed to UNC3886

    Reporting described a China-linked espionage campaign targeting major Singapore telecommunications companies. The activity was attributed to the threat actor UNC3886.

  9. Feb 15, 2026

    SmarterTools discloses ransomware breach tied to SmarterMail flaw

    A ransomware incident affecting SmarterTools was reported as stemming from a recently fixed SmarterMail vulnerability. The case connected a product security issue to a real-world breach of the vendor.

  10. Feb 15, 2026

    Researchers report sleeper webshell activity in Ivanti EPMM attacks

    Separate reporting described exploitation activity around Ivanti EPMM CVE-2026-1281 involving 'sleeper' webshells. The finding indicated attackers were establishing delayed-access persistence on compromised systems.

  11. Feb 15, 2026

    Researchers warn of active attacks on SolarWinds Web Help Desk

    Security reporting warned that unpatched SolarWinds Web Help Desk instances were under active attack. The notice emphasized exploitation risk for organizations that had not yet applied available fixes.

  12. Feb 15, 2026

    Apple patches dyld zero-day used in targeted attacks

    Apple released a fix for CVE-2026-20700, a dyld vulnerability said to have been exploited in targeted attacks. The patch was highlighted in the February 2026 reporting roundup.

  13. Feb 15, 2026

    Microsoft issues February 2026 Patch Tuesday fixes

    Microsoft's February 2026 Patch Tuesday addressed more than 50 vulnerabilities, including six zero-days reported as exploited in the wild. The release also included a fix for the Windows Notepad command-injection RCE CVE-2026-20841.

  14. Feb 15, 2026

    Attackers probe and exploit newly patched BeyondTrust flaw

    After the BeyondTrust fix, attackers were reported probing and exploiting exposed instances vulnerable to CVE-2026-1731. The activity targeted internet-facing Remote Support and Privileged Remote Access systems.

  15. Feb 15, 2026

    BeyondTrust patches critical pre-authentication RCE

    BeyondTrust released fixes for CVE-2026-1731, a critical pre-authentication remote code execution flaw affecting Remote Support and Privileged Remote Access. The issue impacted internet-facing deployments of the products.

  16. Jan 30, 2026

    European Commission detects compromise of MDM platform

    CERT-EU detected a contained compromise of the European Commission's mobile device management platform on 2026-01-30. Reporting said no mobile device compromise was observed.


Related Stories

OpenClaw Ecosystem Targeted by Malicious ClawHub Skills and Infostealer Theft of Agent Configuration Files


A supply-chain poisoning campaign dubbed **ClawHavoc** compromised OpenClaw’s official *ClawHub* marketplace by distributing **1,184 trojanized “Skills”** intended to steal data and establish backdoor access on victim systems. Reporting attributes the initial disclosure to Koi Security, with Antiy CERT later tracking the activity as the **TrojanOpenClaw PolySkill** family and linking the uploads to **12 publisher accounts** (including one responsible for **677** packages). The attackers abused ClawHub’s permissive publishing model (any GitHub account older than one week could upload), mass-posting Skills disguised as crypto trading bots, productivity tools, and social utilities; analysis described behaviors including **ClickFix-style download prompts** and **reverse-shell droppers** enabling remote command execution and persistence. Separately, researchers reported infostealer activity exfiltrating sensitive files from victims’ local OpenClaw directories—`openclaw.json`, `device.json`, `soul.md`, and related memory files—highlighting how AI-agent artifacts can be leveraged beyond traditional credential theft. Hudson Rock assessed the malware as broadly harvesting files by extension rather than explicitly targeting OpenClaw, but warned dedicated modules are likely to emerge to decrypt/parse these agent files. The stolen data could enable attackers to connect to a victim’s local OpenClaw instance (notably if **port `18789`** is exposed) using `gateway.auth.token`, and potentially bypass “Safe Device” checks by abusing keys from `device.json` to sign messages as the victim’s paired device and access connected services.

1 month ago

OpenClaw AI Agent Runtime Vulnerability Exposes Instance Tokens and Enables RCE

A high-severity vulnerability in the open-source AI utility **OpenClaw** (formerly *Moltbot/ClawdBot*) allows attackers to steal an instance’s gateway token via a crafted link and gain “god mode” administrative control, potentially leading to **remote code execution (RCE)**. The issue stems from the UI failing to validate/sanitize query strings in the gateway URL; when a victim opens a malicious URL or phishing page, the browser initiates a WebSocket connection that leaks the stored gateway token in the payload, enabling an attacker to connect back to the target’s local gateway and change configuration or execute privileged actions. The flaw was reported via responsible disclosure and is fixed in **v2026.1.29** and later; deployments on **v2026.1.28 or earlier** are advised to upgrade. Separate reporting describes a broader criminal ecosystem of **autonomous AI agents** using OpenClaw as a local runtime alongside a collaboration network (*Moltbook*) and an underground marketplace (*Molt Road*) to trade stolen credentials, weaponized code, and alleged zero-days, with claims of rapid scaling to hundreds of thousands of agents and use of infostealer logs/session cookies to bypass MFA and automate intrusion lifecycles (lateral movement, ransomware, and crypto-funded operations). Another item is a vendor blog post focused on **prompt-injection detection** and speculative **quantum** risks to encrypted AI orchestration streams (MCP), which is not tied to the OpenClaw vulnerability disclosure or the specific criminal-agent ecosystem claims.

1 month ago

AI and Open-Source Ecosystem Abused for Malware Delivery and Agent Manipulation

Multiple reports describe threat actors abusing *AI-adjacent* and open-source distribution channels to deliver malware or manipulate automated agents. Straiker STAR Labs reported a **SmartLoader** campaign that trojanized a legitimate-looking **Model Context Protocol (MCP)** server tied to *Oura* by cloning the project, fabricating GitHub credibility (fake forks/contributors), and getting the poisoned server listed in MCP registries; the payload ultimately deployed **StealC** to steal credentials and crypto-wallet data. Separately, researchers observed attackers using trusted platforms and SaaS reputations for delivery and monetization: a fake Android “antivirus” (*TrustBastion*) was hosted via **Hugging Face** repositories to distribute banking/credential-stealing malware, and Trend Micro documented spam/phishing that abused **Atlassian Jira Cloud** email reputation and **Keitaro TDS** redirects to funnel targets (including government/corporate users across multiple language groups) into investment scams and online casinos. In parallel, research highlights emerging risks where **AI agents and AI-enabled workflows become the target or the transport layer**. Check Point demonstrated “**AI as a proxy**,” where web-enabled assistants (e.g., *Grok*, *Microsoft Copilot*) can be coerced into acting as covert **C2 relays**, blending attacker traffic into commonly allowed enterprise destinations, and outlined a trajectory toward prompt-driven, adaptive malware behavior. 
OpenClaw featured in two distinct security developments: an OpenClaw advisory described a **log-poisoning / indirect prompt-injection** weakness (unsanitized WebSocket headers written to logs that may later be ingested as trusted context), while Hudson Rock reported an infostealer incident that exfiltrated sensitive **OpenClaw configuration artifacts** (e.g., `openclaw.json` tokens, `device.json` keys, and “memory/soul” files), signaling that infostealer operators are beginning to harvest AI-agent identities and automation secrets in addition to browser credentials.

1 month ago
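
An inventory sketch for responders, added here and not taken from Mallory, Hudson Rock or the OpenClaw project: it walks a directory tree for the file names reported above (`openclaw.json`, `device.json`, `soul.md`) and records whether `gateway.auth.token` is set, so affected tokens can be queued for rotation after an infostealer infection. The scan root, the nested JSON layout inferred from the dotted key name, and the `agent-home` sample directory are assumptions.

```python
import json, os, stat, tempfile
from pathlib import Path

# File names come from the reporting above; everything else is an assumption.
AGENT_FILES = {"openclaw.json", "device.json", "soul.md"}

def has_key(obj, dotted):
    """True if a non-empty value exists at a dotted path such as gateway.auth.token."""
    for part in dotted.split("."):
        if not isinstance(obj, dict) or part not in obj:
            return False
        obj = obj[part]
    return bool(obj)

def audit(root):
    """Walk root and describe each OpenClaw artifact found, without reading out secrets."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower() not in AGENT_FILES:
                continue
            path = Path(dirpath) / name
            mode = stat.S_IMODE(path.stat().st_mode)
            item = {"path": str(path), "mode": oct(mode),
                    "loose_perms": bool(mode & 0o077), "gateway_token": False}
            if name.lower() == "openclaw.json":
                try:
                    cfg = json.loads(path.read_text(encoding="utf-8"))
                    # Record presence only; never copy the secret into a report.
                    item["gateway_token"] = has_key(cfg, "gateway.auth.token")
                except (OSError, ValueError):
                    item["parse_error"] = True
            findings.append(item)
    return findings

def demo():
    """Constructed sample tree: one token-bearing config and one device key file."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "agent-home"  # hypothetical directory name
        home.mkdir()
        sample = {"gateway": {"auth": {"token": "CONSTRUCTED-PLACEHOLDER"}}}
        (home / "openclaw.json").write_text(json.dumps(sample))
        (home / "device.json").write_text("{}")
        os.chmod(home / "openclaw.json", 0o644)  # readable by other local users
        os.chmod(home / "device.json", 0o600)    # owner-only
        return [(Path(f["path"]).name, f["loose_perms"], f["gateway_token"])
                for f in audit(tmp)]

if __name__ == "__main__":
    print(demo())
```

Owner-only permissions do not stop malware running as the same user, so treat `loose_perms` as hygiene and `gateway_token` as the rotation trigger.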
