Malicious OpenClaw AI Coding Assistant Extension on VS Code Marketplace
Summary
A malicious GitHub campaign, tracked as **"TroyDen's Lure Factory"**, is distributing over **300 Trojanized packages**, including a fake **OpenClaw Docker deployer**, to deliver a LuaJIT-based data-stealing Trojan. The campaign targets developers, gamers, and the general public with lures ranging from AI tools to game cheats, exploiting automated analysis gaps by splitting the payload into two components—a renamed Lua runtime and an encrypted script—that evade detection when analyzed separately. Once executed, the Trojan captures screenshots, performs geolocation, and exfiltrates credentials to a Frankfurt-based C2 server, with a **29,000-year sleep delay** to defeat sandboxes. GitHub was notified on **March 20, 2026**, but at least two lure repositories remain active. This follows a pattern of **supply-chain and social engineering attacks** leveraging OpenClaw’s popularity, including prior incidents like the **Cline npm compromise** (February 2026), **malicious ClawHub skills** pushing info-stealers, and **exposed OpenClaw instances** (40,000+ vulnerable deployments globally). Chinese authorities have restricted OpenClaw usage in state-run enterprises due to its **privileged system access and prompt injection risks**, while threat actors continue to distribute **fake installers** (e.g., Atomic Stealer, Vidar, GhostSocks proxy malware). Users are urged to **verify repository authenticity, isolate AI tools, and audit environments** for unexpected OpenClaw installations.
Timeline
- 14.03.2026 18:17 · 1 article
  Chinese authorities restrict OpenClaw usage due to security risks
  Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers in a bid to contain security risks. The ban is also said to extend to the families of military personnel. Threat actors have distributed malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks.
  Sources:
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- 20.02.2026 00:33 · 3 articles
  Cline npm package supply chain attack installs OpenClaw
  The supply chain attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026. The attack did not impact Cline's Visual Studio Code (VS Code) extension and JetBrains plugin. Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token. Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise. Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required. The compromised Cline package was downloaded approximately 4,000 times during the eight-hour stretch.
  Sources:
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- 03.02.2026 12:00 · 2 articles
  Moltbook database misconfiguration exposes user data
  A self-styled social networking platform built for AI agents, Moltbook, contained a misconfigured database that allowed full read and write access to all data. The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database. Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents. The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent. Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site. The platform had 17,000 human 'owners' registered, and humans could post content disguised as 'AI agents' via a basic POST request. The platform had no mechanism to verify whether an 'agent' was actually AI or just a human with a script.
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- 02.02.2026 21:11 · 2 articles
  Malicious OpenClaw skills push password-stealing malware
  More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub. These malicious skills impersonate legitimate utilities and inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords. The malware dropped on macOS systems is identified as a variant of NovaStealer that can bypass Gatekeeper and target various sensitive data. Koi Security found 341 malicious skills on ClawHub, attributing them to a single campaign, and also identified 29 typosquats for the ClawHub name. The creator of OpenClaw, Peter Steinberger, admitted the inability to review the massive number of skill submissions, advising users to double-check the safety of skills before deployment. Users are recommended to isolate the AI assistant in a virtual machine, give it restricted permissions, and secure remote access to it. Threat actors can upload malicious skills to repositories like ClawHub that, when installed, run arbitrary commands or deploy malware.
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- 28.01.2026 22:26 · 4 articles
  Supply-chain attack via Moltbot Skill demonstrated
  A supply-chain attack against Moltbot users was demonstrated via a Skill that contained a minimal 'ping' payload. The developer published the skill on the official MoltHub (ClawdHub) registry and inflated its download count, making it the most popular asset. In less than eight hours, 16 developers in seven countries downloaded the artificially promoted skill. Additionally, a supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems, exploiting a prompt injection vulnerability in Cline's Claude Issue Triage workflow. The compromised package was downloaded approximately 4,000 times before being deprecated. Researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration pathway when communicating with OpenClaw by means of an indirect prompt injection.
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- 28.01.2026 19:46 · 5 articles
  Malicious Moltbot AI Coding Assistant Extension Discovered and Removed
  SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses. 63% of observed deployments are vulnerable, with 12,812 instances exploitable via remote code execution (RCE) attacks. SecurityScorecard correlated 549 instances with prior breach activity and 1,493 with known vulnerabilities. Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available. OpenClaw instances are at risk of indirect prompt injection and API key leaks, primarily located in China, the US, and Singapore. China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security risks stemming from the use of OpenClaw, an open-source and self-hosted autonomous AI agent. OpenClaw's inherently weak default security configurations and privileged access to the system could be exploited by bad actors to seize control of the endpoint. Prompt injections in OpenClaw can cause the agent to leak sensitive information if tricked into accessing and consuming malicious content. Indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA) attacks can manipulate benign AI features like web page summarization or content analysis to run manipulated instructions.
  Sources:
  - Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware — thehackernews.com — 28.01.2026 19:46
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
Information Snippets
- The malicious extension "ClawdBot Agent - AI Coding Assistant" was published by a user named "clawdbot" on January 27, 2026.
  First reported: 28.01.2026 19:46 · 1 source, 2 articles
  Sources:
  - Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware — thehackernews.com — 28.01.2026 19:46
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The extension was taken down by Microsoft after being reported by cybersecurity researchers.
  First reported: 28.01.2026 19:46 · 1 source, 2 articles
  Sources:
  - Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware — thehackernews.com — 28.01.2026 19:46
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The extension executed a binary named "Code.exe" that deployed a legitimate remote desktop program, granting attackers persistent remote access.
  First reported: 28.01.2026 19:46 · 1 source, 2 articles
  Sources:
  - Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware — thehackernews.com — 28.01.2026 19:46
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The extension incorporated multiple fallback mechanisms, including retrieving a DLL from Dropbox and using hard-coded URLs to obtain the payloads.
  First reported: 28.01.2026 19:46 · 1 source, 2 articles
  Sources:
  - Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware — thehackernews.com — 28.01.2026 19:46
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Security researchers found hundreds of unauthenticated Moltbot instances online, exposing sensitive data and credentials.
  First reported: 28.01.2026 19:46 · 3 sources, 4 articles
  Sources:
  - Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware — thehackernews.com — 28.01.2026 19:46
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Users are advised to audit their configurations, revoke connected service integrations, and implement network controls to mitigate potential risks.
  First reported: 28.01.2026 19:46 · 2 sources, 3 articles
  Sources:
  - Fake Moltbot AI Coding Assistant on VS Code Marketplace Drops Malware — thehackernews.com — 28.01.2026 19:46
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Moltbot is an open-source personal AI assistant with deep system integration that can be hosted locally on user devices.
  First reported: 28.01.2026 22:26 · 2 sources, 3 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Moltbot can run 24/7 locally, maintaining a persistent memory, proactively reaching out to the user for alerts/reminders, and executing scheduled tasks.
  First reported: 28.01.2026 22:26 · 2 sources, 2 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Exposed admin interfaces of Moltbot can lead to sensitive data leaks, corporate data exposure, credential theft, and command execution.
  First reported: 28.01.2026 22:26 · 3 sources, 4 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Hundreds of Clawdbot Control admin interfaces are exposed online due to reverse proxy misconfiguration.
  First reported: 28.01.2026 22:26 · 3 sources, 4 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Moltbot deployments behind reverse proxies often treat all internet traffic as trusted, allowing unauthenticated access, credential theft, access to conversation history, command execution, and root-level system access.
  First reported: 28.01.2026 22:26 · 3 sources, 4 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- A supply-chain attack against Moltbot users was demonstrated via a Skill that contained a minimal 'ping' payload.
  First reported: 28.01.2026 22:26 · 4 sources, 4 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- 22% of Token Security's enterprise customers have employees actively using Moltbot, likely without IT approval.
  First reported: 28.01.2026 22:26 · 2 sources, 2 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Moltbot poses risks such as exposed gateways, API/OAuth tokens, plaintext storage credentials, corporate data leakage, and an extended prompt-injection attack surface.
  First reported: 28.01.2026 22:26 · 2 sources, 2 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- There is no sandboxing for the AI assistant by default, meaning the agent has the same complete access to data as the user.
  First reported: 28.01.2026 22:26 · 4 sources, 5 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Info-stealing malware like RedLine, Lumma, and Vidar will soon adapt to target Moltbot's local storage to steal sensitive data and account credentials.
  First reported: 28.01.2026 22:26 · 3 sources, 4 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- A separate case of a malicious VSCode extension impersonating Clawdbot was caught by Aikido researchers, installing ScreenConnect RAT on developers' machines.
  First reported: 28.01.2026 22:26 · 2 sources, 2 articles
  Sources:
  - Viral Moltbot AI assistant raises concerns over data security — www.bleepingcomputer.com — 28.01.2026 22:26
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- More than 230 malicious packages for OpenClaw (formerly Moltbot and ClawdBot) have been published in less than a week on the tool's official registry and on GitHub.
  First reported: 02.02.2026 21:11 · 3 sources, 3 articles
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- The malicious skills impersonate legitimate utilities such as cryptocurrency trading automation, financial utilities, and social media or content services.
  First reported: 02.02.2026 21:11 · 2 sources, 2 articles
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The skills inject information-stealing malware payloads onto users' systems, targeting sensitive data like API keys, wallet private keys, SSH credentials, and browser passwords.
  First reported: 02.02.2026 21:11 · 2 sources, 2 articles
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The malware dropped on macOS systems is identified as a variant of NovaStealer that can bypass Gatekeeper and target various sensitive data.
  First reported: 02.02.2026 21:11 · 2 sources, 2 articles
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Koi Security found 341 malicious skills on ClawHub, attributing them to a single campaign, and also identified 29 typosquats for the ClawHub name.
  First reported: 02.02.2026 21:11 · 2 sources, 2 articles
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The creator of OpenClaw, Peter Steinberger, admitted the inability to review the massive number of skill submissions, advising users to double-check the safety of skills before deployment.
  First reported: 02.02.2026 21:11 · 2 sources, 2 articles
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Users are recommended to isolate the AI assistant in a virtual machine, give it restricted permissions, and secure remote access to it.
  First reported: 02.02.2026 21:11 · 3 sources, 3 articles
  Sources:
  - Malicious MoltBot skills used to push password-stealing malware — www.bleepingcomputer.com — 02.02.2026 21:11
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Moltbook, a social networking platform for AI agents, contained a misconfigured database that allowed full read and write access to all data.
  First reported: 03.02.2026 12:00 · 2 sources, 2 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The exposure was due to a Supabase API key exposed in client-side JavaScript, granting unauthenticated access to the entire production database.
  First reported: 03.02.2026 12:00 · 2 sources, 2 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Researchers accessed 1.5 million API authentication tokens, 30,000 email addresses, and thousands of private messages between agents.
  First reported: 03.02.2026 12:00 · 2 sources, 2 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The API key exposure allowed attackers to impersonate any agent on the platform, post content, send messages, and interact as that agent.
  First reported: 03.02.2026 12:00 · 2 sources, 2 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Unauthenticated users could edit existing posts, inject malicious content or prompt injection payloads, and deface the site.
  First reported: 03.02.2026 12:00 · 2 sources, 2 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The platform had 17,000 human 'owners' registered, and humans could post content disguised as 'AI agents' via a basic POST request.
  First reported: 03.02.2026 12:00 · 2 sources, 2 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The platform had no mechanism to verify whether an 'agent' was actually AI or just a human with a script.
  First reported: 03.02.2026 12:00 · 2 sources, 2 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Vibe coding tools add speed but require careful human review before deployment to prevent security issues.
  First reported: 03.02.2026 12:00 · 2 sources, 3 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Data leaks introduce 'deeper integrity risks' by enabling content manipulation including prompt injection.
  First reported: 03.02.2026 12:00 · 2 sources, 3 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Security is an iterative process in AI product development, requiring multiple rounds of remediation.
  First reported: 03.02.2026 12:00 · 2 sources, 3 articles
  Sources:
  - Vibe-Coded Moltbook Exposes User Data, API Keys and More — www.infosecurity-magazine.com — 03.02.2026 12:00
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- SecurityScorecard found 40,214 exposed OpenClaw instances associated with 28,663 unique IP addresses.
  First reported: 09.02.2026 11:30 · 2 sources, 2 articles
  Sources:
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- 63% of observed OpenClaw deployments are vulnerable, with 12,812 exposed instances exploitable via remote code execution (RCE) attacks.
  First reported: 09.02.2026 11:30 · 2 sources, 2 articles
  Sources:
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- SecurityScorecard correlated 549 exposed instances with prior breach activity and 1,493 with known vulnerabilities.
  First reported: 09.02.2026 11:30 · 2 sources, 2 articles
  Sources:
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Three high-severity CVEs in OpenClaw have been discovered, with public exploit code available for each.
  First reported: 09.02.2026 11:30 · 2 sources, 2 articles
  Sources:
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- OpenClaw instances are at risk of indirect prompt injection, allowing attackers to send malicious instructions via messages or hidden text.
  First reported: 09.02.2026 11:30 · 2 sources, 2 articles
  Sources:
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Some OpenClaw users have been leaking API keys linked to third-party services via their control panels.
  First reported: 09.02.2026 11:30 · 3 sources, 3 articles
  Sources:
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Most exposures are located in China, followed by the US and Singapore, with information services being the most impacted industry.
  First reported: 09.02.2026 11:30 · 2 sources, 2 articles
  Sources:
  - Researchers Find 40,000+ Exposed OpenClaw Instances — www.infosecurity-magazine.com — 09.02.2026 11:30
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- A supply chain attack via the Cline npm package version 2.3.0 installed OpenClaw on users' systems.
  First reported: 20.02.2026 00:33 · 2 sources, 3 articles
  Sources:
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The attack exploited a prompt injection vulnerability in Cline's Claude Issue Triage workflow.
  First reported: 20.02.2026 00:33 · 2 sources, 3 articles
  Sources:
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The compromised Cline package was downloaded approximately 4,000 times over an eight-hour stretch.
  First reported: 20.02.2026 00:33 · 2 sources, 3 articles
  Sources:
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- OpenClaw has broad permissions and full disk access, making it a high-value implant for attackers.
  First reported: 20.02.2026 00:33 · 2 sources, 3 articles
  Sources:
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Cline released version 2.4.0 to address the issue and revoked the compromised token.
  First reported: 20.02.2026 00:33 · 2 sources, 3 articles
  Sources:
  - Supply Chain Attack Secretly Installs OpenClaw for Cline Users — www.darkreading.com — 20.02.2026 00:33
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The supply chain attack affected all users who installed the Cline CLI package version 2.3.0 during an eight-hour window on February 17, 2026.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The attack did not impact Cline's Visual Studio Code (VS Code) extension or JetBrains plugin.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Cline maintainers released version 2.4.0 to mitigate the unauthorized publication and revoked the compromised token.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Microsoft Threat Intelligence observed a small but noticeable uptick in OpenClaw installations on February 17, 2026, due to the supply chain compromise.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The compromised Cline package was downloaded approximately 4,000 times during the eight-hour stretch.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Users are advised to update to the latest version, check their environment for any unexpected installation of OpenClaw, and remove it if not required.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The overall impact is considered low, despite high download counts, as OpenClaw itself is not malicious and the installation does not include the installation/start of the Gateway daemon.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The attack leveraged a misconfiguration in the workflow that gave Claude excessive permissions to achieve arbitrary code execution within the default branch.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The attack sequence employed GitHub Actions cache poisoning to pivot from the triage workflow to a highly privileged workflow and steal the nightly publication credentials.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- The unknown threat actor weaponized an active npm publish token to authenticate with the Node.js registry and publish Cline version 2.3.0.
  First reported: 20.02.2026 16:20 · 1 source, 2 articles
  - Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems — thehackernews.com — 20.02.2026 16:20
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- China's National Computer Network Emergency Response Technical Team (CNCERT) has issued a warning about the security risks stemming from the use of OpenClaw, an open-source and self-hosted autonomous AI agent.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- OpenClaw's inherently weak default security configurations and privileged access to the system could be exploited by bad actors to seize control of the endpoint.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Prompt injections in OpenClaw can cause the agent to leak sensitive information if tricked into accessing and consuming malicious content.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Indirect prompt injection (IDPI) or cross-domain prompt injection (XPIA) attacks can manipulate benign AI features like web page summarization or content analysis to run manipulated instructions.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Researchers at PromptArmor found that the link preview feature in messaging apps like Telegram or Discord can be turned into a data exfiltration pathway when communicating with OpenClaw.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- OpenClaw may inadvertently and irrevocably delete critical information due to its misinterpretation of user instructions.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Threat actors can upload malicious skills to repositories like ClawHub that, when installed, run arbitrary commands or deploy malware.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Attackers can exploit recently disclosed security vulnerabilities in OpenClaw to compromise the system and leak sensitive data.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Chinese authorities have moved to restrict state-run enterprises and government agencies from running OpenClaw AI apps on office computers.
  First reported: 14.03.2026 18:17 · 1 source, 1 article
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
- Threat actors have distributed malicious GitHub repositories posing as OpenClaw installers to deploy information stealers like Atomic and Vidar Stealer, and a Golang-based proxy malware known as GhostSocks.
  First reported: 14.03.2026 18:17 · 2 sources, 2 articles
  - OpenClaw AI Agent Flaws Could Enable Prompt Injection and Data Exfiltration — thehackernews.com — 14.03.2026 18:17
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- A GitHub campaign tracked as "TroyDen's Lure Factory" is distributing over 300 Trojanized packages, including a fake Docker deployer for OpenClaw, targeting developers, gamers, and the general public.
  First reported: 24.03.2026 16:59 · 1 source, 1 article
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- The malicious repository impersonates a legitimate OpenClaw Docker deployment tool, using a polished README, a github.io page, and listing multiple contributors (including a real developer with a 568-star repository) to appear authentic.
  First reported: 24.03.2026 16:59 · 1 source, 1 article
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- The payload is a LuaJIT-based Trojan with a two-component design: a renamed Lua runtime and an encrypted script, which evades automated detection by passing sandbox analysis when either file is submitted alone.
  First reported: 24.03.2026 16:59 · 1 source, 1 article
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- The Trojan performs anti-analysis checks, introduces a ~29,000-year sleep delay to defeat timed sandboxes, captures full-desktop screenshots immediately upon execution, and exfiltrates credentials to a C2 server in Frankfurt.
  First reported: 24.03.2026 16:59 · 1 source, 1 article
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- Attackers used AI-generated lure names referencing obscure biological taxonomy, archaic Latin, and medical terminology, indicating operational AI was employed to scale and automate the campaign.
  First reported: 24.03.2026 16:59 · 1 source, 1 article
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- GitHub was notified on March 20, 2026, but two of the lure repositories (‘Fishing Planet Cheat Menu’ and ‘phone-number-location-tracking-tool’) remain active as of March 24.
  First reported: 24.03.2026 16:59 · 1 source, 1 article
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
- The campaign exploits a ‘purpose-built gap in the automated analysis pipeline,’ requiring human analysts to detect the threat when both components execute together in context.
  First reported: 24.03.2026 16:59 · 1 source, 1 article
  - GitHub 'OpenClaw Deployer' Repo Delivers Trojan Instead — www.darkreading.com — 24.03.2026 16:59
Similar Happenings
Ongoing Ghost Cluster Targets npm and GitHub in Multi-Stage Credential and Crypto Wallet Theft Campaign
A coordinated campaign tracked as Ghost continues to target developers via malicious npm packages and GitHub repositories to deploy credential stealers and cryptocurrency wallet harvesters. The operation leverages social engineering and multi-stage infection chains, including fake installation wizards that request sudo/administrator privileges and deceptive npm logs simulating dependency downloads and progress indicators. Stolen data—including browser credentials, crypto wallets, SSH keys, and cloud tokens—is exfiltrated to Telegram channels and BSC smart contracts. The campaign employs a dual monetization model combining credential theft via Telegram channels with affiliate link redirections stored in a BSC smart contract. Malicious npm packages first appeared under the user 'mikilanjijo', with operations beginning as early as February 2026 and expanding to at least 11 packages such as react-performance-suite and react-query-core-utils. The final payload is a remote access trojan that downloads from Telegram channels, decrypts using externally retrieved keys, and executes locally using stolen sudo passwords to harvest credentials and deploy GhostLoader.
TeamPCP escalates CanisterWorm campaign with geopolitical targeting and multi-vector attacks
TeamPCP has expanded their multi-vector CanisterWorm campaign to target the LiteLLM PyPI package (versions 1.82.7 and 1.82.8), embedding credential-stealing malware with automatic execution mechanisms that harvested SSH keys, cloud provider credentials, Kubernetes secrets, database credentials, cryptocurrency wallets, and TLS/SSL private keys before exfiltrating data to attacker-controlled infrastructure and establishing persistent backdoors. The compromised versions were removed from PyPI by March 25, 2026, but researchers warn of downstream breach disclosures and follow-on intrusions due to the volume of stolen credentials. The campaign began as a supply-chain attack involving 47 compromised npm packages and the @teale.io/eslint-config variant, leveraging ICP canisters for decentralized C2 and persistence via masqueraded systemd services. It escalated to include GitHub repository hijacking (e.g., Aqua Security), Docker Hub compromise, and deployment of an infostealer, then pivoted to targeting CI/CD pipelines directly via GitHub Actions workflows (e.g., Checkmarx, Trivy) using stolen credentials. TeamPCP now compromises GitHub Actions workflows and Open VSX extensions to deploy the TeamPCP Cloud stealer, while refining destructive payloads targeting Iranian systems in Kubernetes environments with time-zone/locale-based wipers.
Malicious npm Package Targets macOS Users with RAT and Credential Theft
A malicious npm package named "@openclaw-ai/openclawai" masquerades as an OpenClaw installer to deploy a remote access trojan (RAT) and steal sensitive data from macOS systems. The package, uploaded on March 3, 2026, has been downloaded 178 times and remains available. It targets system credentials, browser data, crypto wallets, SSH keys, Apple Keychain databases, and iMessage history, while also installing a persistent RAT with remote access capabilities and a SOCKS5 proxy. The malware uses social engineering to harvest system passwords and employs sophisticated persistence and command-and-control (C2) infrastructure. The package triggers its malicious logic via a postinstall hook, re-installing itself globally and displaying a fake command-line interface to mimic an OpenClaw installation. It then retrieves an encrypted second-stage payload from a C2 server, which is decoded and executed to continue running in the background. The malware also prompts users to grant Full Disk Access (FDA) to Terminal to access protected data. The second-stage payload is a comprehensive information stealer and RAT framework capable of persistence, data collection, browser decryption, C2 communication, and live browser cloning. Collected data is exfiltrated through multiple channels, including the C2 server, Telegram Bot API, and GoFile.io. The malware also monitors clipboard content for specific patterns related to private keys and cryptocurrency addresses. The impact of this malware is significant, as it can compromise sensitive user data and provide attackers with persistent access to infected systems. The sophisticated nature of the malware, including its use of social engineering and encrypted payload delivery, makes it a serious threat to macOS users.
ClawJacked Flaw in OpenClaw Enables Local AI Agent Hijacking via WebSocket
A high-severity vulnerability in OpenClaw, codenamed ClawJacked, allows malicious websites to hijack locally running AI agents through WebSocket connections. The flaw exploits missing rate-limiting and auto-approval of trusted devices, enabling attackers to take control of the AI agent. OpenClaw has released a fix in version 2026.2.25, urging users to update immediately and enforce strict governance controls. The vulnerability is caused by the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface, allowing attackers to brute-force the management password and gain admin-level permissions. Once authenticated, attackers can interact directly with the AI platform, dumping credentials, listing connected nodes, stealing credentials, and reading application logs. The fix tightens WebSocket security checks and adds additional protections to prevent attackers from abusing localhost loopback connections.
PromptSpy Android Malware Uses Gemini AI for Persistence
PromptSpy, an advanced Android malware, uses Google's Gemini AI to maintain persistence by pinning itself in the recent apps list. The malware captures lockscreen data, blocks uninstallation, gathers device information, takes screenshots, and records screen activity. It communicates with a hard-coded C2 server and is distributed via a dedicated website targeting users in Argentina. PromptSpy is the first known Android malware to use generative AI in its execution flow, sending screen data to Gemini to receive instructions for maintaining persistence. The malware is an advanced version of VNCSpy and is likely financially motivated. Researchers have discovered that PromptSpy was first found in February 2026, with initial samples uploaded to VirusTotal from Hong Kong and Argentina. ESET has not observed the malware in its telemetry, suggesting it may be a proof-of-concept. ESET attributed PromptSpy to Chinese developers with medium confidence, but has not linked it to any known threat actor. PromptSpy deploys a VNC module on compromised systems, enabling operators to view the victim’s screen and take full control of the Android device. The malware saves both its previous prompts and Gemini’s responses, allowing Gemini to understand context and coordinate multistep interactions.