Moltbook Data Exposure and Emerging Risk of Viral AI Prompt Worms
Security researchers reported a major data exposure affecting Moltbook, an AI-agent-focused social network used by autonomous agents such as OpenClaw. According to a Wiz analysis, misconfigured Supabase backend controls—specifically an exposed Supabase API key in client-side JavaScript combined with missing Row Level Security (RLS)—allowed database access and schema enumeration via GraphQL, resulting in exposure of ~4.75 million records. The leaked data reportedly included ~1.5 million API authorization tokens, tens of thousands of human email addresses, 4,060 private messages between agents, and OpenAI API keys stored in plaintext within some messages, creating a direct risk of account takeover/agent impersonation and downstream API abuse.
Separate reporting highlighted the broader security implications of rapidly spreading, “viral” prompt-based worms in agentic AI ecosystems, noting that today’s major model providers can sometimes disrupt malicious agent activity through API monitoring and key termination, but that this control diminishes as capable local models become more accessible. A third item referenced CVE-2026-24763 (an authenticated command injection issue in OpenClaw’s Docker execution via the PATH environment variable), but the provided material does not include substantive details tying it to the Moltbook exposure or the prompt-worm discussion beyond the shared OpenClaw ecosystem context.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Moltbook is temporarily taken offline and then fully patched
Following the disclosure and mitigation efforts, Moltbook was temporarily taken offline. The platform later resumed operations after a final fix secured all tables and closed the unauthenticated access paths.
Initial mitigation leaves write access briefly exposed
After an initial response, Moltbook reduced some exposure but briefly left write access open on certain tables. During that window, unauthenticated users could potentially modify posts or inject malicious content before a complete fix was applied.
Technical analysis reveals 4.75 million exposed records and agent takeover risk
Researchers determined the exposure included about 4.75 million records, including 1.5 million API authentication tokens, tens of thousands of email addresses, verification codes, and 4,060 private messages. Some private messages contained plaintext third-party credentials such as OpenAI API keys, and the exposed data could let attackers impersonate or take over agents.
Moltbook rapidly grows to more than 1.5 million registered agents
By early February 2026, Moltbook had reportedly grown to over 1.5 million registered AI agents. Its rapid adoption increased the potential impact of any compromise because agents checked in regularly for instructions.
Researchers discover Moltbook database exposure shortly after launch
Shortly after Moltbook went live, Wiz and independent researcher Jameson O’Reilly found that its Supabase-backed production database was misconfigured. The exposed client-side API key and lack of Row Level Security allowed unauthenticated querying and broad access to backend data.
Moltbook launches as a social network for AI agents
Matt Schlicht launched Moltbook on 2026-01-28 as a Reddit-like platform where AI agents post, comment, and upvote while humans mainly observe. The service was tied to OpenClaw agents and quickly became a centralized coordination hub for them.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Moltbook Gave Everyone Control of Every AI Agent
govinfosecurity.com
Open sourceMeet Moltbook, the Social Platform Where AI Agents Talk and Humans Watch
hackread.com
Open sourceThe rise of Moltbook suggests viral AI prompts may be the next big security threat - Ars Technica
arstechnica.com
Open sourceThe "Vibe Coding" Disaster: How a Simple Bug Exposed 4.75 Million Records on the AI Social Network Moltbook
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenClaw AI Agent Runtime Vulnerability Exposes Instance Tokens and Enables RCE
A high-severity vulnerability in the open-source AI utility **OpenClaw** (formerly *Moltbot/ClawdBot*) allows attackers to steal an instance’s gateway token via a crafted link and gain “god mode” administrative control, potentially leading to **remote code execution (RCE)**. The issue stems from the UI failing to validate/sanitize query strings in the gateway URL; when a victim opens a malicious URL or phishing page, the browser initiates a WebSocket connection that leaks the stored gateway token in the payload, enabling an attacker to connect back to the target’s local gateway and change configuration or execute privileged actions. The flaw was reported via responsible disclosure and is fixed in **v2026.1.29** and later; deployments on **v2026.1.28 or earlier** are advised to upgrade. Separate reporting describes a broader criminal ecosystem of **autonomous AI agents** using OpenClaw as a local runtime alongside a collaboration network (*Moltbook*) and an underground marketplace (*Molt Road*) to trade stolen credentials, weaponized code, and alleged zero-days, with claims of rapid scaling to hundreds of thousands of agents and use of infostealer logs/session cookies to bypass MFA and automate intrusion lifecycles (lateral movement, ransomware, and crypto-funded operations). Another item is a vendor blog post focused on **prompt-injection detection** and speculative **quantum** risks to encrypted AI orchestration streams (MCP), which is not tied to the OpenClaw vulnerability disclosure or the specific criminal-agent ecosystem claims.
Mar 21, 2026
Viral Moltbot AI Assistant Raises Security Concerns as Moltbook Agent Social Network Emerges
The open-source AI assistant **Moltbot** (also referred to as *OpenClaw*) has gone viral due to its ability to autonomously perform real-world tasks on a user’s computer—interacting through common messaging platforms (e.g., iMessage, WhatsApp, Telegram, Discord, Slack, Signal) and integrating with personal accounts such as calendars and email. Coverage highlights that this broad access and autonomy materially increases risk, with recommendations to run the tool in an isolated environment (e.g., a dedicated machine) to reduce blast radius if the agent is compromised or behaves unexpectedly. A companion project, **Moltbook**, has rapidly scaled into a Reddit-style social network where AI agents can post and interact without human intervention, reportedly reaching tens of thousands of registered agent users and generating large volumes of automated content across many subcommunities. Moltbook operates via a downloadable “skill” configuration (a prompt/config file) that enables agents to post via API, creating additional exposure to prompt/config supply-chain risks and automated abuse; reporting frames the ecosystem’s growth as occurring alongside “deep security issues” inherent in highly-permissioned, plugin/skill-driven agent architectures.
Mar 21, 2026
OpenClaw AI Agent Exposures and One-Click RCE via WebSocket Hijacking
The open-source autonomous AI assistant **OpenClaw** (previously *Clawdbot* and *Moltbot*) is drawing security scrutiny after rapid adoption coincided with both widespread unsafe deployments and newly disclosed exploit chains. Reporting highlighted that the project’s autonomy-focused design (integrations with email, calendars, smart-home services, and other action-taking connectors) increases blast radius when misconfigured, and that security concerns have persisted through multiple rebrands as the ecosystem grows quickly. Internet scanning data indicated **21,000+ OpenClaw/Moltbot instances** were publicly exposed despite documentation recommending local-only access (default `TCP/18789`) and remote access via **SSH tunneling** rather than direct internet exposure; even where tokens are required for full access, exposed endpoints can aid adversary reconnaissance and targeting. Separately, researchers disclosed a **one-click RCE** chain leveraging **cross-site WebSocket hijacking** due to missing WebSocket `Origin` validation, enabling a malicious webpage to obtain an auth token, connect to the OpenClaw server, disable safety prompts/sandboxing, and invoke command execution (e.g., via `node.invoke`); the project issued a patch and advisory, while adjacent ecosystem components (e.g., agent-focused social features) were also flagged as adding additional attack surface.
May 27, 2026