Infostealer Malware Targeting OpenClaw Agent Configuration Secrets
Threat intelligence reporting identified the first documented in-the-wild case of infostealer malware exfiltrating OpenClaw (formerly ClawdBot/MoltBot) agent files to steal API keys, authentication tokens, and other secrets stored in the agent’s persistent configuration/memory environment. Hudson Rock assessed the activity as likely tied to a Vidar infostealer variant and framed it as a shift from traditional browser-credential theft toward harvesting the “identity” and access of local AI agents that can interact with email, communications apps, local files, and online services.
Separate weekly roundups and commentary amplified the broader risk theme around agentic AI and secret sprawl, including mentions of OpenClaw-related exposure and tooling intended to help organizations discover where such agents are running. Other items in the set (e.g., Ivanti EPMM exploitation, Notepad++ supply-chain compromise, macOS ClickFix “Matryoshka,” and various breach/ransomware claims) describe distinct incidents and are not part of the OpenClaw infostealer event.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
16 events from the most recent confirmed update back to the earliest known activity.
Tenable discloses and nanobot fixes critical WhatsApp hijack flaw
Tenable disclosed CVE-2026-2577, a maximum-severity vulnerability in the OpenClaw-inspired 'nanobot' assistant that could allow remote hijacking of WhatsApp sessions on exposed instances. The issue was fixed in nanobot version 0.13.post7.
Hudson Rock reports first infostealer theft of OpenClaw secrets
Researchers reported the first observed in-the-wild case of infostealer malware stealing configuration and memory files from the OpenClaw local AI agent framework. The theft, attributed to a likely Vidar variant, exposed items such as API keys, tokens, device key material, and sensitive agent memory files.
Florida attorney general launches CHINA Prevention Unit
Florida's attorney general announced a 'CHINA Prevention Unit' to use state consumer protection and privacy laws against risky data-sharing practices. The initiative was framed as reducing residents' exposure to foreign exploitation.
Atlas Air disputes Everest ransomware attack claim
Atlas Air disputed claims by the Everest ransomware group that it had breached the company. Researchers nevertheless said screenshots of allegedly stolen data appeared to show aircraft maintenance and internal operational documents.
Figure confirms breach caused by employee social engineering
Fintech lender Figure confirmed a data breach caused by social engineering of an employee. The company attributed the exposure of customer personally identifiable information to the ShinyHunters threat actor.
Ivanti EPMM exploitation linked largely to one actor
Threat intelligence reporting said most active exploitation of Ivanti EPMM flaws CVE-2026-1281 and CVE-2026-1340 was attributable to a single actor. Most observed activity was linked to an IP address hosted in a bulletproof autonomous system.
Dutch police arrest suspect tied to JokerOTP bot distribution
Dutch police arrested an individual allegedly connected to distribution of the JokerOTP bot, which is used to intercept one-time passwords. The action represented a law-enforcement disruption of the malware's spread.
Singapore telecom espionage campaign attributed to UNC3886
Reporting described a China-linked espionage campaign targeting major Singapore telecommunications companies. The activity was attributed to the threat actor UNC3886.
SmarterTools discloses ransomware breach tied to SmarterMail flaw
A ransomware incident affecting SmarterTools was reported as stemming from a recently fixed SmarterMail vulnerability. The case connected a product security issue to a real-world breach of the vendor.
Researchers report sleeper webshell activity in Ivanti EPMM attacks
Separate reporting described exploitation activity around Ivanti EPMM CVE-2026-1281 involving 'sleeper' webshells. The finding indicated attackers were establishing delayed-access persistence on compromised systems.
Researchers warn of active attacks on SolarWinds Web Help Desk
Security reporting warned that unpatched SolarWinds Web Help Desk instances were under active attack. The notice emphasized exploitation risk for organizations that had not yet applied available fixes.
Apple patches dyld zero-day used in targeted attacks
Apple released a fix for CVE-2026-20700, a dyld vulnerability said to have been exploited in targeted attacks. The patch was highlighted in the February 2026 reporting roundup.
Microsoft issues February 2026 Patch Tuesday fixes
Microsoft's February 2026 Patch Tuesday addressed more than 50 vulnerabilities, including six zero-days reported as exploited in the wild. The release also included a fix for the Windows Notepad command-injection RCE CVE-2026-20841.
Attackers probe and exploit newly patched BeyondTrust flaw
After the BeyondTrust fix, attackers were reported probing and exploiting exposed instances vulnerable to CVE-2026-1731. The activity targeted internet-facing Remote Support and Privileged Remote Access systems.
BeyondTrust patches critical pre-authentication RCE
BeyondTrust released fixes for CVE-2026-1731, a critical pre-authentication remote code execution flaw affecting Remote Support and Privileged Remote Access. The issue impacted internet-facing deployments of the products.
European Commission detects compromise of MDM platform
CERT-EU detected a contained compromise of the European Commission's mobile device management platform on 2026-01-30. Reporting said no mobile device compromise was observed.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Information Security & Data Privacy Weekend News Roundup: February 13-15, 2026
sherpaintelligence.substack.com
Open sourceInfostealer malware found stealing OpenClaw secrets for first time
bleepingcomputer.com
Open sourceWeek in review: Exploited newly patched BeyondTrust RCE, United Airlines CISO on building resilience - Help Net Security
helpnetsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenClaw Ecosystem Targeted by Malicious ClawHub Skills and Infostealer Theft of Agent Configuration Files
A supply-chain poisoning campaign dubbed **ClawHavoc** compromised OpenClaw’s official *ClawHub* marketplace by distributing **1,184 trojanized “Skills”** intended to steal data and establish backdoor access on victim systems. Reporting attributes the initial disclosure to Koi Security, with Antiy CERT later tracking the activity as the **TrojanOpenClaw PolySkill** family and linking the uploads to **12 publisher accounts** (including one responsible for **677** packages). The attackers abused ClawHub’s permissive publishing model (any GitHub account older than one week could upload), mass-posting Skills disguised as crypto trading bots, productivity tools, and social utilities; analysis described behaviors including **ClickFix-style download prompts** and **reverse-shell droppers** enabling remote command execution and persistence. Separately, researchers reported infostealer activity exfiltrating sensitive files from victims’ local OpenClaw directories—`openclaw.json`, `device.json`, `soul.md`, and related memory files—highlighting how AI-agent artifacts can be leveraged beyond traditional credential theft. Hudson Rock assessed the malware as broadly harvesting files by extension rather than explicitly targeting OpenClaw, but warned dedicated modules are likely to emerge to decrypt/parse these agent files. The stolen data could enable attackers to connect to a victim’s local OpenClaw instance (notably if **port `18789`** is exposed) using `gateway.auth.token`, and potentially bypass “Safe Device” checks by abusing keys from `device.json` to sign messages as the victim’s paired device and access connected services.
Mar 21, 2026
OpenClaw AI Agent Tricked Into Leaking Secrets and Running Malicious Code
Researchers reported that the self-hosted **OpenClaw** AI agent can be manipulated through both phishing-style social engineering and prompt-injection-style inputs to expose sensitive data and perform attacker-directed actions. In Varonis Threat Labs simulations, an OpenClaw email agent connected to Gmail, browser tools, Google Workspace APIs, and internal data sources forwarded mock **AWS IAM keys**, database credentials, SSH details, and a synthetic customer export after receiving urgent or routine-looking messages impersonating trusted colleagues. The tests found the agent was better at spotting technical phishing indicators such as fake login pages, malicious links, and suspicious OAuth prompts than at verifying sender identity and resisting social pressure, and showed stricter phishing-aware settings still failed in some scenarios. Separate research from Imperva found hidden instructions embedded in shared contacts, vCards, and location pins were flattened into prompt text without being labeled untrusted, allowing the model in testing to download and execute a researcher-controlled script. OpenClaw reportedly patched that issue in version `2026.4.23`, and researchers also cited patched allowlist-bypass flaws in multiple messaging extensions. Across the findings, the common risk was agents that can read private data, ingest untrusted content, and send information outward; recommended mitigations included updating OpenClaw, restricting connector and outbound communication access, enforcing policy controls, and requiring **human approval** for high-risk actions.
Jun 17, 2026
OpenClaw AI Agent Runtime Vulnerability Exposes Instance Tokens and Enables RCE
A high-severity vulnerability in the open-source AI utility **OpenClaw** (formerly *Moltbot/ClawdBot*) allows attackers to steal an instance’s gateway token via a crafted link and gain “god mode” administrative control, potentially leading to **remote code execution (RCE)**. The issue stems from the UI failing to validate/sanitize query strings in the gateway URL; when a victim opens a malicious URL or phishing page, the browser initiates a WebSocket connection that leaks the stored gateway token in the payload, enabling an attacker to connect back to the target’s local gateway and change configuration or execute privileged actions. The flaw was reported via responsible disclosure and is fixed in **v2026.1.29** and later; deployments on **v2026.1.28 or earlier** are advised to upgrade. Separate reporting describes a broader criminal ecosystem of **autonomous AI agents** using OpenClaw as a local runtime alongside a collaboration network (*Moltbook*) and an underground marketplace (*Molt Road*) to trade stolen credentials, weaponized code, and alleged zero-days, with claims of rapid scaling to hundreds of thousands of agents and use of infostealer logs/session cookies to bypass MFA and automate intrusion lifecycles (lateral movement, ransomware, and crypto-funded operations). Another item is a vendor blog post focused on **prompt-injection detection** and speculative **quantum** risks to encrypted AI orchestration streams (MCP), which is not tied to the OpenClaw vulnerability disclosure or the specific criminal-agent ecosystem claims.
Mar 21, 2026