OpenClaw Under Siege: Hacking Groups Exploit AI Framework to Steal Credentials and Deploy Malware
In a concerning development, multiple hacking groups have launched coordinated attacks on OpenClaw, an open-source autonomous AI framework, to deploy malicious payloads and steal sensitive information. OpenClaw, formerly known as MoltBot and ClawdBot, has gained significant traction since its viral adoption in late January 2026. However, its architecture, which grants substantial system privileges and integrates with sensitive services, has made it an attractive target for cybercriminals.
Exploitation of OpenClaw Vulnerabilities
Within 72 hours of OpenClaw’s widespread deployment, threat actors began exploiting several critical vulnerabilities. These include a high-risk Remote Code Execution flaw (CVE-2026-25253), supply chain poisoning, and credential harvesting through exposed administrative interfaces. Analysts from Flare have observed over 30,000 compromised OpenClaw instances being used to steal API keys, intercept messages, and distribute information-stealing malware via platforms like Telegram.
ClawHavoc Campaign: A Notable Supply Chain Attack
One of the most damaging campaigns, dubbed ClawHavoc, was detected on January 29, 2026. This supply chain attack involved disguising malicious payloads, such as Atomic Stealer for macOS and keyloggers for Windows, as legitimate cryptocurrency tools. Users who installed these supposed setup scripts unknowingly downloaded malware capable of full-service compromise. This allowed attackers to extract persistent memory data and move laterally across enterprise systems.
Automated Skill Poisoning Through ClawHub
By early February, another campaign emerged through OpenClaw’s community marketplace, ClawHub. Due to the platform’s open publishing model and lack of code review, attackers uploaded backdoored skills from seemingly trustworthy GitHub accounts, such as Hightower6eu. These malicious updates executed remote shell commands, enabling attackers to exfiltrate OAuth tokens, passwords, and API keys in real time.
Exposure and Immediate Exploitation
A Shodan scan conducted on February 18, 2026, revealed over 312,000 OpenClaw instances running on the default port 18789, many of which lacked authentication and were accessible over the internet. Exposed administrative interfaces have exacerbated the crisis, with honeypot deployments recording exploitation attempts within minutes of exposure.
Implications and Recommendations
The OpenClaw incidents underscore a critical turning point in the security of autonomous AI agents. Organized threat groups have rapidly adapted, weaponizing an ecosystem that prioritized capability over cybersecurity. As OpenAI integrates OpenClaw’s developer, experts emphasize the urgent need for security-by-design approaches in future AI frameworks.
A Flare advisory recommends that organizations using or testing autonomous assistants secure API credentials and isolate AI workloads to mitigate potential risks.
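As a defender-side check tied to the exposure finding above, the following added example (not code from Flare or the OpenClaw project) flags listeners on the default port 18789 that are bound to anything other than loopback. It assumes Linux `ss -H -tln` output; the sample lines and the function names are constructed for illustration.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default port named in the article

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128   127.0.0.1:18789   0.0.0.0:*
LISTEN 0 128     0.0.0.0:18789   0.0.0.0:*
LISTEN 0 128        [::]:18789      [::]:*
LISTEN 0 128   10.0.4.17:18789   0.0.0.0:*
LISTEN 0 128     0.0.0.0:22      0.0.0.0:*
"""

def classify_bind(host):
    """Classify a listening address by how widely it is reachable."""
    host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host == "*":
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    if addr.is_loopback:
        return "loopback-only"
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "specific-interface"

def exposed_listeners(ss_output, port=OPENCLAW_PORT):
    """Return (local_address, verdict) for listeners on `port` not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Assumed columns: State Recv-Q Send-Q Local:Port Peer:Port
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        verdict = classify_bind(host)
        if verdict != "loopback-only":
            findings.append((fields[3], verdict))
    return findings

if __name__ == "__main__":
    for local, verdict in exposed_listeners(SAMPLE_SS):
        print(f"{local}\t{verdict}")
```

A loopback-only bind can still be published by a reverse proxy or tunnel in front of it, so this check complements enabling authentication on the interface rather than replacing it.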