OpenClaw / ClawHub Supply Chain Attack
AI Agent Ecosystem Compromised via Marketplace Poisoning and Memory Exploitation
Executive Summary
Between January and February 2026, the OpenClaw artificial intelligence agent ecosystem experienced a coordinated supply chain attack combining marketplace poisoning, architectural security weaknesses, and a critical remote code execution vulnerability. Security researchers identified between 30,000 and 42,665 internet-exposed instances globally, with 93.4% vulnerable to authentication bypass.
More than 1,184 malicious ClawHub packages were discovered, including 341 confirmed ClawHavoc campaign skills delivering Atomic macOS Stealer malware. This convergence of software supply chain compromise, persistent memory exploitation, and shadow AI deployment created systemic enterprise risk distinct from traditional application threats. Autonomous agent platforms operating with privileged access introduced a materially different threat model compared to standard applications.
22% of enterprises have employees running OpenClaw without IT approval. Shadow AI incidents cost an average of $670,000 more than standard breaches, significantly compounding exposure from this campaign for organizations without AI governance controls in place.
Key Findings:
- ▸Threat actors deployed legitimate-appearing skills through the ClawHub marketplace with minimal vetting controls
- ▸ClawHavoc campaign weaponized installation documentation by embedding malicious curl commands piped directly into bash
- ▸CVE-2026-25253 enabled one-click RCE via WebSocket token exfiltration, exploitable even on localhost-bound services
- ▸SOUL.md and MEMORY.md agent files were exploited for persistent memory poisoning and delayed execution
- ▸Harvested data included credentials, browser data, cryptocurrency wallets, and SSH keys transmitted to C2 infrastructure
- ▸AI agent platforms with privileged access require a fundamentally different security model than traditional applications
Detailed Threat Analysis
OpenClaw is an open-source autonomous AI agent framework capable of interfacing with messaging platforms, executing shell commands, accessing local file systems, and maintaining persistent state across sessions. The ClawHub marketplace allowed minimally vetted developers to publish skills that executed with system-level privileges, creating a scalable and largely unguarded attack surface with no meaningful supply chain controls.
OpenClaw agents maintain persistent memory through two key files: SOUL.md (agent identity and behavioral rules) and MEMORY.md (session history and learned context). Compromise of either file allows attackers to alter agent behavior, plant delayed execution instructions, or extract accumulated session intelligence without triggering standard security controls.
The ClawHavoc campaign weaponized installation documentation by embedding malicious prerequisite instructions. Users copying curl commands piped directly into bash executed Atomic macOS Stealer malware that harvested credentials, browser data, cryptocurrency wallets, and SSH keys before transmitting compressed archives to command and control infrastructure at 91.92.242.30.
One-Click Remote Code Execution via WebSocket Token Exfiltration. A malicious link can trigger authentication token disclosure, enabling attackers to authenticate to local OpenClaw gateways and execute arbitrary commands. Critically, this vulnerability is exploitable even when services are bound to localhost, bypassing assumed network isolation controls and making traditional perimeter defenses ineffective.
Campaign sophistication was high, demonstrating detailed knowledge of OpenClaw internals, ClawHub marketplace operations, and enterprise deployment patterns. Targeting was opportunistic, ranging from individual developers to large enterprises. Multiple distinct threat clusters were identified with overlapping TTPs, indicating either a single well-resourced actor or coordinated activity across affiliated groups.
Attack Chain Overview
The ClawHavoc attack chain progressed through four distinct phases, spanning supply chain infiltration through credential exfiltration. Analysis identified 18 techniques across 11 MITRE ATT&CK tactics, demonstrating coordinated exploitation of supply chain trust, scripting execution, credential theft, and encrypted C2 channels. The infrastructure flow ran: Supplier to Compromised to Organization to ClawHub C2.
Initial Access
- Phishing and spear-phishing emails
- OpenClaw malware delivery via ClawHub skills
- Service abuse via marketplace trust
Execution and Loading
- SOUL.md and MEMORY.md activation
- Malicious process execution
- curl|bash payload delivery
Lateral Movement and Persistence
- Automated SSH and C2 proxying
- Service creation and modification
- Malicious package drops
Credential Access and Exfiltration
- SOUL.md and MEMORY.md harvesting
- Automated data and file exfiltration
- Delivery to ClawHub C2 at 91.92.242.30
MITRE ATT&CK Mapping
Prevention and Mitigation
Organizations should immediately inventory all OpenClaw installations, isolate affected systems, and rotate all potentially exposed credentials including cloud provider keys, SSH keys, and browser-stored passwords. All instances should be upgraded to version 2026.2.14 or later. Marketplace skill installation should be disabled unless explicitly approved through a formal change control process.
Access Controls for Admins
- Enforce MFA and least privilege
- Thoroughly review all packages before install
- Restrict install permissions to approved roles
Network Segmentation
- Isolate critical OpenClaw instances
- Limit lateral movement paths
- Apply zero trust to AI workloads
Software Supply Chain Security
- Enforce package signing and sandboxing
- Audit and remove suspicious ClawHub skills
- Validate all packages before use
Enhanced Threat Monitoring
- Detect C2 communications at port 8000
- Continuously monitor OpenClaw workflows
- Alert on SOUL.md and MEMORY.md writes
Credential Security Hardening
- Lock sensitive files including aws_credentials
- Tokenize and protect secrets at rest
- Rotate all credentials post-incident
Awareness and AI Security Training
- Train developers on AI supply chain risks
- Educate on social engineering via AI platforms
- Enforce shadow AI governance policies
Long-term mitigation requires zero trust segmentation of AI workloads, deployment of prompt injection detection controls, monitoring of agent memory files, and formal governance over autonomous agent deployment enterprise-wide. Shadow AI usage must be controlled through enforceable policy and executive oversight before the next generation of AI agents is deployed.
Indicators of Compromise
Security teams should investigate the following indicators across host, traffic, file, and network telemetry. Additional indicators include suspicious processes executing from temporary directories, unexpected access to keychain databases, and anomalous encrypted outbound data transfers to cloud storage services.
Immediately hunt for outbound connections to 91.92.242.30 and port 8000 activity. Search process logs for curl commands piped to bash. Review SOUL.md and MEMORY.md files on all OpenClaw instances for unauthorized modifications or injected instructions.
Detection Analytics
Effective detection requires layered monitoring across installation, execution, credential access, and network communication phases. Behavioral analytics should focus on deviations within SOUL.md and MEMORY.md files that may indicate persistent memory poisoning or delayed execution logic embedded by attackers during the compromise window.
📊 Tactical Sigma Rules
- Log all system interactions with OpenClaw processes
- Detect external payload download attempts via curl
- Monitor for bulk data extraction from credential stores
🔍 Threat Hunting Queries
- Hunt for API anomalies and rare request patterns
- Identify scripted CURL or bash pipe invocations
- Flag suspicious C2 connections and auth attempts
☁️ Cloud and Tool Monitoring
- Monitor all OpenClaw workflow executions for anomalies
- Scan ClawHub skill inventory for suspicious packages
- Audit full supply chain pipeline for integrity violations
⚙️ Endpoint and Process Monitoring
- Analyze suspicious processes spawned by OpenClaw agent
- Monitor SOUL.md and MEMORY.md for unexpected writes
- Detect process injection behaviors at agent runtime
Reporting and Resources
Organizations experiencing suspected compromise should report incidents to CISA and coordinate with sector-specific information sharing organizations. Incident response teams should preserve forensic evidence, isolate impacted systems, and perform credential revocation across all affected environments. Continuous security architecture review is recommended prior to ongoing deployment of autonomous AI agents within enterprise environments.
Threat Intelligence Report
- In-depth ClawHavoc analysis
- Advanced technical details
- Risk assessment and impact
Technical Indicators
- Malicious IPs, hashes, and C2s
- OpenClaw-linked profiles
- TTPs and SQL queries
Community Exchange
- Info sharing and discussions
- ClawHavoc detection tips
- OpenClaw observations
External Guidance
- MITRE ATT&CK techniques
- CISA and threat bulletins
- Malware research blogs
CISA
central@cisa.dhs.gov
https://www.cisa.gov/report
FBI IC3
Internet Crime Complaint Center
https://www.ic3.gov
Sector ISACs
Coordinate with your sector-specific
information sharing organization
Ready to Take Action?
The Interactive Guide walks through the ClawHavoc attack chain step by step with a live IOC hunt checklist, clickable MITRE technique cards, and a detection playbook built for SOC analysts actively investigating this threat.
Explore the Interactive Guide →