
Malicious OpenClaw Installers on GitHub Exploit Bing AI Search to Spread Data-Stealing Malware

 

Cybersecurity researchers have uncovered a campaign where fake installers for OpenClaw were distributed through GitHub repositories and surfaced via Microsoft Bing’s AI-powered search results, ultimately infecting users with information-stealing and proxy malware.

OpenClaw, a widely used open-source AI assistant, is designed to perform tasks with access to local files and integrations across email, messaging platforms, and other online services. Its extensive permissions made it an attractive target for cybercriminals aiming to extract sensitive user data.

Threat actors leveraged this by uploading malicious instruction files and fake installers to GitHub, including listings that appeared in the tool’s official registry. The activity was identified last month by researchers at Huntress, a managed detection and response firm, who observed multiple malware variants being distributed to users attempting to install OpenClaw.

According to Huntress, attackers created deceptive GitHub repositories posing as legitimate OpenClaw installers. These repositories were even recommended in Bing’s AI-generated search results for the Windows version of the software, increasing their visibility and credibility.

The researchers noted that "just hosting the malware on GitHub was enough to poison Bing AI search results."

One such repository analyzed by Huntress looked convincing at first glance, as it was linked to a GitHub organization named “openclaw-installer,” which may have influenced Bing’s AI recommendations. Although the GitHub accounts behind these repositories were newly created, the attackers attempted to appear legitimate by copying code from the Cloudflare moltworker project.

For macOS users, the fake repository included installation instructions directing users to execute a bash command in Terminal. This command connected to another GitHub organization called “puppeteerrr” and a repository named “dmg,” which hosted malicious payloads.

"The repository contained a number of files that followed a theme of containing a shell script paired with a Mach-O executable," the Huntress researchers noted. They identified this payload as Atomic Stealer malware.

Windows users were targeted through a fake installer named OpenClaw_x64.exe, which deployed several harmful executables. In one analyzed case, security tools such as Managed AV and Defender for Endpoint successfully quarantined the files before further damage occurred.

Most of the payloads were written in Rust and functioned as loaders to run information stealers directly in memory. Among them was the Vidar stealer, which retrieved command-and-control instructions via Telegram and Steam profiles.

Another payload delivered through the campaign was GhostSocks, a backconnect proxy malware that converts infected machines into proxy nodes. Such compromised systems can be used to access stolen accounts, bypass fraud detection systems, route malicious traffic, or conceal attacker activity.

During the investigation, Huntress uncovered multiple GitHub accounts and repositories linked to this campaign, all targeting individuals searching for OpenClaw installation files.

Although the malicious repositories have been reported to GitHub, it remains uncertain whether all of them have been removed.

Users are advised to rely on official sources when downloading software and to bookmark trusted websites instead of repeatedly searching for them online.

Hackers Exploit OpenClaw Bug to Control AI Agent


Cybersecurity experts have discovered a high-severity flaw named “ClawJacked” in the famous AI agent OpenClaw that allowed a malicious site to silently brute-force access to a locally running instance and take control.

Oasis Security found the issue and informed OpenClaw; a fix was then released in version 2026.2.26 on 26th February.

About OpenClaw

OpenClaw is a self-hosted AI tool that became famous recently for allowing AI agents to autonomously execute commands, send texts, and handle tasks across multiple platforms. Oasis Security said that the flaw is caused by the OpenClaw gateway service binding to localhost and exposing a WebSocket interface.

Attack tactic 

As cross-origin browser policies do not stop WebSocket connections to localhost, a compromised website opened by an OpenClaw user can use JavaScript to secretly open a connection to the local gateway and attempt authentication without raising any alarms.

To stop such attacks, OpenClaw includes rate limiting. But the loopback address (127.0.0.1) is exempt by default, so that local CLI sessions are not accidentally locked out.

OpenClaw brute-force to escape security 

Experts discovered that they could brute-force the OpenClaw management password at hundreds of attempts per second without any failed attempts being logged. When the correct password is guessed, the attacker can silently register as a verified device, because the gateway automatically approves device pairings from localhost without requiring any user input.

“In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone. At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human-chosen password doesn't stand a chance,” Oasis said.
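The loopback exemption described above can be contrasted with a stricter handshake gate. The following is an added sketch, not OpenClaw's code and not taken from the Oasis report: it checks the WebSocket Origin header and rate-limits and logs loopback clients too. The class, option names, origins and passwords are hypothetical.

```javascript
// Added example, not OpenClaw's code: all names, origins and passwords are hypothetical.
const isLoopback = (addr) => addr === "::1" || addr.startsWith("127.");
class GatewayAuthGate {
  constructor({ password, allowedOrigins = null, exemptLoopback = false }) {
    Object.assign(this, { password, allowedOrigins, exemptLoopback, maxFailures: 5, windowMs: 60000 });
    this.failures = new Map(); // remote address -> timestamps of recent failures
    this.log = [];             // denials an operator could alert on
  }
  deny(event, { remoteAddr, origin }, now) {
    this.log.push({ now, event, remoteAddr, origin }); // never log the guessed password
    return event;
  }
  attempt(req, now) {
    // Browsers always send Origin on a WebSocket handshake; a local CLI normally sends none.
    if (this.allowedOrigins && req.origin !== undefined && !this.allowedOrigins.has(req.origin))
      return this.deny("bad-origin", req, now);
    const exempt = this.exemptLoopback && isLoopback(req.remoteAddr);
    const recent = (this.failures.get(req.remoteAddr) || []).filter((t) => now - t < this.windowMs);
    if (!exempt && recent.length >= this.maxFailures) return this.deny("locked", req, now);
    if (req.password === this.password) { this.failures.delete(req.remoteAddr); return "ok"; }
    if (exempt) return "bad-password"; // weak setting: neither counted nor logged
    this.failures.set(req.remoteAddr, [...recent, now]);
    return this.deny("bad-password", req, now);
  }
}

// Replay constructed guesses from one loopback client and tally the outcomes.
function replayGuesses(gate, guesses, origin) {
  const tally = {};
  guesses.forEach((password, i) => {
    const outcome = gate.attempt({ remoteAddr: "127.0.0.1", origin, password }, 1000 + i);
    tally[outcome] = (tally[outcome] || 0) + 1;
  });
  return tally;
}

// Constructed input: 200 wrong guesses, then the real (hypothetical) password.
const GUESSES = Array.from({ length: 200 }, (_, i) => `guess-${i}`).concat("correct-horse");
function demo() {
  const weak = new GatewayAuthGate({ password: "correct-horse", exemptLoopback: true });
  const ui = new Set(["http://localhost:3000"]); // constructed origin of the gateway's own UI
  const hardened = new GatewayAuthGate({ password: "correct-horse", allowedOrigins: ui });
  const page = "https://untrusted.example"; // constructed third-party Origin
  return { weakFromPage: replayGuesses(weak, GUESSES, page),
           hardenedFromPage: replayGuesses(hardened, GUESSES, page),
           hardenedNoOrigin: replayGuesses(hardened, GUESSES, undefined),
           logged: { weak: weak.log.length, hardened: hardened.log.length } };
}
console.log(demo());
```

The Origin check only filters browser traffic, since a non-browser local process can send any Origin it likes; the limiter and the denial log are what cover that case.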

With an authenticated session and admin access, the attacker can now interact directly with the AI platform: identifying connected nodes, stealing and dumping credentials, and reading application logs.

Attacker privileges

According to Oasis, this might enable an attacker to give the agent instructions to perform arbitrary shell commands on paired nodes, exfiltrate files from linked devices, or scan chat history for important information. This would essentially result in a complete workstation compromise that is initiated from a browser tab. 

Oasis provided an example of this attack, demonstrating how the OpenClaw vulnerability could be exploited to steal confidential information. The problem was resolved within a day of Oasis reporting it to OpenClaw, along with technical information and proof-of-concept code.

ClawJack Allows Malicious Sites to Control Local OpenClaw AI Agents


Peter Steinberger created OpenClaw, an AI tool that can be a personal assistant for developers. It immediately became famous and got 100,000 GitHub stars in a week. Even OpenAI founder Sam Altman was impressed, bringing Steinberger on board and calling him a “genius.” However, experts from Oasis Security said that the viral success had hidden threats.

OpenClaw addressed a high-severity security threat that could have been exploited to allow a malicious site to connect to a locally running AI agent and take control. According to the Oasis Security report, “Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented.”

ClawJack scare

The threat was codenamed ClawJacked by the experts. CVE-2026-25253 could have become a severe vulnerability chain that would have allowed any site to hack a person’s AI agent. The vulnerability existed in the main gateway of the software. As OpenClaw is built to trust connections from the user’s system, it could have allowed hackers easy access. 

Assuming the threat model

On a developer's laptop, OpenClaw is installed and operational. Its gateway, a local WebSocket server, is password-protected and bound to localhost. When the developer visits a website that is controlled by the attacker via social engineering or another method, the attack begins. According to the Oasis Report, “Any website you visit can open one to your localhost. Unlike regular HTTP requests, the browser doesn't block these cross-origin connections. So while you're browsing any website, JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing.”

Stealthy Attack Tactic 

The research revealed a smart trick using WebSockets. Generally, your browser actively prevents different websites from meddling with your local files. But WebSockets are an exception, as they are built to stay “always-on” to send data simultaneously.

The OpenClaw gateway assumed that the connection must be safe because it comes from the user's own computer (localhost). But this is dangerous: if a developer running OpenClaw mistakenly visits a malicious website, a hidden script embedded in the webpage can connect via WebSocket and interact directly with the AI tool in the background. The user will be clueless.