Hacking groups are widely abusing OpenClaw, previously known as MoltBot and ClawdBot, to deliver malicious payloads.
OpenClaw, an open-source autonomous AI agent framework created by Peter Steinberger, now at OpenAI, became a high-priority target after its rapid spread in late January 2026.
Its design grants broad system permissions, persistent memory, and integrations with sensitive services, making it a prime target for credential theft and data exfiltration.
Within 72 hours of its wide launch, malicious actors began exploiting several severe vulnerabilities.
These include a severe remote code execution vulnerability (CVE-2026-25253), supply chain poisoning, and credential harvesting through exposed management interfaces.
Flare analysts have documented over 30,000 compromised OpenClaw instances used to siphon API keys, intercept communications, and distribute info-stealing malware via Telegram and other malicious channels.
ClawHavoc Campaign: Supply Chain Mass Deployment
One of the earliest and most destructive campaigns, dubbed “ClawHavoc,” was identified on January 29, 2026.

This supply chain attack hid malicious payloads such as Atomic Stealer (for macOS) and keyloggers (for Windows) disguised as legitimate crypto utilities.
Users who installed from purported “setup” scripts unwittingly downloaded stealer malware capable of full service compromise, letting attackers read the agent’s persistent memory and move laterally across corporate systems.
By early February, a second campaign, automated skill poisoning through ClawHub, emerged on the OpenClaw community marketplace.
Because the marketplace allows open publishing with no code review, attackers uploaded backdoored “skills” from seemingly trustworthy GitHub accounts such as Hightower6eu.
These malicious updates executed remote shell commands, enabling attackers to exfiltrate OAuth tokens, passwords, and API keys in real time.
A Shodan scan conducted on February 18, 2026, identified over 312,000 OpenClaw instances running on the default port 18789, many without authentication and exposed to the internet.

Meanwhile, exposed administrative interfaces are making matters worse: honeypot deployments have recorded exploitation attempts within minutes of exposure.
The OpenClaw incidents mark a significant turning point in the security of autonomous AI agents. Organized threat groups adapted quickly, weaponizing an ecosystem that favored capability over security.
As OpenAI absorbs OpenClaw’s developer, specialists warn that these challenges underscore the urgent need for security-by-design in future AI frameworks.
A Flare advisory recommends that organizations using or evaluating autonomous assistants protect API credentials and isolate AI workloads.
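As an added defender-side check (not part of the original article or of the OpenClaw project), the following Python script parses `ss -tlnp` output and flags any listener on the default port 18789 that is bound beyond loopback, which is the exposure pattern the Shodan findings describe; the sample output is constructed and the `openclaw` process name is assumed.

```python
# Flag an OpenClaw gateway listening beyond loopback on its default port 18789,
# parsing `ss -tlnp`-style output (sample constructed; "openclaw" process name assumed).
import ipaddress
import re
import subprocess

OPENCLAW_DEFAULT_PORT = 18789  # default port cited in the Shodan findings
# Local Address:Port column forms: 0.0.0.0:18789, [::]:18789, *:18789, 127.0.0.1:18789
_ADDR_RE = re.compile(r"^(?:\[(?P<v6>[^\]]*)\]|(?P<v4>[^:\s]+)):(?P<port>\d+)$")

def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (address, port) for every LISTEN row; the first line is the header."""
    listeners = []
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        m = _ADDR_RE.match(cols[3])
        if m:
            addr = m.group("v6") if m.group("v6") is not None else m.group("v4")
            listeners.append((addr, int(m.group("port"))))
    return listeners

def is_exposed(addr: str) -> bool:
    """True if a bind address accepts connections from non-loopback peers."""
    if addr in ("*", "0.0.0.0", "::", ""):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True  # unrecognised form: flag it rather than miss an exposure

def exposed_openclaw_listeners(ss_output: str, port: int = OPENCLAW_DEFAULT_PORT) -> list[str]:
    """Bind addresses on which the OpenClaw port is reachable beyond localhost."""
    return [a for a, p in parse_listeners(ss_output) if p == port and is_exposed(a)]

# Constructed sample: a loopback-only bind (safe) and a wildcard IPv6 bind (exposed).
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789    0.0.0.0:*         users:(("openclaw",pid=4242,fd=7))
LISTEN 0      128    [::]:18789         [::]:*            users:(("openclaw",pid=4243,fd=7))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1,fd=3))
"""

if __name__ == "__main__":
    try:  # fall back to the constructed sample where `ss` is unavailable
        out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        out = SAMPLE_SS_OUTPUT
    for addr in exposed_openclaw_listeners(out):
        print(f"port {OPENCLAW_DEFAULT_PORT} bound on {addr}: restrict to loopback and require auth")
```

On the sample, only the `[::]` wildcard bind is reported; the loopback bind on the same port is not.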