ClawHavoc

ClawHavoc refers to a large-scale, coordinated supply-chain poisoning operation abusing ClawHub, the official skill marketplace for the OpenClaw AI agent framework. Threat actors uploaded hundreds of malicious “Skills” (reported counts ranging from an initial 341 to 824+, with claims of 900+ and up to 1,184 malicious skills overall) across many categories to trick users into executing payloads that install information stealers and backdoors and to exfiltrate sensitive data. The operation relied heavily on social engineering and deceptive documentation (professional-looking SKILL.md files with “Prerequisites”), including embedded prompt-injection instructions intended to coerce agents/users into running attacker-provided commands (e.g., curl-piped-to-shell patterns). Windows lures included GitHub-hosted password-protected ZIP archives (intended to evade scanning). macOS lures included base64-obfuscated terminal commands that decoded to curl-based downloads from attacker infrastructure and public paste/services (e.g., glot[.]io, rentry[.]co) to fetch second-stage payloads. A primary macOS payload observed was Atomic Stealer (AMOS), described as a commodity infostealer. Reported capabilities included stealing browser data, keychain data, SSH keys, Telegram data, API keys and secrets in .env files, and data from 60+ cryptocurrency wallets; AMOS also used techniques such as runtime string decryption and fake password prompts, performed recursive directory collection, and exfiltrated compressed archives to C2. Additional variants included Python skills using os.system to enable reverse shells hidden within otherwise functional code, and JavaScript skills exfiltrating .env files to webhooks. Some skills specifically targeted OpenClaw bot configuration secrets (e.g., ~/.clawdbot/.env containing AI service tokens). Follow-on activity included comment-based social engineering under popular ClawHub skills (e.g., Trello, Slack, Gog) directing users to malicious downloads/commands tied to campaign infrastructure. Shared infrastructure reported in multiple audits included 91.92.242[.]30; scripts fetched from this IP were described as removing macOS quarantine attributes and executing Atomic Stealer. Another reported exfiltration endpoint (from analysis of the top-ranked skill “What Would Elon Do?”) was https://clawbub-skill.com/log. Multiple third-party audits (Koi Security, Snyk, and reporting citing Cisco AI Defense scanning) described the activity as coordinated and at scale, enabled in part by weak publisher verification (e.g., only requiring a one-week-old GitHub account). Reported uploader accounts included “hightower6eu” (described as prolific, with 314+ malicious packages in one report) and others (sakaen736jih, moonshine-100rze, zaycv, aslaep123, jordanprater, noreplyboter, rjnpage, gpaitai, lvy19811120-gif, danman60, noypearl). The threat actors behind ClawHavoc were assessed in the content as potentially of Chinese origin (not stated as confirmed).