INC-26-0013 (confirmed, critical): OpenClaw AI Agent Platform Hit by Critical Vulnerability and Supply Chain Campaign (2026)
OpenClaw (open-source community) developed, and enterprise organizations across 52 countries deployed, the OpenClaw AI Agent Framework, harming organizations running unpatched OpenClaw instances, developers who installed malicious ClawHub skills, and enterprises with compromised credentials and API tokens; possible contributing factors include inadequate access controls, misconfigured deployment, and insufficient safety testing.
Threat actor(s): ClawHavoc campaign operators
Incident Details
| Date Occurred | 2026-01 |
| Severity | critical |
| Evidence Level | corroborated |
| Impact Level | Sector-wide |
| Domain | Security & Cyber |
| Primary Pattern | PAT-SEC-008 AI Supply Chain Attack |
| Secondary Patterns | PAT-AGT-006 Tool Misuse & Privilege Escalation |
| Regions | North America, Asia, Europe |
| Sectors | Technology, Corporate |
| Affected Groups | Developers & AI Builders, Business Organizations |
| Exposure Pathways | Adversarial Targeting, Infrastructure Dependency |
| Causal Factors | Inadequate Access Controls, Misconfigured Deployment, Insufficient Safety Testing |
| Assets & Technologies | Autonomous Agents, Identity Credentials |
| Entities | OpenClaw (open-source community) (developer), Enterprise organizations across 52 countries (deployer), ClawHavoc campaign operators (threat actor) |
| Harm Types | operational, financial |
A critical remote code execution vulnerability (CVE-2026-25253, CVSS 8.8) in the OpenClaw AI agent framework exposed over 21,000 internet-facing instances, while a coordinated supply chain campaign called ClawHavoc planted hundreds of malicious skills in the ClawHub marketplace, deploying credential stealers and macOS malware to enterprise environments.
Incident Summary
OpenClaw, one of the most widely adopted open-source AI agent frameworks, was struck by a critical remote code execution vulnerability (CVE-2026-25253, CVSS 8.8) in January 2026 that enabled token exfiltration through manipulated gateway parameters combined with missing WebSocket origin validation.[1] Censys scans identified over 21,000 publicly exposed OpenClaw instances across 52 countries, with 98.6% deployed on cloud infrastructure including DigitalOcean, Alibaba Cloud, and Tencent.[1] Concurrently, Koi Security researcher Oren Yomtov uncovered the ClawHavoc campaign — a coordinated supply chain attack that planted over 800 malicious skills in the ClawHub marketplace, representing approximately 20% of the registry.[1] The malicious skills deployed Atomic macOS Stealer (AMOS) targeting keychains, cryptocurrency wallets, and SSH keys on macOS systems, and VMProtect-packed infostealers with keylogger and remote access capabilities on Windows.[3] OpenClaw released a patched version (2026.1.29) on January 30, 2026.[1]
Key Facts
- Vulnerability: CVE-2026-25253 scored CVSS 8.8, enabling remote code execution via token exfiltration through manipulated `gatewayUrl` parameters and missing WebSocket origin validation[1]
- Discovery: Mav Levin of depthfirst research identified the vulnerability; Koi Security’s Oren Yomtov discovered the ClawHavoc supply chain campaign[1]
- Exposure: Multiple concurrent scans using different methodologies produced varying counts — Censys identified approximately 21,000 publicly exposed instances, Bitsight found over 30,000, and a broader independent scan catalogued 42,665 exposed instances of which 5,194 were confirmed vulnerable to CVE-2026-25253[1]
- Supply chain scale: The ClawHub registry contained approximately 2,800 skills at the time of discovery; the ClawHavoc campaign initially planted 341 malicious skills (12%), with subsequent scans identifying over 800 malicious entries (~29% of the registry)[1]
- Malware deployed: macOS systems received Atomic macOS Stealer (AMOS) targeting keychains, cryptocurrency wallets, SSH keys, and Telegram sessions; Windows systems received VMProtect-packed infostealers with keylogger and RAT capabilities[1][3]
- Attack technique: ClawHavoc used ClickFix-style social engineering — fake “fix” prompts that nudge administrators into installing malicious skills as a remediation step — combined with typosquatting tactics using variations such as “clawhub,” “clawhub1,” and “clawhubb”[1]
- Geographic spread: Affected instances spanned 52 countries, with the United States and China representing the largest concentrations[1]
- Patch: OpenClaw released version 2026.1.29 on January 30, 2026, addressing the WebSocket vulnerability[1]
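The typosquatting described under "Attack technique" can be screened for before a skill is installed. The following is an added example, not code from OpenClaw, ClawHub or the cited sources: it checks a requested skill name and publisher against an allowlist and flags exact-name impersonation and near-identical names. The allowlist entries and publisher names are hypothetical; the name variants are the ones quoted above.

```python
import re

# Hypothetical allowlist: skill name -> publisher the organisation has vetted.
TRUSTED = {"clawhub": "openclaw-official", "calendar-sync": "acme-tools"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(name: str) -> str:
    """Lower-case, drop separators and trailing digits (clawhub1 -> clawhub)."""
    name = re.sub(r"[-_.\s]", "", name.lower())
    return re.sub(r"\d+$", "", name)


def classify(name: str, publisher: str, max_distance: int = 1) -> str:
    """Return 'trusted', 'impersonation', 'lookalike' or 'unknown'."""
    if name in TRUSTED:
        # Same name from a different publisher is not the vetted skill.
        return "trusted" if TRUSTED[name] == publisher else "impersonation"
    candidate = normalise(name)
    for good in TRUSTED:
        target = normalise(good)
        if candidate == target or edit_distance(candidate, target) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed install requests; publisher "unverified-user" is hypothetical.
    for skill in ("clawhub", "clawhub1", "clawhubb", "pdf-reader"):
        print(skill, "->", classify(skill, "unverified-user"))
```

A result of `unknown` only means the name resembles nothing on the allowlist; it still needs the normal review before installation.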
Threat Patterns Involved
Primary: AI Supply Chain Attack — The ClawHavoc campaign represents a textbook AI supply chain attack, where malicious actors compromised the ClawHub skill marketplace — the primary distribution channel for OpenClaw extensions — to deliver credential-stealing malware to downstream users. The campaign exploited the trust relationship between the marketplace and its users, planting over 800 malicious skills that appeared legitimate through typosquatting and social engineering techniques.
Secondary: Tool Misuse & Privilege Escalation — CVE-2026-25253 enabled attackers to exploit OpenClaw’s WebSocket communication layer to exfiltrate authentication tokens, effectively escalating from unauthenticated network access to full system compromise on exposed instances.
Significance
- AI agent frameworks as high-value supply chain targets — OpenClaw’s position as one of the most popular AI agent frameworks made its marketplace an efficient vector for distributing malware at scale, with a single campaign compromising approximately 20% of the ClawHub registry
- Shadow AI amplifies organizational risk — Bitdefender telemetry documented cases of employees deploying OpenClaw agents with broad system privileges — including filesystem access, CI/CD pipeline tokens, and cloud provider API keys — without security team awareness, creating unmonitored attack surfaces within enterprise environments[1]
- Marketplace trust exploitation — The ClawHavoc campaign demonstrates that AI agent marketplaces and skill registries face the same supply chain risks as traditional package managers (npm, PyPI), but with the added risk that AI agents typically operate with elevated system permissions
- Global exposure footprint — The distribution of over 21,000 exposed instances across 52 countries indicates that insecure default configurations in AI agent frameworks create systemic risk at the infrastructure level
Timeline
CVE-2026-25253 (CVSS 8.8) discovered by Mav Levin of depthfirst research
OpenClaw releases patched version 2026.1.29
Koi Security researcher Oren Yomtov identifies ClawHavoc supply chain campaign
Censys identifies over 21,000 publicly exposed OpenClaw instances
Malicious ClawHub skills removed and security advisories issued by OpenClaw and third-party researchers
Outcomes
- Recovery: Patch released in version 2026.1.29; malicious skills removed from ClawHub
- Regulatory Action: Multiple security advisories issued
Use in Retrieval
INC-26-0013 documents OpenClaw AI Agent Platform Hit by Critical Vulnerability and Supply Chain Campaign, a critical-severity incident classified under the Security & Cyber domain and the AI Supply Chain Attack threat pattern (PAT-SEC-008). It occurred in North America, Asia, Europe (2026-01). This page is maintained by TopAIThreats.com as part of an evidence-based registry of AI-enabled threats. Cite as: TopAIThreats.com, "OpenClaw AI Agent Platform Hit by Critical Vulnerability and Supply Chain Campaign," INC-26-0013, last updated 2026-03-29.
Sources
- The OpenClaw Security Crisis: A Complete Technical Analysis (analysis, 2026-02) https://conscia.com/blog/the-openclaw-security-crisis
- Critical OpenClaw Vulnerability Puts AI Agent Deployments at Risk (news, 2026-02) https://www.darkreading.com/application-security/critical-openclaw-vulnerability-ai-agent-risks
- OpenClaw Vulnerabilities Exposed (analysis, 2026-02) https://www.kaspersky.com/blog/openclaw-vulnerabilities-exposed/55263/
Update Log
- — First logged (Status: Confirmed, Evidence: Corroborated)