Security researchers discovered a massive supply chain attack targeting users of OpenClaw, a self-hosted AI assistant, through its ClawHub marketplace.
The Scale of Deception
A security audit revealed that roughly one in eight ClawHub downloads could potentially steal user data.
A security audit by Koi Security uncovered 341 malicious skills hidden among 2,857 offerings on ClawHub—meaning roughly one in eight downloads could steal your data. These weren’t random spam uploads. The ClawHavoc campaign specifically targeted crypto traders, YouTube content creators, and finance professionals by mimicking legitimate tools they actually need.
How the Attack Weaponizes Trust
Fake prerequisites deploy AMOS stealer through seemingly legitimate skill installations.
The hackers exploited OpenClaw’s open upload policy with surgical precision. According to Koi’s Oren Yomtov, “You install what looks like a legitimate skill… But there’s a ‘Prerequisites’ section” that secretly downloads Atomic Stealer (AMOS). Skills masqueraded as Solana wallet trackers, Polymarket trading bots, and YouTube summarizers—exactly what crypto-savvy users running Mac Minis for 24/7 AI operations would want.
AMOS, sold as Malware-as-a-Service for $500-3000 monthly on Telegram, executes comprehensive data extraction. It steals:
- Your Keychain passwords
- Browser autofill data
- Crypto wallet files from Electrum and Binance
- Telegram message history
- VPN profiles
Researcher Paul McCarty noted the “sophisticated social engineering to steal crypto assets” specifically targeting high-value macOS users.
Your Data in the Crosshairs
The stealer specifically targets cryptocurrency and financial information stored on macOS systems.
This attack demolished the myth that Macs stay secure through obscurity. Your ~/.clawdbot/.env credentials, SSH keys, and browser-stored payment cards became prime targets. The malware uses reverse shells and fake system dialogs to bypass Gatekeeper and XProtect—Apple’s built-in security that most users assume protects them.
Quick Fixes and Lasting Problems
OpenClaw added reporting features while experts warn of deeper AI marketplace vulnerabilities.
OpenClaw creator Peter Steinberger implemented a community reporting system where users can flag suspicious skills (auto-hiding those with three or more reports). But Palo Alto Networks identified OpenClaw’s “lethal trifecta”—private data access, untrusted content, and external communications—that makes any open AI marketplace inherently risky.
The ClawHavoc campaign signals a disturbing trend: cybercriminals now view AI tool marketplaces like the Wild West of software supply chains. Criminal networks now target these platforms for sophisticated attacks. Before installing any AI marketplace tools, verify the publisher’s identity and check recent user reviews. Your enthusiasm for cutting-edge AI tools shouldn’t outweigh basic crypto security hygiene—especially when your crypto holdings are at stake.
