Critical Flaw in OpenClaw’s ClawHub Marketplace Exposed Supply Chain Attack Risk Security researchers at Silverfort uncovered a severe vulnerability in OpenClaw’s ClawHub skills marketplace, enabling attackers to manipulate download rankings and push a malicious skill to the top of its category. The flaw, discovered in March 2026, allowed adversaries to artificially inflate a package’s popularity, tricking users and autonomous AI agents into installing it under the guise of legitimacy. ### How the Attack Worked ClawHub, OpenClaw’s public registry for agent-extending skills (e.g., email, calendar, or web search integrations), relies on download counts as a key trust signal. However, Silverfort found that a publicly exposed RPC endpoint intended for internal use lacked authentication, rate limiting, or permission checks. By exploiting this, attackers could arbitrarily boost a skill’s download count with automated requests, bypassing safeguards. To demonstrate the risk, researchers created a malicious "Outlook Graph Integration" skill, embedding a low-impact data-exfiltration payload. After flooding the system with fake downloads, the package surged to the #1 spot in its category within days. Real users and OpenClaw agents often running with high privileges installed it 3,900 times across 50+ cities, including within public companies, unwittingly leaking basic identity data (usernames, domain names) to a controlled server. ### Automated Trust Exploitation The attack’s danger was amplified by OpenClaw agents’ autonomous decision-making. When instructed to find the "best" tool for tasks like email management, agents consulted ClawHub’s rankings, favoring the manipulated skill due to its inflated download count. This created a self-reinforcing loop, where AI-driven recommendations further propagated the malicious package. ### Root Cause & Fix The vulnerability stemmed from a misconfigured backend function in ClawHub’s Convex-based infrastructure. A helper function meant for internal use was accidentally exposed as a public mutation, violating security best practices. Silverfort reported the issue on March 16, 2026, and OpenClaw deployed a fix within 24 hours, closing the exploit path. ### Broader Implications The incident highlights risks in reputation-based trust systems, where manipulated metrics can drive mass adoption of malicious software. It also underscores the need for strict security boundaries in RPC-centric backends, particularly in fast-evolving projects prioritizing speed over structured reviews. To mitigate future risks, Silverfort released ClawNet, an open-source security plugin that scans skills for suspicious patterns before installation, acting as a runtime guardrail for OpenClaw agents. The vulnerability has since been patched, but the case serves as a cautionary example of how supply chain attacks can exploit trust signals in AI ecosystems.

New "Hologram" Infostealer Campaign Targets Crypto Wallets and Password Managers via Fake OpenClaw Installer A sophisticated infostealer campaign, dubbed "Hologram," has been active since at least February 2026, targeting sensitive data stored in 250+ browser extensions tied to crypto wallets and password managers. The malware spreads via a fake installer for OpenClaw, a legitimate open-source AI assistant, hosted on a convincing typosquat domain (openclaw-installer[.]com), registered on March 9, 2026. ### How the Attack Works 1. Initial Infection - Victims download OpenClaw_x64[.]7z, a 130MB Rust-based executable padded with fake documentation to evade antivirus scans and bypass sandbox upload limits. - The dropper, named "Hologram" in its manifest, performs anti-analysis checks, including: - Scanning for virtual machine BIOS strings and suspicious software libraries. - Waiting for real mouse movement (automated sandboxes don’t trigger this). - If checks pass, it disables Windows Defender, opens firewall ports, and downloads six modular components from an attacker-controlled Azure DevOps repository. 2. Credential Theft & Persistence - The malware fetches a dynamic targeting list (hosted on Azure DevOps) covering: - 201 crypto wallets (MetaMask, Phantom, Coinbase, Ledger Live, etc.). - 49 password managers/authenticators (Bitwarden, LastPass, 1Password, Google Authenticator, etc.). - The list is remotely updatable, allowing attackers to expand targets without recompiling the malware. - Persistence mechanisms include: - Registry autoruns. - Windows logon hijacking. - Scheduled tasks. - Telegram-based droppers that survive even if the main implant is removed. 3. Evasive Infrastructure - Command-and-control (C2) servers are never hardcoded instead, the malware retrieves them from Telegram channel descriptions, allowing rapid rotation if domains are blocked. - Victim data (usernames, IPs, timestamps) is routed through Hookdeck, a legitimate webhook relay service, obscuring the attacker’s backend. - Researchers observed infrastructure rotation during analysis, with domains and IPs changing before findings were published. ### Key Indicators of Compromise (IoCs) - File Hashes: Multiple Rust-based droppers (e.g., `OpenClaw_x64[.]exe`, `svc_service[.]exe`) and secondary payloads (e.g., `onedrive_sync[.]exe`, `WinHealhCare[.]exe`). - Domains: - `openclaw-installer[.]com` (delivery). - `hkdk.events` (C2 relay via Hookdeck). - `dev.azure.com/sagonbretzpr` (payload staging). - Hijacked Brazilian law firm domain (`frr.rubensbruno.adv.br`) and others. - IPs: `193.202.84.14`, `45.55.35.48`, `188.114.97.3` (C2 beacons). - Registry Keys & Paths: - `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit` (logon hijack). - `C:\Users\Public\` (stage-2 binary drop location). - `%APPDATA%\Ledger Live` (targeted for wallet theft). ### Why This Campaign Stands Out - Advanced Evasion: Uses Rust-based malware, in-memory .NET assembly loading (via `clroxide`), and Telegram for C2 rotation. - Dynamic Targeting: The remote Git repository allows attackers to silently expand their target list without detection. - Persistence: Multiple layers of registry, scheduled tasks, and Telegram-based backdoors ensure long-term access. Researchers at Netskope Threat Labs identified this as a second, more advanced iteration of the campaign, following an earlier variant. The attack highlights the growing sophistication of infostealers, particularly in crypto and credential theft.

Cybersecurity Roundup: Trust Abuse, AI Risks, and Supply Chain Attacks Dominate Threat Landscape This week’s cybersecurity developments highlight a growing trend: attackers are increasingly exploiting trusted systems AI platforms, software updates, messaging apps, and open-source ecosystems to bypass security controls. Below are the key incidents and trends shaping the threat landscape. ### AI and Open-Source Ecosystems Under Siege OpenClaw, an open-source AI agent framework, has partnered with Google’s VirusTotal to scan uploaded "skills" (AI extensions) for malware, following discoveries of malicious components in its ClawHub marketplace. Researchers warn that AI agents’ broad permissions, persistent memory, and user-controlled configurations create risks like prompt injection, data exfiltration, and supply chain attacks. Trend Micro reported threat actors on Exploit.in discussing OpenClaw for botnet operations, while Veracode noted a surge in typosquatted "claw" packages on npm and PyPI from zero in early 2026 to over 1,000 by February. Meanwhile, MoltBook, an AI-driven social platform built on OpenClaw, faces scrutiny after Simula Research Laboratory identified 506 prompt injection attacks, social engineering exploits, and unregulated cryptocurrency activity comprising 19.3% of its content. The platform’s autonomous AI agents, which interact without human oversight, raise concerns about data privacy and manipulation risks. Security firm Pillar Security detected active scanning of exposed OpenClaw gateways (port 18789), with attackers bypassing AI layers to target the WebSocket API directly for authentication bypasses and command execution. Censys identified 21,639 exposed OpenClaw instances as of January 2026, underscoring the framework’s outdated trust model lacking encryption-at-rest and containerization. ### Supply Chain Attacks: Trusted Updates as Malware Vectors A sophisticated supply chain attack targeted Notepad++ between June and December 2025, where threat actors redirected its WinGUp updater to malicious servers. Despite losing access to a compromised hosting provider in September, attackers reused stolen credentials to maintain control until December. The campaign, attributed to Lotus Blossom, exploited weak update verification in older Notepad++ versions, demonstrating how legitimate domains can become malware distribution hubs. Similarly, Docker’s AI assistant (Ask Gordon) was found vulnerable to remote code execution (RCE) via DockerDash, a flaw in its Model Context Protocol (MCP) Gateway. Attackers could embed malicious instructions in Docker image metadata, which the AI assistant executed without validation. Docker patched the issue in version 4.50.0 (November 2025). ### State-Sponsored Threats and High-Profile Targets Germany’s BfV and BSI issued a joint advisory warning of state-sponsored phishing attacks via Signal, exploiting the app’s PIN and device-linking features to hijack accounts. Targets included high-ranking officials, military personnel, diplomats, and journalists across Germany and Europe. In Ukraine, the government implemented a Starlink terminal verification system after confirming Russian forces were using the technology on attack drones. Only registered devices are now permitted to operate in the country. ### DDoS, Botnets, and Emerging Attack Techniques The AISURU/Kimwolf botnet set a record with a 31.4 Tbps DDoS attack in November 2025, lasting just 35 seconds. Cloudflare mitigated the attack, which was part of a broader campaign ("The Night Before Christmas") starting in December. Overall, DDoS attacks surged 121% in 2025, averaging 5,376 mitigated attacks per hour. Researchers also uncovered 54 malicious npm packages using EtherHiding, a technique leveraging Ethereum smart contracts to fetch C2 servers, complicating takedown efforts. The malware targets Windows systems with 5+ CPUs, employing sandbox evasion, COM hijacking, and system profiling. ### Linux Threats and Post-Exploitation Frameworks Cyble discovered ShadowHS, a fileless Linux post-exploitation framework that runs entirely in memory, prioritizing stealth and long-term control. The framework includes modules for credential access, lateral movement, privilege escalation, and data exfiltration, with aggressive defensive tooling enumeration to avoid detection. ### Ransomware, Dark Markets, and Legal Actions - INC Ransomware suffered a setback after Cyber Centaurs breached its backup server, helping 12 victims recover data. The group, active since 2023, had listed over 100 victims on its leak site. - Rui-Siang Lin, administrator of the Incognito Market darknet drug marketplace, was sentenced to 30 years in prison for facilitating $105 million in narcotics sales to over 400,000 users. - Xinbi, a Telegram-based illicit marketplace, processed $17.9 billion in transactions, outlasting competitors like Haowang and Tudou Guarantee, which saw declines of 100% and 74%, respectively. ### Critical Vulnerabilities and Exploits Notable CVEs disclosed this week include: - CVE-2026-25049 (n8n) - CVE-2026-0709 (Hikvision Wireless Access Point) - CVE-2026-23795 (Apache Syncope) - CVE-2026-1591/1592 (Foxit PDF Editor Cloud) - CVE-2026-24512 (ingress-nginx) - Multiple CVEs in Django, Google Chrome, Cisco, TP-Link, F5 BIG-IP, and Arista NG Firewall Additionally, XBOW uncovered two Insecure Direct Object Reference (IDOR) flaws in Spree (CVE-2026-22588/22589), allowing unauthorized access to user address data. ### Microsoft’s AI Backdoor Scanner Microsoft developed a scanner to detect hidden backdoors in open-weight AI models, addressing risks for enterprises relying on third-party large language models (LLMs). The tool identifies three key indicators: 1. Attention shifts when a hidden trigger is present. 2. Leakage of poisoned training data. 3. Partial triggers still activating malicious responses. The scanner extracts memorized content from models and ranks suspicious substrings as potential triggers. ### Conclusion This week’s incidents underscore a shift in attacker tactics exploiting trust in ecosystems, AI workflows, and supply chains rather than relying on traditional malware. As threats evolve, organizations must monitor integrations, verify updates, and secure AI deployments to mitigate risks from both state-sponsored actors and cybercriminals.