ClawHavoc: AMOS Infostealer Infiltrates OpenClaw AI Ecosystem via 341 Malicious Skills

A massive supply-chain attack dubbed “ClawHavoc” has compromised the popular OpenClaw AI assistant ecosystem, exposing thousands of macOS and Windows users to the Atomic macOS Stealer (AMOS). Researchers at Koi Security discovered 341 malicious “skills” on the ClawHub marketplace extensions designed to add functionality to OpenClaw agents that were actually Trojan horses for infostealers.

The campaign effectively weaponized the trust users place in open-source AI tools. By disguising malware as productivity boosters, cryptocurrency trackers, and YouTube summarizers, attackers tricked users into executing malicious code under the guise of installing “prerequisites.” This incident highlights a critical shift in cybercrime: the migration of malware distribution from static files to dynamic, agentic AI ecosystems.

The Mechanism of the Attack

The attack vector was deceptively simple yet highly effective. Users downloading skills like solana-wallet-tracker or youtube-summarize-pro from ClawHub were presented with a professional-looking documentation page. However, the installation instructions contained a fatal step:

• For macOS Users: The documentation required running a “dependency script” hosted on glot.io. This script executed a base64-encoded command that bypassed Apple’s Gatekeeper to download and install AMOS.
• For Windows Users: The instructions pointed to a password-protected ZIP file hosted on GitHub, which contained a keylogger and remote access trojan (RAT).

Once installed, AMOS begins exfiltrating sensitive data immediately. It targets iCloud Keychain passwords, browser cookies, session tokens, and over 60 types of cryptocurrency wallets including Exodus and Ledger Live.

“You install what looks like a legitimate skill… The skill’s documentation looks professional. But there’s a ‘Prerequisites’ section that says you need to install something first… By the time users realize something is wrong, the malware has already executed.” Oren Yomtov, Security Researcher at Koi Security

Broader Implications: The Flare Report

The timing of ClawHavoc coincides with new findings from Flare, which released its 2026 State of Enterprise Infostealer Exposure report this week. The report paints a grim picture of how these infections are no longer just consumer annoyances but enterprise-level threats.

According to Flare, 1 in 5 infostealer infections now exposes enterprise credentials. As organizations move toward centralized identity providers (IdPs) like Okta and Microsoft Entra ID, a single infection on an employee’s personal device—such as a Mac mini running an OpenClaw agent—can hand attackers the keys to the entire corporate kingdom.

“Centralized identity has become the control plane of the modern enterprise. What this data shows is that attackers understand that shift very well. When an infostealer infection succeeds today, it’s increasingly likely to deliver direct access to the systems organizations depend on most.” Estelle Ruellan, Cybersecurity Researcher at Flare

Breakdown of Malicious Skills

The attackers focused heavily on high-value financial targets. The breakdown of the 341 discovered malicious skills reveals a clear targeting strategy:

Technical Analysis: AMOS Evolution

Atomic macOS Stealer has evolved significantly since its emergence in 2023. The variant deployed in ClawHavoc utilizes advanced evasion techniques:

• AppleScript Spoofing: It uses native macOS prompts to ask for the system password, which unsuspecting users often provide, thinking it is required for the “skill” installation.
• Obfuscation: The payload is XOR-encrypted to evade static signature detection by antivirus software.
• Persistence: Unlike earlier versions, this variant installs a LaunchAgent to ensure the malware restarts every time the user logs in.

Comparison: Traditional Malware vs. AI Supply Chain Attacks

Frequently Asked Questions