Hacking Groups Target OpenClaw AI Framework in Mass Attacks

Home » News
Yash Shield
News
Reading time icon 2 min. read

Calendar icon Published on

Multiple hacking groups now exploit OpenClaw instances to steal API keys and drop malware. Over 30,000 compromised setups spread stealers via Telegram channels. The open-source AI agent gained fame in late January 2026 but fell to attacks within 72 hours.

OpenClaw gives agents full system access, memory, and service links. This design drew threat actors fast. Key flaws include CVE-2026-25253 for remote code execution plus supply chain tricks. Default port 18789 stays wide open on many installs. Shodan found 312,000+ exposed units by February 18.

BEST WINTER DEALS
Editor's Choice
Private Internet Access

Access content across the globe at the highest speed rate.

70% of our readers choose Private Internet Access

70% of our readers choose ExpressVPN

ExpressVPN

Browse the web from multiple devices with industry-standard security protocols.
Nord VPN

Faster dedicated servers for specific actions (currently at summer discounts)

Attackers hit admin panels with no auth checks. Misconfigured proxies treat outside traffic as local. Full control follows. Honeypots catch probes in minutes.

ClawHavoc Campaign Details

ClawHavoc kicked off January 29 under “Hightower6eu” on GitHub. Fake setup scripts pushed Atomic Stealer for macOS and Windows keyloggers. Victims thought they grabbed crypto tools.

Malware pulls browser data, cloud creds, and Keychain files. ClickFix tricks users into self-infection via guides. Enterprise lateral moves tap OpenClaw memory.

Second wave hit ClawHub marketplace. No code review let backdoored skills run shell commands. OAuth tokens and passwords flow out live.

Key Vulnerabilities

CVE IDCVSS ScoreTypeImpact
CVE-2026-252538.8RCE via WebSocketFull gateway control​
CVE-2026-263227.6SSRFInternal access pivot​
CVE-2026-263197.5Missing authWebhook takeover​

Patches rolled for most by version 2026.1.29. Exposed instances topped 549 with breach signs.

Attack Vectors

  • Exposed localhost via bad proxies grants admin rights.
  • Malicious links leak auth tokens through browser pivots.
  • Poisoned skills execute remotes sans checks.
  • No auth on default port invites scans.

Flare advisory: “Secure API keys. Isolate workloads now.”

Protection Steps

  • Bind services to localhost only. Block port 18789 public.
  • Add auth to all admin interfaces.
  • Vet ClawHub skills from trusted sources.
  • Scan for malware from fake setups.

FAQ

What is OpenClaw?

Open-source AI agent framework from Peter Steinberger, now OpenAI.

How many instances got hit?

Over 30,000 confirmed. 312,000+ exposed via Shodan.

What is CVE-2026-25253?

RCE letting attackers run commands via malicious links. Patched in 2026.1.29.

How do attacks spread?

Fake GitHub scripts, poisoned ClawHub skills, exposed panels.

What data gets stolen?

API keys, OAuth tokens, chats, passwords, browser creds.

Yash

Yash Shield

I am a Business Analytics student with a strong interest in publishing well-researched and data-driven news articles. I focus on analyzing trends in business, finance, and technology to create clear, accurate, and engaging content for readers. I enjoy transforming complex data and information into simple, meaningful stories that help audiences understand current developments. With analytical thinking and attention to detail, I aim to deliver credible and insightful news that adds real value to readers.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages