The npm Nightmare Just Repeated Itself in AI Agents. It’s Worse This Time.

1,184 malicious skills infiltrated ClawHub, the plugin marketplace for the OpenClaw agent framework, reaching 20% of the ecosystem in weeks. Unlike npm packages, agent plugins run with full system permissions. The supply chain playbook broke because the blast radius changed.

On January 27, 2026, someone uploaded a skill called “solana-wallet-tracker” to ClawHub, the community marketplace for OpenClaw, the open-source AI agent framework that had racked up over 180,000 GitHub stars in a matter of weeks. The skill’s documentation looked professional. The README was clean. The GitHub account behind it was a week old, which was the only barrier to entry.

Within four days, 230 more malicious skills appeared. By mid-February, the count hit 824. By late February, China’s Antiy CERT confirmed the final tally: 1,184 malicious skills, roughly one in five packages in the entire ecosystem. The campaign, dubbed ClawHavoc by Oren Yomtov at Koi Security, had turned an AI agent marketplace into a malware distribution hub faster than any software supply chain attack in recent memory.

If you’ve been through the npm and PyPI poisoning wars, this story has a familiar shape. But the ending is different. And worse.

What OpenClaw actually is, and why it matters

For the unfamiliar: OpenClaw (first Clawdbot, then Moltbot, before settling on OpenClaw, all within about three months) is a self-hosted AI agent that connects to your messaging apps, your filesystem, your terminal, and your calendar. It executes shell commands, modifies files, manages OAuth tokens, and stores persistent memory across sessions. It talks to Claude, GPT, or DeepSeek on the backend and acts on your behalf through WhatsApp, Telegram, Slack, Discord, and iMessage.

The architecture follows a gateway-plus-control-UI model. The gateway handles LLM communication and task execution on the host system. The control UI serves a browser-based management panel, typically on TCP port 18789. Functionality extends through “skills,” modular packages published to ClawHub, a community marketplace that functions like npm or a browser extension store.

Here is the critical difference between a traditional software package and an OpenClaw skill: npm packages run in a sandboxed Node.js process with limited system access. OpenClaw skills run with the full permissions of the AI agent itself, which typically means full disk access, terminal permissions, and OAuth tokens for every connected service. A malicious npm package can do damage. A malicious OpenClaw skill can read your email, execute terminal commands, exfiltrate your credentials, and send messages on your behalf.

That distinction changes the economics of supply chain attacks entirely.

ClawHavoc: anatomy of the campaign

Koi Security’s audit of all 2,857 skills on ClawHub at the time of investigation found 341 malicious entries. Of those, 335 traced to a single coordinated operation. The skills masqueraded as high-demand tools across predictable categories: cryptocurrency trading bots (Solana wallets, Polymarket traders), YouTube utilities, Google Workspace integrations, and auto-updaters.

“You install what looks like a legitimate skill, maybe solana-wallet-tracker or youtube-summarize-pro,” Yomtov wrote in Koi’s disclosure. “The skill’s documentation looks professional.”

The attack pattern was not technically sophisticated. It didn’t need to be. The skills used social engineering baked into their own documentation. Fake “prerequisites” sections instructed users to execute terminal commands or download “helper tools” from attacker-controlled domains. Trend Micro’s analysis, published February 23, documented 39 additional skills that manipulated OpenClaw into installing a fake CLI tool that delivered the Atomic macOS Stealer (AMOS), a malware-as-a-service product designed to harvest Apple keychains, browser credentials, SSH keys, and crypto wallets.

Sailesh Mishra and Sean P. Morgan, researchers at Palo Alto Networks, connected the threat to OpenClaw’s persistent memory capability. “With persistent memory, attacks are no longer just point-in-time exploits. They become stateful, delayed-execution attacks,” they wrote. “Malicious payloads no longer need to trigger immediate execution on delivery.”

That observation deserves emphasis. A poisoned skill doesn’t have to detonate immediately. It can fragment instructions across memory, wait for the right conditions, and execute later. The attack surface isn’t just what the skill does on install. It’s what the agent does over time.

The numbers kept getting worse

By mid-February, Bitdefender’s independent analysis placed the malicious count at approximately 900 packages, roughly 20% of the total ecosystem. The company’s technical advisory provided something the other reports didn’t: concrete evidence that employees were deploying OpenClaw on corporate devices, often with a single-line install command and no SOC visibility.

Bitdefender identified 14 users contributing malicious content to ClawHub. One account, hightower6eu, uploaded 354 malicious packages. Another, davidsmorais, was an established GitHub account from 2016 that uploaded a mix of clean and malicious skills, a hallmark of account takeover. The account sakaen736jih was observed submitting new malicious skills every few minutes, suggesting automated deployment scripts.

Meanwhile, SecurityScorecard identified 135,000 OpenClaw instances exposed to the public internet. Of those, over 12,800 were directly exploitable via CVE-2026-25253, a one-click remote code execution vulnerability with a CVSS score of 8.8, patched in version 2026.1.29 but still unpatched across thousands of deployments.

The vulnerability was discovered by Mav Levin of the depthfirst research team. It was one of nine CVEs disclosed in rapid succession between late January and early February 2026. Five security advisories in under a week, for a project that had become one of the most-starred repositories on GitHub.

Token Security reported that 22% of its enterprise customers had employees actively using the tool, likely without IT approval.

Why this is not just npm again

The comparison to npm is useful but incomplete. The core pattern is identical: open registry, no code signing, no sandboxing, no automated scanning, and a community moderation model that cannot scale to meet attacker velocity. Gartner predicted in 2021 that 45% of organizations would experience software supply chain attacks by 2025. That prediction was based on the npm and PyPI model. ClawHub proved the prediction was too conservative for AI agent ecosystems.

But the blast radius is categorically different, and I say this as someone who architects agent systems at enterprise scale.

A malicious npm package typically has access to the build environment and whatever secrets are in the CI/CD pipeline. A malicious OpenClaw skill has access to everything the agent has access to: your email, your filesystem, your messaging apps, your OAuth tokens, your terminal, and your persistent memory. The skill doesn’t need to escalate privileges. The agent already has them.

The speed differential matters too. The original npm left-pad incident in 2016 and the ua-parser-js compromise in 2021 unfolded over days and weeks. ClawHavoc went from zero malicious skills to 20% registry penetration in approximately four weeks. The campaign scaled faster because the barrier to entry was lower (one-week-old GitHub account), the tooling for mass publication was simpler (automated upload scripts), and the incentive structure was richer (agent credentials are worth more than build-time secrets because they provide ongoing access to the user’s entire digital life).

Paul McCarty, a vulnerability researcher who independently identified 386 malicious ClawHub skills between February 1 and 3, documented the response gap. When he contacted the OpenClaw team about the malicious packages, he reported that the project's creator, Peter Steinberger, replied that he had too much to do to address the issue. When the project maintainer is overwhelmed and the attacker is automated, the outcome is predetermined.

Simon Willison, the security researcher who coined the term prompt injection, described this architectural reality as the “lethal trifecta” for AI agents: access to private data, exposure to untrusted content, and the ability to communicate externally. Palo Alto Networks extended the metaphor: persistent memory acts as an accelerant, turning the trifecta into a time-bomb. When all three capabilities coexist in a system that also remembers, a single poisoned input can fragment across sessions and detonate when conditions align.

ClawHub is what happens when that architecture meets an unvetted marketplace.

The vulnerability cascade

While the supply chain poisoning was the highest-impact problem, it ran in parallel with a cascade of framework-level vulnerabilities that compounded the risk.

CVE-2026-25253, discovered by Mav Levin of DepthFirst, was a one-click remote code execution chain exploitable even against localhost-bound instances. It carried a CVSS 8.8 score and was patched in version 2026.1.29 on January 30, 2026. But it was only the first in a series. CVE-2026-25157 and CVE-2026-24763, both command injection vulnerabilities, were disclosed days later. Two more advisories followed on February 4. By late February, the total had climbed past nine CVEs, including server-side request forgery, authentication bypass, and path traversal.

Kaspersky’s initial audit of the OpenClaw codebase found 512 vulnerabilities, eight of which were classified as critical. That’s before the supply chain issues.

Endor Labs provided additional context in late February by documenting a “ClawJacked” vulnerability that allowed malicious websites to hijack local OpenClaw agents via WebSocket. And Eye Security discovered a log poisoning vulnerability that allowed attackers to embed indirect prompt injections by writing to OpenClaw’s log files via WebSocket requests to a publicly accessible instance. “If the injected text is interpreted as meaningful operational information rather than untrusted input, it could influence decisions, suggestions, or automated actions,” Eye Security’s researchers wrote.

The cumulative picture: a framework with critical RCE vulnerabilities, a marketplace with 20% malicious packages, 135,000 internet-exposed instances, and a log system susceptible to prompt injection. Every layer of the stack was compromised simultaneously.

The governance vacuum

ClawHub’s moderation model at the time of the campaign was minimal. Anyone with a GitHub account at least one week old could publish a skill. There was no automated static analysis, no code signing, no sandboxing, and no review process. After the crisis, OpenClaw’s creator Peter Steinberger introduced a reporting feature allowing signed-in users to flag skills. Skills with more than three unique reports were auto-hidden. Each user could file up to 20 active reports at a time.

This is reactive moderation against automated attacks. The math doesn’t work. When one attacker can submit a new malicious skill every few minutes via automated scripts, and removal requires three separate human reports, the economics favor the attacker by several orders of magnitude.

Snyk’s ToxicSkills analysis added another dimension: 36% of all ClawHub skills contained detectable prompt injection. Not malware in the traditional sense, but instructions embedded in skill documentation that could manipulate the agent into taking unintended actions. Even the “clean” packages weren’t necessarily safe.

As one of OpenClaw’s own maintainers put it in the project’s Discord, in a statement quoted by Conscia: “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.” That’s candid, but it’s not a security model.

Thoughtworks went further, restricting OpenClaw on their managed systems entirely. Their security team’s assessment was blunt: “We’re still in the early days. The tooling for agent observability isn’t mature, the patterns aren’t proven and the telemetry standards are still emerging. For now, the most important advice is the simplest: don’t connect these agents to sensitive data or high-stakes operations.”

Microsoft’s Defender Security Research Team issued an advisory that cut through the noise: “Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation.”

When Microsoft tells you not to run something on a standard workstation, and 22% of enterprise employees are running it anyway, you have a shadow AI problem that no policy can solve retroactively.

I spend my days architecting AI agent systems for enterprise environments. I know exactly what happens when convenience and capability outpace governance: shadow deployment at scale, credential sprawl, and an attack surface nobody mapped because nobody knew it existed. The OpenClaw crisis is not a story about one open-source project’s security failures. It’s a preview of what happens to every AI agent ecosystem that ships extensibility before shipping security.

What this means for enterprise teams building agent systems

The ClawHavoc campaign exposed a gap that every organization building AI agent capabilities needs to address, whether they use OpenClaw or not.

First, your software supply chain governance was designed for libraries, not for agents. npm packages execute code in a process. AI agent plugins execute code with delegated authority. The difference in blast radius requires a different governance model: mandatory code review, allowlisted capabilities, sandboxed execution, and runtime monitoring. The same controls you apply to deploying a new microservice in production should apply to installing a new skill or plugin in an AI agent.

Second, agent registries are now a tier-one attack surface. Any system that allows third-party extensions to an AI agent, whether it’s an MCP server registry, a skill marketplace, or a plugin ecosystem, inherits the same structural vulnerability that ClawHub exposed. If your internal teams are building agent extensibility, they need to answer the same questions that ClawHub couldn’t: who reviews submissions, what execution sandbox exists, and what happens when a malicious extension is discovered?

Third, shadow AI agent deployment is already happening in your organization. Token Security’s finding that 22% of enterprise customers had employees running OpenClaw without IT approval is not an outlier. It’s the leading edge of a pattern. Your SOC needs a discovery mechanism for AI agent frameworks, and your security policy needs to address them explicitly.

Fourth, the naming churn itself creates attack surface. OpenClaw has been called Clawdbot, Moltbot, and OpenClaw within three months. Joe Kelley, an AI security researcher quoted in Infosecurity Magazine’s coverage, noted that this rapid rebranding “creates ideal conditions for confusion attacks like impersonation, typosquatting and fake repositories.” When the legitimate project can’t keep a stable name, distinguishing official packages from impersonation becomes nearly impossible at scale.

What to do Monday morning

Here are five actions, none of which require buying anything:

Scan your network for OpenClaw instances. Check for TCP port 18789 (the default control UI port) and look for the binary signatures and process names associated with OpenClaw, Moltbot, and Clawdbot. All three names have been used for the same project.

If you find instances, isolate them immediately and revoke every API key, OAuth token, and credential configured in the agent’s environment files (~/.clawdbot/.env, ~/.openclaw/credentials/). Assume compromise until proven otherwise.

Create an organizational policy on AI agent frameworks that names which are approved and which are prohibited. If the policy doesn’t exist, the default is whatever individual employees decide to install.

Audit any internal AI tool registries, MCP server directories, or agent plugin systems for the same architectural vulnerabilities that made ClawHub exploitable: no moderation, no signing, no sandboxing, and no automated scanning.

Implement network-level monitoring for unexpected outbound connections from AI agent processes. The ClawHavoc campaign exfiltrated credentials to webhook.site and attacker-controlled domains. That traffic is detectable if you’re looking for it.
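As an added example (not code from this article or from the OpenClaw project), here are the first, second and fifth actions above scripted against constructed scan, process-inventory and egress-log samples. The key=value log format, the hypothetical llm-provider.example and attacker-domain.example hosts, and the sample addresses are assumptions; the port, process names, credential paths and webhook.site come from the article.

```python
import re

AGENT_NAMES = ("openclaw", "moltbot", "clawdbot")  # one project, three names in the wild
CONTROL_UI_PORT = 18789                              # default control UI port
CREDENTIAL_PATHS = ("~/.clawdbot/.env", "~/.openclaw/credentials/")
# webhook.site is the endpoint the campaign used; the second is a constructed placeholder.
EXFIL_DOMAINS = {"webhook.site", "attacker-domain.example"}

# Constructed samples: (host, port) from a scan, (host, process) from EDR, key=value egress log.
PORT_SCAN = [("10.0.1.5", 22), ("10.0.1.5", 18789), ("10.0.1.9", 443), ("10.0.2.17", 18789)]
PROCESSES = [("10.0.1.5", "openclaw-gateway"), ("10.0.1.9", "node"), ("10.0.3.4", "moltbot-helper")]
EGRESS_LOG = """\
2026-02-10T09:12:01Z host=10.0.1.5 proc=openclaw-gateway dst=llm-provider.example:443
2026-02-10T09:12:44Z host=10.0.1.5 proc=openclaw-gateway dst=webhook.site:443
2026-02-10T09:13:02Z host=10.0.3.4 proc=moltbot dst=attacker-domain.example:8443
2026-02-10T09:13:30Z host=10.0.1.9 proc=node dst=registry.npmjs.org:443
2026-02-10T09:14:00Z host=10.0.1.9 proc=chrome dst=webhook.site:443
"""
LOG_RE = re.compile(r"host=(\S+) proc=(\S+) dst=([^:\s]+):(\d+)")

def is_agent_process(name):
    return any(a in name.lower() for a in AGENT_NAMES)

def find_agent_hosts(port_scan, processes):
    """Action 1: hosts exposing the control UI port or running an agent process."""
    reasons = {}
    for host, port in port_scan:
        if port == CONTROL_UI_PORT:
            reasons.setdefault(host, set()).add(f"tcp/{port} open")
    for host, proc in processes:
        if is_agent_process(proc):
            reasons.setdefault(host, set()).add(f"process {proc}")
    return reasons

def flag_egress(log_text, agent_hosts):
    """Action 5: agent traffic to exfil domains; a browser hitting webhook.site is not flagged."""
    hits = []
    for line in log_text.splitlines():
        if m := LOG_RE.search(line):
            host, proc, dst, port = m.groups()
            if dst in EXFIL_DOMAINS and (is_agent_process(proc) or host in agent_hosts):
                hits.append((host, proc, dst, int(port)))
    return hits

def triage(port_scan, processes, log_text):
    """Action 2 per host: confirmed exfil is critical; every agent host still gets isolate + revoke."""
    hosts = find_agent_hosts(port_scan, processes)
    exfil = {}
    for hit in flag_egress(log_text, hosts):
        hosts.setdefault(hit[0], set()).add(f"process {hit[1]} (egress log)")
        exfil.setdefault(hit[0], []).append(hit)
    return {h: {"reasons": sorted(why), "exfil": exfil.get(h, []),
                "severity": "critical" if h in exfil else "high",
                "action": "isolate; revoke every key in " + ", ".join(CREDENTIAL_PATHS)}
            for h, why in hosts.items()}
```

On the sample data, 10.0.1.5 and 10.0.3.4 come back critical (agent process talking to an exfil domain), 10.0.2.17 comes back high on the open port alone, and the workstation whose browser touched webhook.site is not in the report.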

The pattern that should concern you most

OpenClaw went from zero to 180,000 GitHub stars in weeks. ClawHub went from zero to 20% malicious in about the same timeframe. The adoption curve for AI agent tools is steep. The security maturity curve is flat.

Every AI agent framework that ships with an extensibility model will face this test. The question is whether the governance infrastructure arrives before or after the first large-scale poisoning campaign. For OpenClaw, it arrived after.

The organizations that learn from ClawHavoc won’t be the ones that ban AI agent tools. They’ll be the ones that build the registry governance, sandboxing, and monitoring infrastructure before their employees find the next ClawHub.

The supply chain nightmare didn’t repeat because open-source security is broken. It repeated because the AI agent ecosystem rebuilt the same architecture, with broader system access, and assumed the old governance models would still hold.

They didn’t.