Malware Hits AI Agent Platform

A security audit of OpenClaw’s ClawHub, a marketplace for AI agent skills, found that 341 of 2,857 skills contained malicious code. The majority of the compromised skills deployed malware designed to steal cryptocurrency wallets and user credentials, highlighting significant supply chain risks in the emerging AI agent ecosystem.

- A coordinated campaign dubbed "ClawHavoc" accounted for 335 of the 341 malicious skills discovered. The primary payload was the Atomic macOS Stealer (AMOS), a type of malware-as-a-service designed to harvest browser credentials, keychain passwords, and cryptocurrency wallet information.
- Attackers used social engineering within the skill documentation, instructing users to install a "prerequisite" which was actually the malware. They also employed typosquatting, using names that closely resembled legitimate and popular tools to trick users into accidental installations.
- The malicious skills were often disguised as high-demand tools, including cryptocurrency wallets, YouTube utilities, and integrations for platforms like Polymarket and Google Workspace, to maximize their reach.
- The security audit that uncovered the malware was conducted by researchers at Koi Security, who analyzed all 2,857 skills available on ClawHub at the time.
- In response to the findings, OpenClaw has partnered with Google's VirusTotal to automatically scan all new and existing skills on ClawHub for malicious code. Skills flagged as malicious are blocked, while suspicious ones are displayed with a warning.
- The incident highlights a significant vulnerability in the AI agent ecosystem, where the design of platforms like OpenClaw can grant agents extensive system access to execute commands and handle files, creating a powerful new attack surface.
- Beyond stealing user credentials, some of the malicious skills were designed to exfiltrate the AI agent's own credentials from configuration files or even open a reverse shell, giving the attacker full remote control over the user's system.
- This event is part of a larger trend of threat actors abusing legitimate platforms to distribute malware and targeting the AI software supply chain through methods like data poisoning and compromising code libraries.
