macOS Malware Campaign Exploits OpenClaw AI Skills

- The Atomic Stealer (AMOS) malware is sold as a Malware-as-a-Service (MaaS) and has been updated to include a backdoor, allowing attackers persistent access and the ability to execute arbitrary commands. This represents a significant escalation from its original data theft capabilities. - This campaign marks an evolution in distribution, shifting from cracked software to manipulating AI agent workflows. Malicious instructions hidden in `SKILL.md` files trick the AI agent into presenting a fake password dialog to the user, facilitating the infection. - The attackers uploaded hundreds of malicious skills to the ClawHub and SkillsMP repositories, some disguised as cryptocurrency tools, to carry out the supply chain attack. One analysis of over 2,800 skills on ClawHub found 341 to be malicious. - The AMOS variant used in this attack steals a wide array of data, including Apple Keychain contents, browser data from 19 different browsers, files from 150 cryptocurrency wallets, and messages from Telegram and Discord. - A recent security audit of the OpenClaw skills registry revealed systemic risks, finding that over 41% of more than 2,890 popular skills contained significant security vulnerabilities like command injection and credential exposure. - The OpenClaw framework's design has been criticized for structural flaws, such as storing API keys and other secrets in plaintext and having privileged access to host data while being open to untrusted inputs from the web and messaging apps. - A critical remote code execution vulnerability (CVE-2026-25253) was recently discovered in OpenClaw, which, combined with tens of thousands of publicly exposed instances, significantly amplifies the attack surface. - Historically, macOS malware distribution has often relied on social engineering, such as fake Adobe Flash Player installers (Flashback worm, 2012) or trojanized "cracked" applications, a method also previously used for AMOS distribution.