Beware: ClawHub Fake Fix Spreads Info-Stealing Malware
▼ Summary
– A new malware campaign on ClawHub delivers threats via malicious comments on popular, legitimate skills, not through fake skill downloads.
– The comment contains a Base64-encoded payload that downloads and executes the AMOS infostealer from a known malicious IP address.
– OpenClaw’s existing security scanning for skill packages does not detect this threat, as it is hidden within comments.
– The malicious IP has been previously linked to the ClawHavoc campaign, which also used skill documents to distribute malware.
– The comments target high-traffic skills, but the campaign is expected to be less successful due to increased user caution and security scrutiny.
A new and deceptive malware campaign is actively targeting users of ClawHub, the primary repository for skills that enhance the OpenClaw AI agent. This scheme cleverly bypasses traditional security checks by hiding malicious code not in a downloadable skill, but within seemingly helpful comments posted on popular, legitimate skills. Security researchers warn that this method poses a significant risk, as it exploits user trust and evades automated scanning systems designed to inspect skill packages.
The attack works by posting a troubleshooting comment on widely-used skills. At first glance, the comment appears to offer a solution to a common problem. In reality, it contains a Base64-encoded payload that acts as a malware loader. When decoded, this payload executes a command to fetch a shellcode loader from a known malicious IP address. The loader then removes macOS quarantine attributes and deploys the Atomic macOS (AMOS) infostealer, a piece of software designed to harvest sensitive information from infected systems.
This delivery method is particularly effective because ClawHub’s integrated security scanning, which is powered by VirusTotal, analyzes only the skill packages themselves. Comments are not scanned, allowing the malicious code to sit in plain sight. The research team at OpenGuardrails emphasized that encoding the payload within text significantly reduces the chance of detection by both users and automated security tools.
The infrastructure used in this attack has a known history. The IP address hosting the malware has been previously associated with the ClawHavoc malware distribution campaign. In that earlier incident, threat actors manipulated skill documentation to trick users into running a downloaded “agent” or pasting malicious Terminal commands, leading to the installation of Windows or macOS malware.
Currently, these malicious comments are appearing under some of the most downloaded skills on the platform, including those for popular services like Trello, Slack, and Google Drive. Several vigilant users and skill publishers have already identified the threat and are calling for the offending user account to be banned from the repository.
While this campaign represents a sophisticated shift in tactics, its overall impact may be limited compared to previous efforts. The OpenClaw user community is now more aware of security threats, and the broader cybersecurity community is monitoring the repository closely. This increased vigilance from both ends makes it harder for such deceptive tactics to succeed on a large scale. Staying informed about such threats is crucial for anyone using platforms where community contributions are a core feature.
(Source: HelpNet Security)
