Executive Summary
In early 2026, the OpenClaw AI agent ecosystem suffered a large supply chain attack. Malicious actors uploaded hundreds of compromised skills to ClawHub, OpenClaw's official skill marketplace, embedding infostealers and enabling agentic financial fraud; reported counts range from 341 to more than 800 malicious skills, depending on the source. The campaign exposed more than 135,000 OpenClaw instances and highlights critical weaknesses in AI agent platforms. The incident underscores the need for stronger security controls across AI supply chains, as attackers increasingly use these platforms to distribute malware and run sophisticated cyber operations.
Why This Matters Now
The OpenClaw incident exemplifies the growing threat of supply chain attacks against AI ecosystems. As AI agents are wired into more critical operations, holding credentials and acting with little human review, securing the components they load is essential to preventing widespread exploitation and data breaches.
Attack Path Analysis
Attackers abused ClawHub, OpenClaw's skill marketplace, to distribute malicious skills that compromised user systems; the skills passed the marketplace's automated scanners and reached victims as apparently legitimate installs. Once installed, a skill escalated its privileges by disabling user confirmation prompts and escaping the container sandbox, then moved laterally within the victim's environment to reach sensitive files and services. It established command and control channels to receive further instructions and to exfiltrate data, including authentication tokens and financial data, to attacker-controlled servers. The result was unauthorized financial transactions and potential system disruption.
Kill Chain Progression
Initial Compromise
Description
Attackers uploaded malicious skills to ClawHub, exploiting vulnerabilities in OpenClaw's skill marketplace to distribute malware.
Related CVEs
CVE-2026-25253 (CVSS 8.8)
A token exfiltration vulnerability in OpenClaw's Control UI allows remote attackers to execute arbitrary code by tricking users into clicking a malicious link.
Affected Products: OpenClaw, versions before 2026.1.29
Exploit Status: exploited in the wild
CVE-2026-24763 (CVSS 8.8)
A command injection vulnerability in OpenClaw's Docker PATH handling allows attackers to execute arbitrary commands on the host system.
Affected Products: OpenClaw, versions before 2026.2.15
Exploit Status: exploited in the wild
CVE-2026-25157 (CVSS 7.5)
An OS command injection vulnerability in OpenClaw allows attackers to execute arbitrary commands on the host system.
Affected Products: OpenClaw, versions before 2026.2.20
Exploit Status: exploited in the wild
MITRE ATT&CK® Techniques
Compromise Software Supply Chain
Obtain Capabilities: Artificial Intelligence
Application Layer Protocol: Web Protocols
Command and Scripting Interpreter: PowerShell
Modify Registry
OS Credential Dumping: LSASS Memory
Exfiltration Over C2 Channel
Data Encrypted for Impact
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Application Security
Control ID: 500.08
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Data Security
Control ID: Pillar 3: Data
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI skill marketplace supply chain attacks targeting agentic systems create critical vulnerabilities in software development pipelines and automated coding frameworks.
Financial Services
Agentic financial fraud through malicious AI skills poses severe risks to automated trading systems, fraud detection algorithms, and customer service bots.
Information Technology/IT
The infostealers distributed through ClawHub evaded automated scanners, which threatens IT infrastructure and AI-powered network management systems across organizations.
Computer/Network Security
Security vendors face a direct threat from AI supply chain attacks that evade detection while delivering advanced infostealers through trusted marketplaces.
Sources
- OpenClaw's Skill Marketplace and the Emerging AI Supply Chain Threat (Palo Alto Networks Unit 42): https://unit42.paloaltonetworks.com/openclaw-ai-supply-chain-risk/
- The OpenClaw Crisis: 800+ Malicious Skills, 135K Exposed Instances, and the Biggest AI Agent Security Breach of 2026 (AgentMarketCap): https://agentmarketcap.ai/blog/2026/04/05/openclaw-crisis-supply-chain-attacks-agent-security-breach-2026
- ClawHavoc Explained: Inside the Largest AI Skills Supply Chain Attack: https://openclaw.nasseroumer.com/blog/clawhavoc-supply-chain-attack/
- OpenClaw Marketplace Flooded with 341 Malicious Skills in Major Supply Chain Attack (Secure Blink): https://www.secureblink.com/cyber-security-news/open-claw-marketplace-flooded-with-341-malicious-skills-in-major-supply-chain-attack
- Cline CLI 2.3.0 Supply Chain Attack: OpenClaw Unauthorized Installation on Developer and CI/CD Systems (Rescana): https://www.rescana.com/post/cline-cli-2-3-0-supply-chain-attack-openclaw-unauthorized-installation-on-developer-and-ci-cd-syste
- OpenClaw AI hub faces wave of poisoned plugins, SlowMist warns (Cointelegraph): https://cointelegraph.com/news/openclaw-ai-plugin-hub-supply-chain-poisoning
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The CNSF may have limited the reach of malicious uploads by enforcing strict identity-based policies, potentially reducing the distribution of unauthorized skills.
Control: Zero Trust Segmentation
Mitigation: Zero Trust Segmentation could have constrained the malware's ability to escalate privileges by enforcing strict access controls, potentially limiting unauthorized privilege gains.
Control: East-West Traffic Security
Mitigation: East-West Traffic Security could have limited the malware's lateral movement by enforcing strict workload isolation, potentially reducing the spread to other resources.
Control: Multicloud Visibility & Control
Mitigation: Multicloud Visibility & Control could have constrained the establishment of command and control channels by monitoring and controlling outbound communications, potentially limiting unauthorized external connections.
Control: Egress Security & Policy Enforcement
Mitigation: Egress Security & Policy Enforcement could have limited data exfiltration by enforcing strict outbound policies, potentially reducing unauthorized data transfers.
The implemented controls could have reduced the scope of unauthorized financial transactions and system disruptions by limiting the attacker's reach within the environment.
Impact at a Glance
Affected Business Functions
- Software Development
- Continuous Integration/Continuous Deployment (CI/CD)
- System Administration
Estimated downtime: 14 days
Estimated loss: $5,000,000
Potential exposure of sensitive source code, API keys, and developer credentials.
Recommended Actions
Key Takeaways & Next Steps
- Upgrade OpenClaw to 2026.2.20 or later, the earliest release that addresses all three CVEs listed in this report, and confirm the running version on every agent host.
- Implement strict code signing and validation for all third-party skills: verify the publisher's signature and per-file hashes before installation, and pin skill versions so an update cannot silently replace a trusted skill with a trojaned one.
- Enforce zero trust segmentation to limit the impact of compromised components and prevent lateral movement.
- Deploy egress security and policy enforcement to monitor and control outbound traffic from agent hosts, mitigating command and control and data exfiltration risks.
- Use threat detection and anomaly response systems to identify and respond to malicious activity promptly.
- Regularly audit and update security controls to address emerging threats in AI agent ecosystems.