Hacker Groups Massively Exploit OpenClaw Vulnerabilities to Steal API Keys and Deploy Malware
Multiple hacking groups have leveraged critical vulnerabilities in the open‑source AI framework OpenClaw—formerly MoltBot and ClawdBot—to conduct large‑scale credential theft, supply‑chain poisoning, and malware deployment, compromising tens of thousands of instances worldwide within days of its viral spread.
Part 01 – OpenClaw Mass Exploitation
Several hacker groups are widely abusing OpenClaw, an open‑source AI framework originally developed by Peter Steinberger (now at OpenAI). After a viral spread in late January 2026, the framework became a high‑risk attack target because it grants elevated privileges, persistent memory access, and integration with sensitive services.
Within 72 hours of large‑scale deployment, threat actors exploited multiple severe vulnerabilities, including a remote code execution flaw (CVE‑2026‑25253), supply‑chain poisoning, and credential theft via an exposed management interface. Flare analysts identified over 30,000 compromised OpenClaw instances used to steal API keys, intercept messages, and distribute malware through malicious communication channels such as Telegram.
Part 02 – ClawHavoc Attack Campaigns
On 29 January 2026, an early‑stage destructive operation named "ClawHavoc" was detected. This supply‑chain attack disguised payloads such as Atomic Stealer (macOS) and a Windows keylogger as legitimate encryption tools. Victims who ran the purported "install" script unknowingly installed the information‑stealing malware, allowing attackers to extract persistent memory data and move laterally across enterprise networks.
In early February, a second campaign surfaced in the OpenClaw community marketplace: "ClawHub" skill poisoning. Because the platform allows open publishing without code review, attackers uploaded back‑doored "skills" from seemingly trustworthy GitHub accounts (e.g., Hightower6eu). These updates executed remote shell commands, enabling real‑time exfiltration of OAuth tokens, passwords, and API keys.
A Shodan scan on 18 February 2026 revealed more than 312,200 OpenClaw instances listening on the default port 18789, many without authentication and directly exposed to the Internet. Honeypot data showed that once the management interface is exposed, attacks begin within minutes.
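For defenders auditing their own hosts, the following added example (not code from the original article, Flare, or the OpenClaw project) parses `ss -H -ltn` output and flags any listener on the default port 18789 that is bound beyond loopback. The sample output is constructed, the function names are hypothetical, and the check covers only the bind address, not whether authentication is enabled.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default port named in the article

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
SAMPLE = """\
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 511  127.0.0.1:18789   0.0.0.0:*
LISTEN 0 511  [::]:18789        [::]:*
LISTEN 0 511  192.0.2.10:18789  0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
"""

def split_host_port(local):
    """Split ss 'Local Address:Port' into (host, port); handles [v6] and %iface."""
    host, _, port = local.rpartition(":")
    return host.strip("[]").split("%", 1)[0], port

def classify(host):
    """Return 'loopback', 'all-interfaces', 'specific-interface' or 'unknown'."""
    if host == "*":  # ss prints * for a dual-stack wildcard socket
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"  # reported as a finding: fail closed on unparsable input
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # e.g. ::ffff:127.0.0.1
    if addr.is_unspecified:
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific-interface"

def exposed_listeners(ss_output, port=OPENCLAW_PORT):
    """List (local_address, scope) for listeners on `port` not limited to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, listen_port = split_host_port(fields[3])
        if listen_port == str(port) and classify(host) != "loopback":
            findings.append((fields[3], classify(host)))
    return findings

if __name__ == "__main__":
    for local, scope in exposed_listeners(SAMPLE):
        print(f"port {OPENCLAW_PORT} reachable beyond loopback: {local} ({scope})")
```

On a live Linux host, pass the text produced by `ss -H -ltn` to `exposed_listeners` in place of the sample.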
Experts warn that the OpenClaw incidents mark a turning point for AI‑agent security, demonstrating how organized threat groups can quickly weaponize ecosystems that prioritize functionality over security. Flare recommends that enterprises using autonomous assistants protect API credentials, isolate AI workloads, and adopt security‑by‑design practices for future AI frameworks.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
Black & White Path
