Infostealer malware targets OpenClaw AI agents, stealing API keys and authentication tokens

Infostealer malware found stealing OpenClaw secrets for first time

With the massive adoption of the OpenClaw agentic AI assistant, information-stealing malware has been spotted stealing files associated with the framework that contain API keys, authentication tokens, and other secrets. OpenClaw (formerly ClawdBot and MoltBot) is a local-running AI agent framework that maintains a persistent configuration and memory environment on the user's machine. The tool can access local files, log in to email and communication apps on the host, and interact with online services. Since its release, OpenClaw has seen widespread adoption worldwide, with users using it to help manage everyday tasks and act as an AI assistant. However, there has been concern that, given its popularity, threat actors may begin targeting the framework's configuration files, which contain authentication secrets used by the AI agent to access cloud-based services and AI platforms. Hudson Rock says they have documented the first in-the-wild instance of infostealers stealing files associated with OpenClaw to extract secrets stored within them. "Hudson Rock has now detected a live infection where an infostealer successfully exfiltrated a victim's OpenClaw configuration environment," reads the report. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents." HudsonRock had predicted this development since late last month, calling OpenClaw "the new primary target for infostealers" due to the highly sensitive data the agents handle and their relatively lax security posture. Alon Gal, co-founder and CTO of Hudson Rock, told BleepingComputer that it is believed to be a variant of the Vidar infostealer, with the data stolen on February 13, 2026, when the infection took place. Gal said the infostealer does not appear to target OpenClaw specifically, but instead executes a broad file-stealing routine that scans for sensitive files and directories containing keywords like "token" and "private key." As the files in the ".openclaw" configuration directory contained these keywords and others, they were stolen by the malware. The OpenClaw files stolen by the malware are: HudsonRock's AI analysis tool concluded that the stolen data is enough to potentially enable a full compromise of the victim's digital identity. The researchers comment that they expect information stealers to continue focusing on OpenClaw as the tool becomes increasingly integrated into professional workflows, incorporating more targeted mechanisms for AI agents. Meanwhile, Tenable discovered a max-severity flaw in nanobot, an ultra-lightweight personal AI assistant inspired by OpenClaw, that could potentially allow remote attackers to hijack WhatsApp sessions via exposed instances fully. Nanobot, released two weeks ago, already has 20k stars and over 3k forks on GitHub. The team behind the project released fixes for the flaw, tracked under CVE-2026-2577, in version 0.13.post7.

Infostealer Steals OpenClaw AI Agent Configuration Files and Gateway Tokens

Cybersecurity researchers disclosed they have detected a case of an information stealer infection successfully exfiltrating a victim's OpenClaw (formerly Clawdbot and Moltbot) configuration environment. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI [artificial intelligence] agents," Hudson Rock said. Alon Gal, CTO of Hudson Rock, told The Hacker News that the stealer was likely a variant of Vidar based on the infection details. Vidar is an off-the-shelf information stealer that's known to be active since late 2018. That said, the cybersecurity company said the data capture was not facilitated by a custom OpenClaw module within the stealer malware, but rather through a "broad file-grabbing routine" that's designed to look for certain file extensions and specific directory names containing sensitive data. This included the following files - It's worth noting that the theft of the gateway authentication token can allow an attacker to connect to the victim's local OpenClaw instance remotely if the port is exposed, or even masquerade as the client in authenticated requests to the AI gateway. "While the malware may have been looking for standard 'secrets,' it inadvertently struck gold by capturing the entire operational context of the user's AI assistant," Hudson Rock added. "As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today." The disclosure comes as security issues with OpenClaw prompted the maintainers of the open-source agentic platform to announce a partnership with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations. Last week, the OpenSourceMalware team detailed an ongoing ClawHub malicious skills campaign that uses a new technique to bypass VirusTotal scanning by hosting the malware on lookalike OpenClaw websites and using the skills purely as decoys, instead of embedding the payload directly in their SKILL.md files. "The shift from embedded payloads to external malware hosting shows threat actors adapting to detection capabilities," security researcher Paul McCarty said. "As AI skill registries grow, they become increasingly attractive targets for supply chain attacks." Another security problem highlighted by OX Security concerns Moltbook, a Reddit-like internet forum designed exclusively for artificial intelligence agents, mainly those running on OpenClaw. The research found that an AI Agent account, once created on Moltbook, cannot be deleted. This means that users who wish to delete the accounts and remove the associated data have no recourse. What's more, an analysis published by SecurityScorecard's STRIKE Threat Intelligence team has also found hundreds of thousands of exposed OpenClaw instances, likely exposing users to remote code execution (RCE) risks. "RCE vulnerabilities allow an attacker to send a malicious request to a service and execute arbitrary code on the underlying system," the cybersecurity company said. "When OpenClaw runs with permissions to email, APIs, cloud services, or internal resources, an RCE vulnerability can become a pivot point. A bad actor does not need to break into multiple systems. They need one exposed service that already has authority to act." OpenClaw has had a viral surge in interest since it first debuted in November 2025. As of writing, the open-source project has more than 200,000 stars on GitHub. On February 15, 2026, OpenAI CEO Sam Altman said OpenClaw's founder, Peter Steinberger, would be joining the AI company, adding, "OpenClaw will live in a foundation as an open source project that OpenAI will continue to support."

OpenClaw AI agents targeted by infostealer malware for the first time

Researchers warn infostealers may soon add dedicated modules to parse AI agent data, raising risks for professional workflow Thanks to its overnight success and widespread adoption, OpenClaw has painted a large target on its back and is now being attacked by infostealers, after security researchers Hudson Rock claimed to have seen a first-of-its-kind attack in the wild. OpenClaw (previously known as Clawdbot and Moltbot) is an open source AI assistant software designed to actually complete tasks, rather than just answer questions or generate multimedia. Users can set it up on their personal computers or servers, and connect it to apps such as Telegram, calendars, and similar, after which it can do practical tasks like managing emails, scheduling meetings and tasks, and automating workflows. But to set it up properly, users must give it certain secrets such as API keys, or authentication tokens. These get stored in the tool's configuration files which, if stolen, can grant attackers access to different apps and tools. Now, according to Hudson Rock, this is exactly what's now happening: "Hudson Rock has now detected a live infection where an infostealer successfully exfiltrated a victim's OpenClaw configuration environment," the company said in a report. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents." In this specific incident, the hackers weren't targeting OpenClaw itself - they simply managed to deploy an infostealer that grabbed as many sensitive files from the compromised system as possible. However, Hudson Rock expects this to change "rapidly", as more and more cybercriminals realize the value of OpenClaw configuration data. "As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today," the researchers concluded. Via BleepingComputer