ClawHub Market Infected with 1,184 Malicious Skills Targeting SSH Keys and Crypto Wallets

TechFlow
AI summary

ClawHub Market was hit by 1,184 malicious packages that target SSH keys and crypto wallets, according to TechFlow. One attacker uploaded 677 malicious packages, accounting for 57% of the total. These packages employ social engineering and prompt injection to steal browser passwords and enable reverse shells. OpenClaw is collaborating with VirusTotal to remove them. The incident underscores CFT (Countering the Financing of Terrorism) concerns within liquidity and crypto markets.

According to Awesome Agents, security researchers have discovered a severe supply chain attack on OpenClaw’s ClawHub plugin marketplace, with 1,184 malicious skills identified. These malicious skills are capable of stealing SSH keys, cryptocurrency wallets, browser passwords, and enabling reverse shells. Research shows that a single attacker uploaded 677 malicious packages, accounting for 57% of all malicious listings. Of all skills on ClawHub, 36.8% contain at least one security vulnerability, and over 135,000 exposed OpenClaw instances have been detected across 82 countries worldwide. The most popular malicious skill, "What Would Elon Do," was found to contain nine vulnerabilities, two of which are classified as critical. This skill achieved the top ranking through 4,000 fake downloads. These malicious skills primarily exploit "ClickFix" social engineering techniques and prompt injection attacks to target both users and AI agents simultaneously. OpenClaw has partnered with VirusTotal to scan all skills and remove malicious listings. Security experts recommend that users who have used ClawHub skills change all credentials, revoke API keys, and review their security settings.
