Infostealer Steals OpenClaw AI Agent Configuration Files and Gateway Tokens - The Hacker News

Infostealer Steals OpenClaw AI Agent Configuration Files and Gateway Tokens Ravie LakshmananFeb 16, 2026Artificial Intelligence / Threat Intelligence Cybersecurity researchers disclosed they have detected a case of an information stealer infection successfully exfiltrating a victim's OpenClaw (formerly Clawdbot and Moltbot) configuration environment. "This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI [artificial intelligence] agents," Hudson Rock said. Alon Gal, CTO of Hudson Rock, told The Hacker News that the stealer was likely a variant of Vidar based on the infection details. Vidar is an off-the-shelf information stealer that's known to be active since late 2018. That said, the cybersecurity company said the data capture was not facilitated by a custom OpenClaw module within the stealer malware, but rather through a "broad file-grabbing routine" that's designed to look for certain file extensions and specific directory names containing sensitive data. This included the following files - openclaw.json, which contains details related to the OpenClaw gateway token, along with the victim's redacted email address and workspace path. device.json, which contains cryptographic keys for secure pairing and signing operations within the OpenClaw ecosystem. soul.md, which contains details of the agent's core operational principles, behavioral guidelines, and ethical boundaries. It's worth noting that the theft of the gateway authentication token can allow an attacker to connect to the victim's local OpenClaw instance remotely if the port is exposed, or even masquerade as the client in authenticated requests to the AI gateway. "While the malware may have been looking for standard 'secrets,' it inadvertently struck gold by capturing the entire operational context of the user's AI assistant," Hudson Rock added. "As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today." The disclosure comes as security issues with OpenClaw prompted the maintainers of the open-source agentic platform to announce a partnership with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations. Last week, the OpenSourceMalware team detailed an ongoing ClawHub malicious skills campaign that uses a new technique to bypass VirusTotal scanning by hosting the malware on lookalike OpenClaw websites and using the skills purely as decoys, instead of embedding the payload directly in their SKILL.md files. "The shift from embedded payloads to external malware hosting shows threat actors adapting to detection capabilities," security researcher Paul McCarty said. "As AI skill registries grow, they become increasingly attractive targets for supply chain attacks." Another security problem highlighted by OX Security concerns Moltbook, a Reddit-like internet forum designed exclusively for artificial intelligence agents, mainly those running on OpenClaw. The research found that an AI Agent account, once created on Moltbook, cannot be deleted. This means that users who wish to delete the accounts and remove the associated data have no recourse. What's more, an analysis published by SecurityScorecard's STRIKE Threat Intelligence team has also found hundreds of thousands of exposed OpenClaw instances, potentially making users susceptible to remote code execution (RCE) risks. Fake OpenClaw Website Serving Malware "RCE vulnerabilities allow an attacker to send a malicious request to a service and execute arbitrary code on the underlying system," the cybersecurity company said. "When OpenClaw runs with permissions to email, APIs, cloud services, or internal resources, an RCE vulnerability can become a pivot point. A bad actor does not need to break into multiple systems. They need one exposed service that already has authority to act." OpenClaw has had a viral surge in interest since it first debuted in November 2025. As of writing, the open-source project has more than 200,000 stars on GitHub. On February 15, 2026, OpenAI CEO Sam Altman said OpenClaw's founder, Peter Steinberger, would be joining the AI company, adding, "OpenClaw will live in a foundation as an open source project that OpenAI will continue to support." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  artificial intelligence, Cloud security, cybersecurity, Infostealer, Malware, Open Source, supply chain attack, Threat Intelligence, Vulnerability Trending News ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Load More ▼ Popular Resources [Demo] Discover SaaS Risks and Monitor Every App in Your Environment Detect AI-Driven Threats Faster With Full Network Visibility SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats [Guide] Learn How to Govern AI Agents With Proven Market Guidance