
OpenClaw Security Alert: Agent Takeover and Malicious npm Package


Recent issues surrounding OpenClaw can be summarized in one sentence: locally running executable agents are becoming a new attack surface. According to OpenClaw’s official security documentation, this agent can perform arbitrary shell command execution, file read and write operations, network service access, and message sending depending on configuration. In other words, it goes far beyond a typical chatbot and is closer to an executable tool that actually connects and operates between the local system and external services. If compromised, the impact can extend beyond simple information exposure and lead to command execution, credential access, data collection, and exfiltration in a chained sequence.


This issue can be broadly divided into two tracks.

  • The first is the OpenClaw core vulnerability known as ClawJacked.

    • According to Oasis Security and related reports, if a user runs the OpenClaw Gateway on localhost and visits a malicious website, JavaScript on that page can connect to the local WebSocket endpoint and attempt to brute-force the gateway password. If authentication succeeds, the attacker can register as a trusted device and take control of the agent. OpenClaw has already patched this issue; according to Oasis, the fix requires updating to 2026.2.25 or later.


  • The second is a more direct supply chain issue involving active compromise.

    • According to reporting cited by The Hacker News, an npm package named @openclaw-ai/openclawai was distributed while impersonating the OpenClaw installer. The package was uploaded on March 3, 2026, and had 178 downloads at the time of reporting. When installed, it executes a postinstall routine that reinstalls itself globally and launches an interface designed to resemble the legitimate installer. Behind that interface, however, it runs a multi-stage payload called GhostLoader, which installs remote access trojan (RAT) functionality and performs information stealing.
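The ClawJacked track above turns on two properties of a localhost service: a browser page from any site can open a WebSocket to it, and a password alone stands between that page and the agent. The block below is an added illustration written for this article, not OpenClaw's code, of the two server-side controls that shrink that exposure: an Origin allow-list (browsers always attach an Origin header to a WebSocket upgrade, so a foreign page cannot hide where the connection comes from) and a failure-count lockout. The port, the allowed origins, the request shape and the scenario are all hypothetical. Neither control replaces applying the patched release; they limit what an unpatched or misconfigured gateway gives away.

```javascript
// Added example (not OpenClaw's code): Origin allow-listing plus failed-auth
// lockout for a password-authenticated gateway listening on localhost.
// Port 8080 and the origin list are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080", "http://localhost:8080"]);

// Browser-originated WebSocket upgrades always carry an Origin header. A request
// with no Origin comes from a non-browser client (for example a CLI); accepting
// those is a policy choice, exposed here as allowNoOrigin.
function isOriginAllowed(origin, { allowNoOrigin = true } = {}) {
  if (origin == null) return allowNoOrigin;
  return ALLOWED_ORIGINS.has(origin);
}

// Compare without early exit so response timing does not reveal how much of the
// guess matched. In production code prefer crypto.timingSafeEqual from node:crypto.
function safeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(a), y = enc.encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  return diff === 0;
}

// Every browser-initiated connection to a localhost service arrives from 127.0.0.1,
// so throttling per peer address is meaningless here. The throttle is keyed by a
// caller-chosen bucket; a single-user gateway uses one global bucket.
class AuthThrottle {
  constructor({ maxFailures = 5, lockoutMs = 60_000, now = Date.now } = {}) {
    this.maxFailures = maxFailures;
    this.lockoutMs = lockoutMs;
    this.now = now;
    this.buckets = new Map(); // bucket -> { failures, lockedUntil }
  }
  isLocked(bucket) {
    const s = this.buckets.get(bucket);
    return s !== undefined && s.lockedUntil > this.now();
  }
  // Returns true when this failure triggered a lockout.
  recordFailure(bucket) {
    const s = this.buckets.get(bucket) ?? { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.lockedUntil = this.now() + this.lockoutMs;
      s.failures = 0;
    }
    this.buckets.set(bucket, s);
    return s.lockedUntil > this.now();
  }
  recordSuccess(bucket) { this.buckets.delete(bucket); }
}

// req is a constructed shape { origin, password }; order of checks matters:
// reject the origin first so foreign pages never reach the password check.
function handleAuth(req, expectedPassword, throttle, bucket = "global") {
  if (!isOriginAllowed(req.origin)) return { ok: false, reason: "origin-rejected" };
  if (throttle.isLocked(bucket)) return { ok: false, reason: "locked-out" };
  if (!safeEqual(req.password, expectedPassword)) {
    const nowLocked = throttle.recordFailure(bucket);
    return { ok: false, reason: nowLocked ? "locked-out" : "bad-password" };
  }
  throttle.recordSuccess(bucket);
  return { ok: true, reason: "authenticated" };
}

// Constructed scenario with an injectable clock: one foreign-origin attempt, three
// wrong guesses from an allowed origin, then the correct password before and
// after the lockout expires.
function runScenario() {
  let clock = 0;
  const throttle = new AuthThrottle({ maxFailures: 3, lockoutMs: 1000, now: () => clock });
  const secret = "correct horse battery staple"; // constructed
  const results = [];
  results.push(handleAuth({ origin: "https://other-site.example", password: secret }, secret, throttle).reason);
  for (const guess of ["a", "b", "c"]) {
    results.push(handleAuth({ origin: "http://localhost:8080", password: guess }, secret, throttle).reason);
  }
  results.push(handleAuth({ origin: "http://localhost:8080", password: secret }, secret, throttle).reason);
  clock = 2000;
  results.push(handleAuth({ origin: "http://localhost:8080", password: secret }, secret, throttle).reason);
  return results;
}

console.log(runScenario());
```

Note that the lockout is deliberately global rather than per client: on a localhost service the attacker's page and the legitimate user share the same source address, so a lockout briefly blocks the user too, which is the intended trade-off for a single-user tool.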


What makes the analysis more concerning is that this malicious package is not a simple dropper. Reported capabilities include access to the macOS Keychain and iCloud Keychain; collection of browser-stored passwords, cookies, card information and autofill data; harvesting of SSH keys and cryptocurrency wallet information; access to iMessage data; persistence mechanisms; remote command execution; SOCKS5 proxy functionality; and browser session cloning. In other words, a package that a developer believes is simply installing OpenClaw can instead run a malicious chain that turns the entire developer workstation into a remotely controllable asset.
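The installation chain described above is driven entirely by lifecycle scripts that npm runs automatically, which is also where a defender can intervene before anything executes. The block below is an added example written for this article, not OpenClaw's installer or npm's own code: it audits a package manifest against an allow-list of package names the team actually intends to install and flags lifecycle hooks whose commands reinstall globally, fetch remote content, evaluate inline code or pipe into a shell. Both manifests, the scope names and the allow-list are constructed.

```javascript
// Added example: manifest audit run before lifecycle scripts are allowed.
// Not OpenClaw's or npm's code; manifests and names below are constructed.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Command fragments that deserve a human look before a hook runs.
const SUSPICIOUS = [
  { id: "global-reinstall", re: /\bnpm\s+(?:i|install)\b[^&|;]*(?:\s-g\b|--global\b)/ },
  { id: "remote-fetch", re: /\b(?:curl|wget)\b/ },
  { id: "inline-eval", re: /\bnode\s+(?:-e|--eval)\b/ },
  { id: "shell-pipe", re: /\|\s*(?:sh|bash|zsh)\b/ },
  { id: "encoded-payload", re: /\bbase64\b/i },
];

// Returns { name, nameTrusted, hooks, verdict } where verdict is
// "block" (untrusted name or a flagged hook), "review" (unflagged hooks present)
// or "allow" (trusted name and no lifecycle hooks at all).
function auditManifest(manifestText, trustedNames) {
  const pkg = JSON.parse(manifestText);
  const scripts = pkg.scripts ?? {};
  const hooks = [];
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd !== "string") continue;
    const reasons = SUSPICIOUS.filter(s => s.re.test(cmd)).map(s => s.id);
    hooks.push({ hook, command: cmd, reasons });
  }
  const nameTrusted = trustedNames.includes(pkg.name);
  let verdict = "allow";
  if (!nameTrusted || hooks.some(h => h.reasons.length > 0)) verdict = "block";
  else if (hooks.length > 0) verdict = "review";
  return { name: pkg.name, nameTrusted, hooks, verdict };
}

// Hypothetical allow-list: the one installer package the team intends to use.
const TRUSTED_NAMES = ["@trusted-scope/agent-installer"];

// Constructed look-alike manifest: a postinstall hook that reinstalls itself globally.
const LOOKALIKE_MANIFEST = JSON.stringify({
  name: "@lookalike-scope/agent-installer",
  version: "0.0.1",
  scripts: {
    postinstall: "node ./setup.js && npm install -g @lookalike-scope/agent-installer",
    build: "tsc",
  },
});

// Constructed manifest for the trusted name with a benign hook.
const TRUSTED_MANIFEST = JSON.stringify({
  name: "@trusted-scope/agent-installer",
  version: "1.4.0",
  scripts: { postinstall: "node ./print-notice.js", test: "node --test" },
});

console.log(auditManifest(LOOKALIKE_MANIFEST, TRUSTED_NAMES));
console.log(auditManifest(TRUSTED_MANIFEST, TRUSTED_NAMES));
```

Pattern matching on script text catches the obvious cases only; the stronger control is to run `npm install --ignore-scripts` (or set `npm config set ignore-scripts true`) on developer machines so that no lifecycle hook runs until someone has read it, and to resolve installer packages through a lock file pinned to the name and version that were reviewed.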

Based on publicly disclosed information, this case is better understood as two distinct threats operating side by side than as one that a small set of fixed IoCs could describe. One is the OpenClaw core vulnerability exploited through the localhost WebSocket (ClawJacked); the other is the distribution of a malicious npm package impersonating the OpenClaw installer. The first should be understood as vulnerability exploitation, the second as intrusion through an impersonated package.


The core issue here is not simply a malicious package using the name of a popular open source project. The more important shift is that agents running locally with command execution capability and external integrations are becoming operational assets. OpenClaw’s official security documentation explicitly states that this agent may have permissions related to shell execution, file access, network connectivity, and messaging. Ultimately, what attackers target is not a single executable file, but the local privileges connected to the agent, the external integration permissions it holds, stored memory or session context, and the entire workflow linked to it. Particular caution is required in development environments, testing environments, personal automation environments, and shadow AI assets.


PAGO MDR Center Response to the OpenClaw Incident


The PAGO MDR Center operates through a workflow of threat research and investigation → threat hunting → detection engineering to effectively detect related threats.


The key principle in this type of threat detection is not to rely solely on a single file name or hash. Instead, PAGO focuses on identifying a continuous chain of behaviors leading to compromise: localhost-based agent communication, abnormal postinstall execution, credential access, exfiltration, and persistence establishment. This perspective aligns with the OpenClaw permission structure and with public analysis showing that ClawJacked and the impersonated npm package lead to compromise through local service abuse and installation-chain contamination, respectively.
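The chain-oriented principle above is easier to see in code than in prose. The block below is an added example written for this article, not PAGO's detection content and not tied to OpenClaw: it reads endpoint events as JSON lines, maps each to one of four stages (a process spawned by a package manager, a read of a credential store, a write to a persistence location, an outbound connection from a script runtime), and raises one alert per host only when at least three distinct stages, including the package-manager hook, fall inside a ten-minute window. The event schema, host names, paths and addresses are constructed; the paths are ordinary macOS locations (Keychains, .ssh, LaunchAgents) chosen to mirror the capabilities listed earlier.

```javascript
// Added example: behaviour-chain correlation over constructed endpoint events.
// Not PAGO's or OpenClaw's code. Event fields (ts, host, event, image, parent,
// path, dest) and every log line are invented for this illustration.
const PKG_MANAGERS = new Set(["npm", "npx", "yarn", "pnpm"]);
const SCRIPT_RUNTIMES = new Set(["node", "sh", "bash", "zsh", "python3", "osascript"]);
const CRED_PATHS = [/\/Library\/Keychains\//, /\/\.ssh\//, /\/Login Data$/, /\/Cookies$/];
const PERSIST_PATHS = [/\/LaunchAgents\/[^/]+\.plist$/, /\/\.(?:bashrc|zshrc|profile)$/];

// Each stage is a predicate over one event; an event maps to at most one stage.
const STAGES = {
  "package-hook-exec": e => e.event === "process_start" && PKG_MANAGERS.has(e.parent),
  "credential-access": e => e.event === "file_open" && CRED_PATHS.some(re => re.test(e.path)),
  "persistence": e => e.event === "file_write" && PERSIST_PATHS.some(re => re.test(e.path)),
  "outbound-from-runtime": e => e.event === "network_connect" && SCRIPT_RUNTIMES.has(e.image)
    && !/^(?:127\.|::1$|localhost$)/.test(e.dest),
};

function stageOf(e) {
  for (const [name, pred] of Object.entries(STAGES)) if (pred(e)) return name;
  return null;
}

// One alert per host once >= minStages distinct stages, including the package
// hook, occur within windowMs. Later in-window stage events extend that alert
// instead of opening a second one, so the alert lists the whole chain seen.
function correlate(lines, { windowMs = 10 * 60_000, minStages = 3 } = {}) {
  const events = lines.map(l => JSON.parse(l))
    .map(e => ({ ...e, t: Date.parse(e.ts), stage: stageOf(e) }))
    .filter(e => e.stage !== null)
    .sort((a, b) => a.t - b.t);
  const byHost = new Map();
  for (const e of events) {
    if (!byHost.has(e.host)) byHost.set(e.host, []);
    byHost.get(e.host).push(e);
  }
  const alerts = [];
  for (const [host, evs] of byHost) {
    let start = 0, open = null;
    for (let i = 0; i < evs.length; i++) {
      const e = evs[i];
      if (open && e.t - open.lastT <= windowMs) {
        open.stages = [...new Set([...open.stages, e.stage])].sort();
        open.lastSeen = e.ts;
        open.lastT = e.t;
        continue;
      }
      while (evs[start].t < e.t - windowMs) start++;
      const span = evs.slice(start, i + 1);
      const stages = [...new Set(span.map(w => w.stage))].sort();
      if (stages.length >= minStages && stages.includes("package-hook-exec")) {
        open = { host, firstSeen: span[0].ts, lastSeen: e.ts, stages, lastT: e.t };
        alerts.push(open);
      }
    }
  }
  return alerts;
}

// Constructed log lines: dev-mac-01 shows the full chain; dev-mac-02 runs an
// ordinary build hook plus loopback and browser traffic and must stay quiet.
const SAMPLE_LOG_LINES = [
  { ts: "2026-03-04T10:00:00Z", host: "dev-mac-01", event: "process_start", image: "sh", parent: "npm", cmdline: "sh -c node ./setup.js" },
  { ts: "2026-03-04T10:00:05Z", host: "dev-mac-01", event: "file_open", image: "node", path: "/Users/dev/Library/Keychains/login.keychain-db" },
  { ts: "2026-03-04T10:00:20Z", host: "dev-mac-01", event: "file_open", image: "node", path: "/Users/dev/.ssh/id_ed25519" },
  { ts: "2026-03-04T10:01:00Z", host: "dev-mac-01", event: "file_write", image: "node", path: "/Users/dev/Library/LaunchAgents/com.example.updater.plist" },
  { ts: "2026-03-04T10:01:30Z", host: "dev-mac-01", event: "network_connect", image: "node", dest: "203.0.113.10", port: 443 },
  { ts: "2026-03-04T10:00:00Z", host: "dev-mac-02", event: "process_start", image: "node", parent: "npm", cmdline: "node ./build.js" },
  { ts: "2026-03-04T10:00:02Z", host: "dev-mac-02", event: "network_connect", image: "node", dest: "127.0.0.1", port: 3000 },
  { ts: "2026-03-04T10:00:10Z", host: "dev-mac-02", event: "network_connect", image: "Google Chrome", dest: "198.51.100.7", port: 443 },
].map(o => JSON.stringify(o));

console.log(JSON.stringify(correlate(SAMPLE_LOG_LINES), null, 2));
```

The point of requiring the package-hook stage is precision: credential reads and outbound connections are common on a developer machine on their own, and it is the sequence anchored on an install-time process that distinguishes the chain this article describes from normal work.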


In other words, this case does not end as an issue affecting a single OpenClaw product. ClawJacked represents a problem where a localhost-based agent can be taken over through a malicious webpage, while the impersonated npm package represents a problem where the installation chain is compromised, leading directly to remote control and information theft. The forms differ, but the outcome is the same: both convert systems running executable agents into attacker footholds, enabling command execution, credential access, persistence establishment, and external data transfer.


The PAGO MDR Center interprets this type of incident not as a product-specific issue but as a new operational attack surface emerging across developer endpoints and testing assets. From an operational perspective, the key question is not simply which tool is being used, but which agents are installed, where they are running, what local privileges and external integration permissions they possess, and how installation and access chains involving npm, scripts, and browser-based interactions are controlled. Going forward, beyond the traditional perspectives of EDR, proxy, and browser security, there is a need to observe localhost-based agent communication, abnormal postinstall execution, credential access on developer systems, external data transfer, and persistence registration as parts of a single attack flow. The OpenClaw case clearly illustrates this turning point.


Sources:

  • OpenClaw Official Docs

  • Oasis Security

  • The Hacker News


Written by: Siwoo Lee, Threat Analyst | DeepACT MDR Center
