Ethical Hacking News
MoltBot Skills Exploited to Distribute 400+ Malware Packages in Days
A recent campaign has exploited the MoltBot skills in OpenClaw, an open-source personal AI assistant platform, to distribute hundreds of malicious packages. The attackers used social engineering tactics and weak security checks on ClawHub's AI skills registry to trick users into running commands that installed password-stealing malware on Windows and macOS systems.
Malware developers exploited MoltBot skills in OpenClaw, an open-source personal AI assistant platform. The attack used social engineering tactics to trick users into running commands that installed password-stealing malware on Windows and macOS systems. The malicious skills posed as crypto trading tools to steal crypto keys, credentials, and passwords from unsuspecting users. The attackers managed to distribute hundreds of malicious skills using MoltBot skills exploited in OpenClaw. The campaign was a supply chain attack on Claude Code and Moltbot skills, targeting cryptocurrency traders for financial gain. Weak security checks in place on ClawHub's AI skills registry allowed the attackers to distribute malicious skills undetected. The attack required no technical exploits, relying instead on social engineering and lack of security review in the skills publication process.
Malware developers have recently found a way to exploit the MoltBot skills in OpenClaw, an open-source personal AI assistant platform. The malicious activities were discovered by researchers at OpenSourceMalware who noticed that hundreds of malicious OpenClaw packages were uploaded on ClawHub and GitHub. These malicious skills used social engineering tactics to trick users into running commands that installed password-stealing malware on Windows and macOS systems.
The malicious skills posed as crypto trading tools, with the goal of stealing crypto keys, credentials, and passwords from unsuspecting users. The attack relied on fake utilities presented as required authentication helpers but in reality were lured victims into running commands that downloaded malware from a shared command-and-control server. The attackers managed to distribute hundreds of these malicious skills using MoltBot skills exploited in OpenClaw.
The researchers also found that the campaign was a supply chain attack on Claude Code and Moltbot skills, using fake crypto-trading skills to trick users into installing info-stealing malware. This campaign relied on social engineering and weak security reviews, targeting cryptocurrency traders for financial gain. The attackers targeted users who used skills like "AuthTools" presented as required authentication helpers but were in reality fake utilities that lured victims into running commands that downloaded malware from a shared command-and-control server.
The malicious skills were discovered to be linked to an account called hightower6eu, which dominated the campaign by uploading dozens of near-identical skills that became some of the most downloaded on the platform. Despite being notified, the maintainer of ClawHub admitted that the registry cannot be secured and most malicious skills remain online.
The attackers used social engineering tactics in OpenClaw/ClawHub skills disguised as cryptocurrency tools. The documentation repeatedly instructed users to install so-called "AuthTools" presented as required authentication helpers but in reality were fake utilities that lured victims into running commands that downloaded malware from a shared command-and-control server. This attack was successful due to the weak security checks in place on ClawHub's AI skills registry.
The attackers targeted macOS and Windows users with scripts and binaries designed to bypass protections and steal crypto assets, credentials, and sensitive files. Hundreds of skills from multiple linked authors were involved, with many still available despite clear signs of malicious behavior. The researchers pointed out that this campaign was a supply chain attack on Claude Code and Moltbot skills, using fake crypto-trading skills to trick users into installing info-stealing malware.
The attack required no technical exploits, instead relying on social engineering and the lack of security review in the skills publication process. The targeting of cryptocurrency traders suggests financial motivation and careful selection of high-value victims. This campaign highlights the importance of secure AI skill registries and the need for better security checks to prevent such malicious activities from occurring.
The researchers concluded that this campaign represents a supply chain attack on Claude Code and Moltbot skills, using fake crypto-trading skills to trick users into installing info-stealing malware. The attackers exploited the trust relationship between users and the skills platform to distribute information-stealing malware. The attack required no technical exploits, instead relying on social engineering and the lack of security review in the skills publication process.
The researchers found that hundreds of malicious OpenClaw packages were uploaded in days using MoltBot skills to spread password-stealing malware. These malicious skills posed as crypto trading tools, with the goal of stealing crypto keys, credentials, and passwords from unsuspecting users. The attackers managed to distribute these malicious skills by exploiting weak security checks on ClawHub's AI skills registry.
The researchers discovered that the campaign was a supply chain attack on Claude Code and Moltbot skills, using fake crypto-trading skills to trick users into installing info-stealing malware. This campaign relied on social engineering and weak security reviews, targeting cryptocurrency traders for financial gain. The attackers targeted users who used skills like "AuthTools" presented as required authentication helpers but were in reality fake utilities that lured victims into running commands that downloaded malware from a shared command-and-control server.
The malicious skills were discovered to be linked to an account called hightower6eu, which dominated the campaign by uploading dozens of near-identical skills that became some of the most downloaded on the platform. Despite being notified, the maintainer of ClawHub admitted that the registry cannot be secured and most malicious skills remain online.
The attackers used social engineering tactics in OpenClaw/ClawHub skills disguised as cryptocurrency tools. The documentation repeatedly instructed users to install so-called "AuthTools" presented as required authentication helpers but in reality were fake utilities that lured victims into running commands that downloaded malware from a shared command-and-control server. This attack was successful due to the weak security checks in place on ClawHub's AI skills registry.
The attackers targeted macOS and Windows users with scripts and binaries designed to bypass protections and steal crypto assets, credentials, and sensitive files. Hundreds of skills from multiple linked authors were involved, with many still available despite clear signs of malicious behavior. The researchers pointed out that this campaign was a supply chain attack on Claude Code and Moltbot skills, using fake crypto-trading skills to trick users into installing info-stealing malware.
The attack required no technical exploits, instead relying on social engineering and the lack of security review in the skills publication process. The targeting of cryptocurrency traders suggests financial motivation and careful selection of high-value victims. This campaign highlights the importance of secure AI skill registries and the need for better security checks to prevent such malicious activities from occurring.
The researchers concluded that this campaign represents a supply chain attack on Claude Code and Moltbot skills, using fake crypto-trading skills to trick users into installing info-stealing malware. The attackers exploited the trust relationship between users and the skills platform to distribute information-stealing malware. The attack required no technical exploits, instead relying on social engineering and the lack of security review in the skills publication process.
The researchers found that hundreds of malicious OpenClaw packages were uploaded in days using MoltBot skills to spread password-stealing malware. These malicious skills posed as crypto trading tools, with the goal of stealing crypto keys, credentials, and passwords from unsuspecting users. The attackers managed to distribute these malicious skills by exploiting weak security checks on ClawHub's AI skills registry.
Related Information:
https://www.ethicalhackingnews.com/articles/MoltBot-Skills-Exploited-to-Distribute-400-Malware-Packages-in-Days-ehn.shtml
https://securityaffairs.com/187562/malware/moltbot-skills-exploited-to-distribute-400-malware-packages-in-days.html
Published: Mon Feb 2 16:29:06 2026 by llama3.2 3B Q4_K_M
