Researchers have discovered that a compromised npm publish token was used to push an update for the widely-used Cline command line interface (CLI) containing a malicious postinstall script. That script installs the wildly popular, but increasingly condemned, agentic application OpenClaw on the unsuspecting user's machine. This can be extremely dangerous, as OpenClaw has broad system access and deep integrations with messaging platforms including WhatsApp, Telegram, Slack, Discord, iMessage, Teams, and others.
The viral AI personal assistant, formerly known as Clawdbot and Moltbot, has dominated the feeds of AI boosters over the past few weeks for its ability to perform everyday tasks like sending emails, managing calendars, booking appointments, and complaining about its meatbag masters on the purportedly all-agent forum known as MoltBook. More level-headed voices have already flagged a wave of security vulnerabilities.
Security experts have discovered tens of thousands of unsecured OpenClaw instances. The AI agents run vulnerable software versions and offer attackers access to systems. More than 12,000 instances are vulnerable to remote code execution. Researchers at SecurityScorecard have exposed a major security problem for the rapidly growing OpenClaw. Through internet scans, the team identified 28,663 unique IP addresses with exposed OpenClaw control panels spread across 76 countries.
The security hole, tracked as CVE-2026-25253, was patched in recent days with the release of version 2026.1.29. "This is a token exfiltration vulnerability that leads to full gateway compromise," the AI tool's developers explained in an advisory. "It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host."
If an OpenClaw user running a vulnerable version and configuration clicked on that link, an attacker could then trigger a cross-site WebSocket hijacking attack because the polyonymous AI project's server doesn't validate the WebSocket origin header. This means the OpenClaw server will accept requests from any website. A maliciously crafted webpage, in this case, can execute client-side JavaScript code on the victim's browser to retrieve an authentication token, establish a WebSocket connection to the server, and use that token to pass authentication.
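The missing check described above, sketched as an added example for Node.js with no dependencies; it is not OpenClaw's code. The allowlisted origins and the function names (normalizeOrigin, isAllowedOrigin, guardUpgrade) are assumptions made for illustration.

```javascript
// Constructed allowlist: the origins the Control UI is served from (assumed values).
const ALLOWED_ORIGINS = ["http://127.0.0.1:8080", "http://localhost:8080"];

// Reduce an Origin header to scheme://host[:port]; null when it is unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    return u.origin; // lower-cases the host and drops default ports
  } catch {
    return null; // not a parseable URL
  }
}

// True only on an exact match with an allowlisted origin. Prefix or substring
// comparison would accept look-alike hosts such as localhost.attacker.example.
function isAllowedOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(headers["origin"]);
  // Missing Origin is refused: this gate is for the browser-facing endpoint only.
  if (origin === null) return false;
  return allowed.map(normalizeOrigin).includes(origin);
}

// Wrap the real upgrade handler so the handshake is refused before any
// WebSocket session (and therefore any token check) is reached.
function guardUpgrade(next, allowed = ALLOWED_ORIGINS) {
  return (req, socket, head) => {
    if (!isAllowedOrigin(req.headers, allowed)) {
      socket.end("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
      return false;
    }
    next(req, socket, head);
    return true;
  };
}

// Constructed handshake headers: the local UI, two hostile pages, no Origin.
const sampleHeaders = [
  { origin: "http://127.0.0.1:8080" },
  { origin: "https://attacker.example" },
  { origin: "http://localhost.attacker.example:8080" },
  {},
];
for (const h of sampleHeaders) {
  console.log(h.origin ?? "(none)", "->", isAllowedOrigin(h) ? "accept" : "reject");
}
```

The returned function has the signature of an http.Server "upgrade" listener, so it can be registered in place of the unguarded handler. Browsers set Origin themselves and page script cannot override it, which is why this check stops the cross-site case; non-browser clients can send any Origin, so token authentication is still required.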