Kevin J.S. Duska Jr. | Signal Cage | February 17, 2026 | Breaking News
The numbers in the OpenClaw security crisis are moving fast enough that any figure printed here may already be outdated. That, in itself, is the story, as the development and weaponization of AI move at a blistering pace.
SecurityScorecard’s STRIKE threat intelligence team reported more than 135,000 internet-facing OpenClaw instances as of this writing — a figure that stood at just over 40,000 when STRIKE published its initial report hours earlier the same day. The acceleration is not a rounding error. It is a real-time picture of an attack surface expanding faster than remediation can track it, and it is happening against a tool that has been deployed — often carelessly, frequently with default settings untouched — across individual workflows, small businesses, and, increasingly, organizational infrastructure.
OpenClaw (formerly Clawdbot, formerly Moltbot — the project has gone through rapid rebrands since its release in November 2025) is an open-source AI agent framework that runs locally and connects to large language models. It is not a passive chatbot. It can access local files, log in to email and communication apps, and interact with online services. When connected to corporate SaaS tools, the blast radius of a compromise extends to Slack messages, email, calendar entries, cloud documents, and every OAuth token the agent has been granted. The agent’s persistent memory means any data it accesses remains available across sessions.
The tool’s adoption curve is without recent precedent. OpenClaw reached the 100,000 GitHub star milestone in a fraction of the time it took other meteoric open-source projects to get there. That velocity is precisely the problem. Security review does not scale with viral adoption, and the gap between what gets deployed and what gets audited is where every major open-source security failure of the last decade has lived.

The Infostealer Campaign
Hudson Rock disclosed that an infostealer infection successfully exfiltrated a victim’s OpenClaw configuration environment, describing the finding as a significant milestone in infostealer evolution — the transition from stealing browser credentials to harvesting the “souls” and identities of personal AI agents. Hudson Rock CTO Alon Gal identified the malware as likely a variant of the Vidar infostealer, with the data stolen on February 13, 2026. Vidar has been active since 2018 and is available as an off-the-shelf criminal tool, meaning the barrier to running this campaign is low.
The specific files targeted tell you what is at stake. The theft of a gateway authentication token can allow an attacker to connect to a victim’s local OpenClaw instance remotely if the port is exposed, or to masquerade as the client in authenticated requests to the AI gateway. In practical terms: an attacker with a stolen token does not need to exploit a vulnerability. They authenticate as the legitimate user and issue instructions to the agent directly.
The CVE and the Scale Problem
CVE-2026-25253, scored at CVSS 8.8, stems from the Control UI trusting a gatewayUrl parameter taken from the query string without validation. On page load, the interface auto-connected to the specified URL and transmitted the stored authentication token over WebSocket. The attack chain requires the victim to visit a single malicious page. Security researchers confirmed the full sequence executes in milliseconds.
The patch exists. OpenClaw released version 2026.1.29 addressing the vulnerability before public disclosure. The problem is uptake. As of the most recent STRIKE data, more than 50,000 instances remain vulnerable to this specific RCE bug despite the patch being available.
The exposed instances are associated with 28,663 unique IP addresses. Information services is the most impacted industry, followed by technology, manufacturing, and telecommunications. Several reports note that many exposed instances appear to originate from corporate IP space rather than individual hobbyists, shifting the risk profile from isolated experimentation to potential enterprise-level compromise.
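The gatewayUrl handling described above, shown from the defensive side as an added example; this is not OpenClaw's code or its actual patch. It treats the query parameter as untrusted and releases the stored token only to allowlisted gateway origins. The function names, the allowlist and the host and port values are constructed for illustration.

```javascript
// Constructed placeholder values (assumptions, not OpenClaw defaults); a real
// deployment would load these from local configuration, never from the page URL.
const DEFAULT_GATEWAY = "ws://127.0.0.1:9000/";
const ALLOWED_GATEWAYS = new Set([
  "ws://127.0.0.1:9000",
  "wss://gateway.example.internal",
]);

// Normalise a candidate to "scheme://host[:port]", or null if it is unusable.
function gatewayOrigin(candidate) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return null; // relative or malformed value
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return null;
  if (url.username || url.password) return null; // "trusted-host@other-host" forms
  return `${url.protocol}//${url.host}`;
}

// The query-string value is untrusted input: it is honoured only when its
// origin is on the allowlist. Anything else fails closed.
function resolveGatewayUrl(pageUrl) {
  const requested = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (requested === null) return { url: DEFAULT_GATEWAY, source: "default" };
  const origin = gatewayOrigin(requested);
  if (origin === null || !ALLOWED_GATEWAYS.has(origin)) {
    return { url: null, source: "rejected" };
  }
  return { url: requested, source: "query" };
}

// Token release is gated on the same decision, so a rejected URL never
// receives the stored token and no WebSocket is opened for it.
function connectionPlan(pageUrl, storedToken) {
  const decision = resolveGatewayUrl(pageUrl);
  const allowed = decision.url !== null;
  return { ...decision, token: allowed ? storedToken : null };
}
```

A caller opens the WebSocket only when `connectionPlan(...).url` is non-null; logging the `rejected` cases gives defenders a signal that a crafted link reached a user.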
The Supply Chain Layer
The vulnerability picture is not limited to CVEs. The OpenSourceMalware team documented an ongoing ClawHub malicious skills campaign using a technique to bypass VirusTotal scanning by hosting malware on lookalike OpenClaw websites and using the skills purely as decoys rather than embedding payloads directly in their SKILL.md files. The adaptation is notable: when VirusTotal scanning of skill packages became a standard detection method, the campaign moved the payload off-registry entirely. Detection tools are being actively gamed.
The Structural Problem Nobody Is Fixing
SecurityScorecard VP of threat intelligence Jeremy Turner put it plainly: “It’s like giving some random person access to your computer to help do tasks. If you supervise and verify, it’s a huge help. If you just walk away and tell them all future instructions will come via email or text message, they might follow instructions from anyone.”
That framing captures the architectural problem precisely. OpenClaw is not a misconfigured tool that can be secured with better defaults. It is a tool whose utility depends on the same properties that make it dangerous — persistent system access, broad integration with external services, and the ability to act on instructions it receives from the environment. Those properties cannot be patched away. They can only be constrained, monitored, and managed.
On February 15, OpenAI CEO Sam Altman announced that OpenClaw founder Peter Steinberger would be joining the company. OpenClaw will continue under a foundation as an open-source project. What foundation governance means for the security architecture — whether it accelerates hardening or introduces a new coordination gap during the transition — remains to be seen.
For a full technical breakdown of the vulnerabilities, deployment hardening checklists for AWS, GCP, Azure, and VPS environments, and a security assessment of the ClawHub supply chain compromise, see the OpenClaw security deployment hardening guide at our parent company Prime Rogue Inc.
Signal Cage covers emerging technology threats and intelligence developments | OSINT analysis by Prime Rogue Inc.