200K GitHub Stars in 90 Days, Then Everything Broke

November 2025: Austrian dev Peter Steinberger ships a weekend project. February 2026: 200,000 GitHub stars, 42,000 exposed instances, 1,184 malicious packages in the marketplace, and a one-click RCE that works through a URL. Then OpenAI hires him.

OpenClaw (formerly Clawdbot, then Moltbot) is the fastest-growing OSS project in GitHub history. It's an autonomous AI agent that books flights, sends emails, executes shell commands, and automates third-party services. Two million devs hit the docs in a single week. Meta banned it from corporate networks. Cisco called it "groundbreaking from a capability perspective" and "an absolute nightmare from a security perspective."

Both are correct.

The ClawHavoc Campaign

January 25, 2026: security researcher Oren Yomtov audits all 2,857 skills on ClawHub, OpenClaw's official marketplace. He finds 341 malicious entries. 335 belong to a single coordinated campaign he names ClawHavoc.

By February 16: over 1,184 confirmed malicious skills. Bitdefender's independent analysis puts it at ~900 across 10,700 skills. Roughly 20 percent of the ecosystem.

The attack wasn't technical exploitation. It was social engineering transplanted to a platform where packages have system-level access by default. Each malicious skill used professional docs, credible names like "solana-wallet-tracker" and "youtube-summarise-pro," and hundreds of lines of README that looked legitimate. Buried in setup instructions: a "Prerequisites" section telling devs to download a helper tool or run a terminal command to "fix dependencies."

On macOS, that command installed Atomic Stealer (AMOS), a commodity infostealer that exfiltrates browser credentials, SSH keys, Telegram sessions, crypto wallets, and keychains. On Windows: keylogger plus remote access trojan. Payloads shipped inside otherwise functional code.

This is npm and PyPI supply chain poisoning, except the packages have shell access.

CVE-2026-25253: The One-Click Kill Chain

January 29: OpenClaw discloses CVE-2026-25253, rated 8.8 CVSS. One-click remote code execution via cross-site WebSocket hijacking.

The kill chain: dev visits a malicious URL. Auth token exfiltrated in milliseconds. Attacker uses stolen token to disable the agent's sandbox via its own config API. Then they escape the Docker container to the host machine. Full RCE. Gateway doesn't need to be internet-facing. Any authenticated user who clicks a link is compromised.

Same day: two additional high-impact advisories for command injection vulns.

42,000 Open Front Doors

Censys tracked OpenClaw's public exposure growing from 1,000 to 21,000 instances in six days during late January. Independent researcher Maor Dayan found 42,665 exposed instances, 5,194 actively verified as vulnerable. 93.4 percent had auth bypass conditions.

These aren't test deployments. Astrix Security found employees at multiple companies had deployed OpenClaw on corporate endpoints with configs that could give attackers remote access to Salesforce, GitHub, and Slack. Research by Thebiggish found 22 percent of enterprise OpenClaw instances were unauthorised shadow deployments by individual employees, over half with privileged access to internal systems.

Meta banned OpenClaw from corporate networks. Cisco's analysis of a single popular skill ("What Would Elon Do?") found nine vulns: two critical, five high, including silent data exfiltration via curl commands.

Stealing the Agent's Soul

February 13: researchers disclose that an infostealer successfully exfiltrated a victim's entire OpenClaw configuration. Not just browser passwords. The agent's identity: API keys, memory files, personality config, gateway tokens.

Researchers called it "a significant milestone in the evolution of infostealer behaviour: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents."

The variant was Vidar, a well-known credential stealer updated to specifically target OpenClaw's .openclaw/ directory. With that data, an attacker doesn't just access the victim's accounts. They become the victim's agent, with every permission, every memory, and every tool connection intact.

The 90-Day Timeline

• November 2025: Weekend project goes live
• January 2026: 135,000 stars. 2M doc visitors in one week. ClawHub launches with 2,857 skills
• Late January: 21,000 exposed instances. 341 malicious skills discovered. CVE-2026-25253 disclosed
• February 2: CNBC profiles OpenClaw as "the AI agent generating buzz and fear globally"
• February 13: First infostealer confirmed stealing OpenClaw agent configs
• February 15: Sam Altman announces Peter Steinberger joining OpenAI. OpenClaw moves to independent foundation. Altman calls Steinberger "a genius with a lot of amazing ideas about the future"
• February 16: 1,184 malicious skills confirmed. Meta bans OpenClaw from corporate networks

Ninety days from first commit to OpenAI acquihire. In between: the largest AI agent supply chain attack ever documented.

Why This Actually Matters

OpenClaw isn't a failure. It's a preview. Every AI agent framework will face exactly this: a public marketplace for extensions, a trust model that assumes good faith, and an adoption curve that outpaces security review by months.

ClawHub is the new npm. Skills are the new packages. Except the agents that install them don't just run JavaScript in a browser sandbox. They have access to your filesystem, your email, your credentials, and your company's internal APIs.

Steinberger built something devs wanted so badly they deployed 42,000 instances in weeks without reading the security advisories. OpenAI bought that trajectory. The foundation will maintain the OSS project. But the lesson isn't about one dev or one vuln.

The lesson is that the AI agent ecosystem is growing exactly the way the JavaScript ecosystem grew: fast, open, and optimistically insecure. Except this time the packages can read your SSH keys and send your Slack messages.

The clock started in November. The first major supply chain attack arrived in January. That's a two-month window between "this is exciting" and "this is compromised."

For whatever AI agent framework comes next, that window will be shorter.