OpenClaw hit 200k stars in 90 days. Then came the malware.

In November 2025, Peter Steinberger pushed a weekend project to GitHub. Ninety days later, it had 200,000 stars, 42,000 exposed instances leaking credentials on the public internet, and a supply chain attack that made npm drama look quaint.

Then Sam Altman hired him.

OpenClaw (formerly Clawdbot, then Moltbot) is an autonomous AI agent that books flights, sends emails, executes shell commands, and automates tasks across third-party services. It's the fastest-growing open-source project in GitHub history. Two million devs hit the docs in a single week. Cisco called it "groundbreaking from a capability perspective" and "an absolute nightmare from a security perspective."

Both are correct.

The ClawHavoc supply chain attack

On January 25, 2026, security researcher Oren Yomtov audited all 2,857 skills on ClawHub, OpenClaw's official marketplace. He found 341 malicious packages. 335 belonged to a single coordinated campaign: ClawHavoc.

By February 16, the count hit 1,184 confirmed malicious skills. Bitdefender's independent analysis found roughly 900 bad packages across 10,700 total skills. That's 20 percent of the ecosystem.

The attack vector: social engineering, not code exploits. Each malicious skill shipped with professional docs, credible names like "solana-wallet-tracker" and "youtube-summarize-pro," and hundreds of lines of legitimate-looking README. Buried in the setup instructions was a "Prerequisites" section telling devs to download a helper tool or run a terminal command to "fix dependencies."

On macOS, that command installed Atomic Stealer (AMOS), a commodity infostealer that exfiltrates browser credentials, SSH keys, Telegram sessions, crypto wallets, and keychains. On Windows: keylogger plus remote access trojan. The payloads were wrapped inside otherwise functional code.

This is npm supply chain poisoning, except the packages have system-level access by default.

CVE-2026-25253: one-click remote code execution

On January 29, OpenClaw disclosed CVE-2026-25253 (CVSS 8.8). It's a one-click RCE via cross-site WebSocket hijacking.

The kill chain: dev visits malicious URL, auth token exfiltrated in milliseconds, attacker uses stolen token to disable agent sandbox via its own config API, then escapes Docker container to host machine. Full remote code execution. The gateway doesn't need to be internet-facing. Any authenticated user who clicks a link gets compromised.

Same day, OpenClaw published two additional high-impact command injection advisories.

42,000 instances exposed to the public internet

Censys tracked OpenClaw's public exposure growing from 1,000 to 21,000 instances in six days during late January. Security researcher Maor Dayan found 42,665 exposed instances, 5,194 actively verified as vulnerable. 93.4 percent had authentication bypass conditions.

These aren't hobby projects. Astrix Security found employees at multiple companies had deployed OpenClaw on corporate endpoints with configs granting remote access to Salesforce, GitHub, and Slack. Research by Thebiggish found 22 percent of enterprise OpenClaw instances were unauthorised shadow deployments by individual employees. Over half had privileged access to internal systems.

Meta banned OpenClaw from corporate networks. Cisco's analysis of a single popular skill, "What Would Elon Do?," found nine vulnerabilities: two critical, five high, including silent data exfiltration via curl commands.

Infostealers targeting AI agent "souls"

On February 13, researchers disclosed that Vidar infostealer had been updated to specifically target OpenClaw's .openclaw/ directory, exfiltrating not just browser passwords but the agent's entire identity: API keys, memory files, personality config, gateway tokens.

With that data, an attacker doesn't just access your accounts. They become your agent, with every permission, every memory, every tool connection intact. Researchers called it "a significant milestone: the transition from stealing browser credentials to harvesting the souls and identities of personal AI agents."

The 90-day timeline

• November 2025: Steinberger pushes weekend project to GitHub
• January 2026: 135,000 stars, 2M docs visitors in one week, ClawHub launches with 2,857 skills
• Late January: 21,000 exposed instances, 341 malicious skills discovered, CVE-2026-25253 disclosed
• February 2: CNBC profiles OpenClaw as "the AI agent generating buzz and fear globally"
• February 13: First infostealer confirmed stealing agent configs
• February 15: Sam Altman announces Steinberger joining OpenAI, OpenClaw moves to independent foundation
• February 16: 1,184 malicious skills confirmed, Meta bans OpenClaw from corporate networks

Ninety days from first commit to OpenAI acquihire. In between: the largest AI agent supply chain attack ever documented.

Why this matters

OpenClaw isn't a failure. It's a preview.

Every AI agent framework will face exactly this: a public marketplace for extensions, a trust model that assumes good faith, and adoption that outpaces security review by months.

ClawHub is the new npm. Skills are the new packages. Except this time the packages can read your SSH keys and send your Slack messages.

Steinberger built something devs wanted so badly they deployed 42,000 instances in weeks without reading security advisories. OpenAI bought that trajectory. The foundation will maintain the open-source project.

But the lesson isn't about one dev or one vulnerability. The lesson is that the AI agent ecosystem is growing exactly like the JavaScript ecosystem grew: fast, open, optimistically insecure. Except now the supply chain attacks have filesystem access.

The clock started in November. The first major attack arrived in January. Two months from "this is exciting" to "this is compromised."

For whatever AI agent framework ships next, that window will be shorter.