🚀JUST SHIPPED:

OpenClaw Got 200k Stars in 90 Days Then Turned Into Malware: A Case Study in Trust

By TheVibeish Editorial
OpenClaw went from zero to GitHub hero in three months. 200,000 stars. Trending on Hacker News every other week. Everyone's favourite new CLI tool. Then someone actually read the update diff.

Turns out version 2.3.0 quietly added some spicy new features: credential harvesting, phone-home telemetry to sketchy domains, and what security researchers politely call 'unauthorised system access'. The kind of stuff that makes your security team break out in hives.

Here's the thing that actually bothers me: this shouldn't have been possible. 200,000 stars means tens of thousands of developers installed this thing. How many actually reviewed the code? How many just saw the star count and figured 'this many people can't be wrong'? We've gamified open source into a popularity contest, and now stars are social proof instead of a code quality signal. A repo with 200k stars gets more trust than your bank's 2FA setup. That's unhinged.

The OpenClaw maintainers claim their GitHub got compromised. Maybe. Probably, even. But the malicious code sat there for 11 days across 47,000 downloads before anyone noticed. Not because it was sophisticated. Because nobody was looking.

This is where we've ended up: we'll spend three hours debating semicolons in a PR review, but we'll npm install thirty packages we've never heard of because the README has a cute logo. We'll star repos to bookmark them, inflating metrics into meaningless vanity numbers, then use those same metrics to decide what's safe to run with root access.

The uncomfortable truth is that supply chain attacks work because we've built a supply chain held together with vibes and trust badges. We've collectively decided that 'lots of people use this' equals 'this is safe', which is the same logic that gives us a new JavaScript framework every six weeks.

Solutions? Boring ones, mostly. Actually review dependency updates, the lock-file diff included, because a pinned hash only protects you if someone checks what the pin moved to. Use lock files. Run security scans. Treat a new install script, a changed hash on an unchanged version, or a tarball pulled from somewhere that isn't your registry as a stop-and-read moment rather than a merge-and-ship one. The stuff we all know we should do but skip because we're shipping fast.
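What "actually review the dependency update" looks like in practice, as an added example written for this article (it is not OpenClaw's code and has nothing to do with the incident above): a small diff over two npm lockfiles that surfaces the things worth a human's attention before a bump is merged. The package names, hashes and URLs in it are constructed sample data, and the only thing it assumes is npm's lockfileVersion 2/3 layout, where installed packages live in a "packages" map keyed by "node_modules/<name>".

```python
"""Diff two npm package-lock.json files (lockfileVersion 2/3) and flag what
a reviewer should read before merging a dependency bump.

Added example for this article, not OpenClaw's code. Assumes npm's v2/v3
layout: a "packages" map keyed by "node_modules/<name>" (nested for
transitive deps), with "version", "resolved", "integrity" and, for packages
that run lifecycle scripts, "hasInstallScript": true. All package names,
hashes and URLs below are constructed sample data.
"""
import json

# Assumption: every tarball is expected to come from the public npm registry.
TRUSTED_REGISTRY = "https://registry.npmjs.org/"

# Constructed: the lockfile as committed before the bump.
OLD_LOCK_JSON = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/example-cli": {
            "version": "2.2.0",
            "resolved": TRUSTED_REGISTRY + "example-cli/-/example-cli-2.2.0.tgz",
            "integrity": "sha512-oldExampleCliHash",
        },
        "node_modules/tiny-padder": {
            "version": "1.3.0",
            "resolved": TRUSTED_REGISTRY + "tiny-padder/-/tiny-padder-1.3.0.tgz",
            "integrity": "sha512-tinyPadderHash",
        },
    },
})

# Constructed: the lockfile after an update pulled in the bad release.
NEW_LOCK_JSON = json.dumps({
    "lockfileVersion": 3,
    "packages": {
        "node_modules/example-cli": {
            "version": "2.3.0",
            "resolved": TRUSTED_REGISTRY + "example-cli/-/example-cli-2.3.0.tgz",
            "integrity": "sha512-newExampleCliHash",
            "hasInstallScript": True,  # a postinstall hook appeared
        },
        "node_modules/example-cli/node_modules/beacon-shim": {
            "version": "0.1.0",
            "resolved": "https://cdn.example.net/beacon-shim-0.1.0.tgz",
            # no "integrity": nothing pins what this tarball contains
        },
        "node_modules/tiny-padder": {
            "version": "1.3.0",
            "resolved": TRUSTED_REGISTRY + "tiny-padder/-/tiny-padder-1.3.0.tgz",
            "integrity": "sha512-differentTinyPadderHash",  # same version, new bytes
        },
    },
})


def diff_lockfiles(old_json, new_json):
    """Group the differences between two lockfiles by what they imply."""
    # Root entry (key "") describes the project itself, so skip it.
    old = {p: e for p, e in json.loads(old_json).get("packages", {}).items() if p}
    new = {p: e for p, e in json.loads(new_json).get("packages", {}).items() if p}
    report = {
        "added": [],                           # (path, version)
        "removed": [],                         # (path, version)
        "version_changed": [],                 # (path, old_version, new_version)
        "integrity_changed_same_version": [],  # (path, version)
        "new_install_script": [],              # path
        "missing_integrity": [],               # path
        "untrusted_source": [],                # (path, url)
    }
    for path in sorted(set(old) | set(new)):
        o, n = old.get(path), new.get(path)
        if n is None:
            report["removed"].append((path, o.get("version")))
            continue
        if o is None:
            report["added"].append((path, n.get("version")))
        elif o.get("version") != n.get("version"):
            report["version_changed"].append((path, o.get("version"), n.get("version")))
        elif o.get("integrity") != n.get("integrity"):
            # Same version number, different bytes: a republished tarball
            # slips past anyone who only watches version strings.
            report["integrity_changed_same_version"].append((path, n.get("version")))
        if n.get("hasInstallScript") and not (o or {}).get("hasInstallScript"):
            report["new_install_script"].append(path)
        if "integrity" not in n:
            report["missing_integrity"].append(path)
        resolved = n.get("resolved", "")
        if resolved and not resolved.startswith(TRUSTED_REGISTRY):
            report["untrusted_source"].append((path, resolved))
    return report


def needs_human_review(report):
    """True if anything changed at all: the point is that someone reads it."""
    return any(report.values())


if __name__ == "__main__":
    for category, items in diff_lockfiles(OLD_LOCK_JSON, NEW_LOCK_JSON).items():
        for item in items:
            print(f"{category}: {item}")
```

Run against the constructed pair it reports one version bump, one new transitive package fetched from outside the registry with no integrity hash, one package that gained an install script, and one package whose version did not change but whose tarball did. Wired into CI on the lock file, the same script turns "review dependency updates" from advice into a blocking check that fails the build until a person has read those lines.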
OpenClaw is getting forked by trusted maintainers now. The malicious versions are being purged. Everything will be fine until the next one. Because there will be a next one. The incentives haven't changed, just the repo name. Maybe the real malware was the stars we collected along the way.